if_enc (4)
Leading comments
$OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $ Copyright (c) 1999 Angelos D. Keromytis All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of con...
NAME
enc - Encapsulating InterfaceSYNOPSIS
To compile this driver into the kernel, place the following line in your kernel configuration file:device enc
DESCRIPTION
The interface is a software loopback mechanism that allows hosts or firewalls to filter ipsec(4) traffic using any firewall package that hooks in via the pfil(9) framework.The interface allows an administrator to see incoming and outgoing packets before and after they will be or have been processed by ipsec(4) via tcpdump(1).
The ``enc0 '' interface inherits all IPsec traffic. Thus all IPsec traffic can be filtered based on ``enc0 '' and all IPsec traffic could be seen by invoking tcpdump(1) on the ``enc0 '' interface.
What can be seen with tcpdump(1) and what will be passed on to the firewalls via the pfil(9) framework can be independently controlled using the following sysctl(8) variables:
- Name Defaults Suggested
- "net.enc.out.ipsec_bpf_mask 0x00000003 0x00000001"
- "net.enc.out.ipsec_filter_mask0x000000010x00000001"
- "net.enc.in.ipsec_bpf_mask0x000000010x00000002"
- "net.enc.in.ipsec_filter_mask0x000000010x00000002"
For the incoming path a value of
0x1
means
``before stripping off the outer header
''
and
0x2
means
``after stripping off the outer header
''
For the outgoing path
0x1
means
``with only the inner header
''
and
0x2
means
``with outer and inner headers
''
incoming path |------| ---- IPsec processing ---- (before) ---- (after) ----> | | | Host | <--- IPsec processing ---- (after) ----- (before) ---- | | outgoing path |------|
Most people will want to run with the suggested defaults for ipsec_filter_mask and rely on the security policy database for the outer headers.
EXAMPLES
To see the packets the processed via ipsec(4), adjust the sysctl(8) variables according to your need and run:
"tcpdump -i enc0"