enc man page on OpenBSD


ENC(4)			  OpenBSD Programmer's Manual			ENC(4)

NAME
     enc - encapsulating interface

SYNOPSIS
     pseudo-device enc

DESCRIPTION
     The enc interface is a virtual interface for ipsec(4) traffic.  It allows
     packet filtering using pf(4); prior to encapsulation and after
     decapsulation, packets may be monitored using tcpdump(8).

     An enc interface can be created at runtime using the ifconfig encN create
     command or by setting up a hostname.if(5) configuration file for
     netstart(8).  The enc0 interface will always exist and cannot be
     destroyed using ifconfig(8).

     Packet filtering is documented in greater detail in pf.conf(5), however
     some details relevant to filtering on the enc interface are documented
     below.

     Firstly, pf(4) is a stateful packet filter, which means it can track the
     state of a connection.  It does this automatically.  States are normally
     floating, which means they can match packets on any interface.  However
     this is a potential problem for filtering IPsec traffic: states need to
     be interface bound, to avoid permitting unencrypted traffic should the
     SAs expire and not be replaced.  Therefore all rules on the enc interface
     should explicitly set ``keep state (if-bound)''.  For example:

	   pass in on enc0 proto ipencap from 172.25.0.45 to 1.2.3.4 \
		   keep state (if-bound)

     Secondly, the enc interface does not directly support bandwidth control
     via pf(4) queueing.  Instead, IPsec packets must be tagged and the tagged
     packets are assigned to queues.  ipsec.conf(5) provides an example of
     tag-based queueing and further information on packet tagging.

     Finally, the use of translation rules to map and redirect network traffic
     requires some care.  Packets destined to be IPsec processed are seen by
     the filter/translation engine twice, both before and after being IPsec
     processed.  If a packet's translated address on the way back fails to
     match an existing IPsec flow, from the translated address to the original
     source address, it will be discarded by the filter.  It is best to avoid
     this situation where possible, though a flow may be explicitly created to
     work around it.

     As noted above, tcpdump(8) may be invoked on the enc interface to see
     packets prior to encapsulation and after decapsulation.  For example:

	# tcpdump -envps 1500 -i enc0 -l | grep 10.0.0.33
	tcpdump: WARNING: enc0: no IPv4 address assigned
	tcpdump: listening on enc0, link-type ENC
	15:05:08.934708 (authentic,confidential): SPI 0x6bcac587: \
		172.25.0.45 > 1.2.3.4: 10.9.9.28.7001 > 10.0.0.33.7000: \
		[udp sum ok] udp 52 (ttl 64, id 5672, len 80) \
		(ttl 64, id 30009, len 100, bad cksum 0!)
	15:05:09.063517 (authentic,confidential): SPI 0x4b70c05a: \
		1.2.3.4 > 172.25.0.45: 10.0.0.33.7000 > 10.9.9.28.7001: \
		[udp sum ok] udp 156 (ttl 63, id 14880, len 184) \
		(ttl 51, id 19689, len 204)

     The packets above show (for each direction): date, ESP (not AH), SPI,
     direction, and encapsulated part.  The first packet is headed from
     172.25.0.45 to 1.2.3.4 and the encapsulated part from 10.9.9.28 to
     10.0.0.33.
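     The following is an added example, not part of the enc(4) manual: it
     parses lines of the enc0 capture format shown above (after joining
     the backslash-continued lines) into timestamp, ESP flags, SPI, outer
     SA endpoints and inner flow, and lists packets that reached enc0
     without the confidential flag.  The third sample line is constructed
     to illustrate an authentication-only SA; the first two are the
     manual's own packets.

```python
import re

# One line of "tcpdump -i enc0" output (link-type ENC), with the
# backslash-continued lines shown in the manual joined back together.
ENC_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) \((?P<flags>[^)]*)\): "
    r"SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"(?P<osrc>\S+) > (?P<odst>\S+): "        # SA endpoints (outer)
    r"(?P<isrc>\S+) > (?P<idst>\S+): .*$"     # encapsulated flow (inner)
)

def host_port(token):
    # tcpdump prints the port as a final dotted component: 10.9.9.28.7001
    host, _, port = token.rpartition(".")
    return host, int(port)

def parse_enc_line(line):
    m = ENC_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "flags": frozenset(f for f in m["flags"].split(",") if f),
        "spi": int(m["spi"], 16),
        "outer": (m["osrc"], m["odst"]),
        "inner": host_port(m["isrc"]) + host_port(m["idst"]),
    }

def unprotected(lines):
    # Packets seen on enc0 without ESP confidentiality: on a tunnel that
    # is supposed to encrypt, an authentication-only SA deserves a look.
    recs = (parse_enc_line(l) for l in lines)
    return [r for r in recs if r and "confidential" not in r["flags"]]

# Sample input: the manual's two packets plus one constructed line.
SAMPLE = [
    "15:05:08.934708 (authentic,confidential): SPI 0x6bcac587: "
    "172.25.0.45 > 1.2.3.4: 10.9.9.28.7001 > 10.0.0.33.7000: "
    "[udp sum ok] udp 52 (ttl 64, id 5672, len 80) (ttl 64, id 30009, len 100, bad cksum 0!)",
    "15:05:09.063517 (authentic,confidential): SPI 0x4b70c05a: "
    "1.2.3.4 > 172.25.0.45: 10.0.0.33.7000 > 10.9.9.28.7001: "
    "[udp sum ok] udp 156 (ttl 63, id 14880, len 184) (ttl 51, id 19689, len 204)",
    "15:05:10.000000 (authentic): SPI 0x00001234: "          # constructed
    "172.25.0.45 > 1.2.3.4: 10.9.9.28.7001 > 10.0.0.33.7000: "
    "[udp sum ok] udp 52 (ttl 64, id 1, len 80) (ttl 64, id 2, len 100)",
]

if __name__ == "__main__":
    for r in unprotected(SAMPLE):
        print("no confidentiality: SPI 0x%08x %s > %s" % (r["spi"], *r["outer"]))
```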

     Negotiations can be watched on the physical interface too:

	# tcpdump -envps 1500 -i wi0 port 500 or port 4500
	tcpdump: listening on wi0, link-type EN10MB
	15:15:58.188747 0:2:6f:3a:3f:3e 0:10:f3:3:bd:8a 0800 226: \
	    172.25.0.45.500 > 1.2.3.4.500: [udp sum ok] \
	[...]
		attribute ENCRYPTION_ALGORITHM = AES_CBC
		attribute HASH_ALGORITHM = SHA
		attribute AUTHENTICATION_METHOD = RSA_SIG
		attribute GROUP_DESCRIPTION = MODP_1024
		attribute LIFE_TYPE = SECONDS
		attribute LIFE_DURATION = 3600
		attribute KEY_LENGTH = 128
	[...]
	15:15:59.080058 0:10:f3:3:bd:8a 0:2:6f:3a:3f:3e 0800 226: \
	    1.2.3.4.500 > 172.25.0.45.500: [udp sum ok] \
	[...]
		attribute ENCRYPTION_ALGORITHM = AES_CBC
		attribute HASH_ALGORITHM = SHA
		attribute AUTHENTICATION_METHOD = RSA_SIG
		attribute GROUP_DESCRIPTION = MODP_1024
		attribute LIFE_TYPE = SECONDS
		attribute LIFE_DURATION = 3600
		attribute KEY_LENGTH = 128
	[...]

     The attribute lines for the negotiation must match.

SEE ALSO
     ipsec(4), pf(4), ipsec.conf(5), pf.conf(5), tcpdump(8)

OpenBSD 4.9			 June 29, 2010			   OpenBSD 4.9