$OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $ Copyright (c) 1999 Angelos D. Keromytis All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of con...
NAME
     enc - Encapsulating Interface

SYNOPSIS
     To compile this driver into the kernel, place the following line in your kernel configuration file:
DESCRIPTION
     The enc interface is a software loopback mechanism that allows hosts or firewalls to filter ipsec(4) traffic using any firewall package that hooks in via the pfil(9) framework.

     The enc interface also allows an administrator to see incoming and outgoing packets, before and after they are processed by ipsec(4), with tcpdump(1).

     The enc0 interface inherits all IPsec traffic. Thus all IPsec traffic can be filtered based on enc0, and all IPsec traffic can be seen by invoking tcpdump(1) on the enc0 interface.
     Name                           Defaults      Suggested
     net.enc.out.ipsec_bpf_mask     0x00000003    0x00000001
     For the incoming path a value of 0x1 means "before stripping off the outer header" and 0x2 means "after stripping off the outer header". For the outgoing path 0x1 means "with only the inner header" and 0x2 means "with outer and inner headers".
     incoming path                                          |------|
     ---- IPsec processing ---- (before) ---- (after) ----> |      |
                                                            | Host |
     <--- IPsec processing ---- (after) ----- (before) ---- |      |
     outgoing path                                          |------|
Most people will want to run with the suggested defaults for ipsec_filter_mask and rely on the security policy database for the outer headers.
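     The following is an added example, not part of the enc(4) manual page: a small POSIX sh helper that decodes a net.enc.{in,out}.ipsec_bpf_mask value into the capture points described above, so an administrator can tell from a sysctl reading which copies of each IPsec packet tcpdump on enc0 will deliver. The function name decode_mask and the short labels it prints are this example's own choices; the bit meanings are exactly those given in the text.

```shell
#!/bin/sh
# Added example (not from the enc(4) manual page).
# decode_mask DIRECTION HEXMASK
#   DIRECTION is "in" or "out"; HEXMASK is a value such as 0x00000003.
#   Prints, on one line, the capture points enabled by the mask bits,
#   using the bit meanings from the manual page:
#     in : 0x1 = before stripping the outer header, 0x2 = after stripping it
#     out: 0x1 = inner header only,                0x2 = outer and inner headers
#   Returns 1 for an unknown direction.
decode_mask() {
    dir=$1
    mask=$(( $2 ))      # POSIX arithmetic accepts 0x... constants
    out=""
    if [ "$dir" = in ]; then
        [ $(( mask & 1 )) -ne 0 ] && out="${out}before-strip-outer "
        [ $(( mask & 2 )) -ne 0 ] && out="${out}after-strip-outer "
    elif [ "$dir" = out ]; then
        [ $(( mask & 1 )) -ne 0 ] && out="${out}inner-only "
        [ $(( mask & 2 )) -ne 0 ] && out="${out}outer+inner "
    else
        printf 'unknown direction: %s\n' "$dir" >&2
        return 1
    fi
    printf '%s\n' "${out% }"
}

# Stand-alone usage, e.g.:  sh decode_mask.sh out 0x00000003
if [ -n "${1:-}" ]; then
    decode_mask "$1" "${2:-0}"
fi
```

     Running decode_mask with the page's default outgoing value 0x00000003 lists both capture points, which means each outgoing packet appears twice on enc0 (once with only the inner header, once with outer and inner headers); the suggested 0x00000001 lists only inner-only, giving one copy per packet.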
EXAMPLES
     To see the packets processed via ipsec(4), adjust the sysctl(8) variables according to your needs and run:

           tcpdump -i enc0