GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
ENC(4) FreeBSD Kernel Interfaces Manual ENC(4)

enc
Encapsulating Interface

To compile this driver into the kernel, place the following line in your kernel configuration file:
device enc

Alternatively, to load the driver as a module at boot time, place the following line in loader.conf(5):

if_enc_load="YES"

The enc interface is a software loopback mechanism that allows hosts or firewalls to filter ipsec(4) traffic using any firewall package that hooks in via the pfil(9) framework.

The enc interface allows an administrator to see incoming and outgoing packets before and after they will be or have been processed by ipsec(4) via tcpdump(1).

The “enc0” interface inherits all IPsec traffic. Thus all IPsec traffic can be filtered based on “enc0”, and all IPsec traffic could be seen by invoking tcpdump(1) on the “enc0” interface.

What can be seen with tcpdump(1) and what will be passed on to the firewalls via the pfil(9) framework can be independently controlled using the following sysctl(8) variables:

Name Defaults Suggested
net.enc.out.ipsec_bpf_mask 0x00000003 0x00000001
net.enc.out.ipsec_filter_mask 0x00000001 0x00000001
net.enc.in.ipsec_bpf_mask 0x00000001 0x00000002
net.enc.in.ipsec_filter_mask 0x00000001 0x00000002

For the incoming path a value of 0x1 means “before stripping off the outer header” and 0x2 means “after stripping off the outer header”. For the outgoing path 0x1 means “with only the inner header” and 0x2 means “with outer and inner headers”.

incoming path                                          |------|
---- IPsec processing ---- (before) ---- (after) ----> |      |
                                                       | Host |
<--- IPsec processing ---- (after) ----- (before) ---- |      |
outgoing path                                          |------|

Most people will want to run with the suggested defaults for ipsec_filter_mask and rely on the security policy database for the outer headers.

Note that packets are captured by BPF before firewall processing. The special value 0x4 can be configured in the ipsec_bpf_mask and packets will be also captured after firewall processing.

To see the packets the processed via ipsec(4), adjust the sysctl(8) variables according to your need and run:

tcpdump -i enc0

tcpdump(1), bpf(4), ipf(4), ipfw(4), ipsec(4), pf(4)
August 9, 2017 FreeBSD 13.1-RELEASE
Search for    or go to Top of page |  Section 4 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.