From owner-svn-src-projects@freebsd.org Tue Jan 24 19:42:26 2017 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 06F2BCC07C6 for ; Tue, 24 Jan 2017 19:42:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BBE8A139E; Tue, 24 Jan 2017 19:42:25 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v0OJgOS2085560; Tue, 24 Jan 2017 19:42:24 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v0OJgODV085557; Tue, 24 Jan 2017 19:42:24 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201701241942.v0OJgODV085557@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Tue, 24 Jan 2017 19:42:24 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r312717 - projects/ipsec/share/man/man4 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Jan 2017 19:42:26 -0000 Author: ae Date: Tue Jan 24 19:42:24 2017 New Revision: 312717 URL: https://svnweb.freebsd.org/changeset/base/312717 Log: Add if_ipsec(4) manual page and document new ipsec sysctl variables. Added: projects/ipsec/share/man/man4/if_ipsec.4 (contents, props changed) Modified: projects/ipsec/share/man/man4/Makefile projects/ipsec/share/man/man4/ipsec.4 Modified: projects/ipsec/share/man/man4/Makefile ============================================================================== --- projects/ipsec/share/man/man4/Makefile Tue Jan 24 19:41:55 2017 (r312716) +++ projects/ipsec/share/man/man4/Makefile Tue Jan 24 19:42:24 2017 (r312717) @@ -201,6 +201,7 @@ MAN= aac.4 \ icmp.4 \ icmp6.4 \ ida.4 \ + if_ipsec.4 \ ifmib.4 \ ig4.4 \ igb.4 \ Added: projects/ipsec/share/man/man4/if_ipsec.4 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/ipsec/share/man/man4/if_ipsec.4 Tue Jan 24 19:42:24 2017 (r312717) 
@@ -0,0 +1,140 @@ +.\" Copyright (c) 2017 Andrey V. Elsukov +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd January 24, 2017 +.Dt if_ipsec 4 +.Os +.Sh NAME +.Nm if_ipsec +.Nd IPsec virtual tunneling interface +.Sh SYNOPSIS +The +.Cm if_ipsec +network interface is a part of +.Fx +IPsec implementation. 
+To compile it into the kernel, place the following line in the kernel +configuration file: +.Bd -ragged -offset indent +.Cd "options IPSEC" +.Ed +.Pp +Alternatively, it can be loaded as part of +.Cm ipsec +kernel module, if the kernel was compiled with: +.Bd -ragged -offset indent +.Cd "options IPSEC_SUPPORT" +.Ed +.Sh DESCRIPTION +The +.Nm +network interface is targeted for creating route-based VPNs. +It can tunnel IPv[46] traffic over IPv[46] and secure it using ESP. +.Pp +.Nm +interfaces are dynamically created and destroyed with the +.Xr ifconfig 8 +.Cm create +and +.Cm destroy +subcommands. +The administrator needs to configure IPsec +.Cm tunnel +endpoints addresses. +These addresses will be used for the outer IP header of ESP packets. +The administrator also can configure the protocol and addresses for the inner +IP header with +.Xr ifconfig 8 , +and modify the routing table to route the packets through the +.Nm +interface. +.Pp +When +.Nm +interface is configured, it automatically creates special security policies, +that may be used to acquire security associations from IKE daemon, needed for +establishing an IPsec tunnel. +Also it is possible to create needed security associations manually using +.Xr setkey 8 +utility. +.Pp +Each +.Nm +interface has additional numeric configuration option +.Cm reqid Ar id . +This +.Ar id +used to distinguish traffic and security policies between several +.Nm +interfaces. +The +.Cm reqid +can be specified on interface creating and changed later. +If it is not specified, it will be automatically assigned. +Note that changing of +.Cm reqid +will lead to generation of new security policies, and this +may require creating of new security associations. +.Sh EXAMPLES +The example below shows how to manually configure IPsec tunnel +between two FreeBSD hosts. Assuming host A has the IP address +192.168.0.3, and host B has the IP address 192.168.0.5. 
+.Pp +On host A: +.Bd -literal -offset indent +ifconfig ipsec0 create reqid 100 +ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5 +ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5 +setkey -c +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1"; +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2"; +^D +.Ed +.Pp +On host B: +.Bd -literal -offset indent +ifconfig ipsec0 create reqid 200 +ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3 +ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3 +setkey -c +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1"; +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2"; +^D +.Ed +.Pp +Note the value 100 on host A and value 200 on host B are used as reqid. +The same values should be used as identifier of the policy entry in +the +.Xr setkey 8 +command. +.Sh SEE ALSO +.Xr gif 4 , +.Xr gre 4 , +.Xr ipsec 4 , +.Xr ifconfig 8 , +.Xr setkey 8 +.Sh AUTHORS +.An Andrey V. Elsukov Aq Mt ae@FreeBSD.org Modified: projects/ipsec/share/man/man4/ipsec.4 ============================================================================== --- projects/ipsec/share/man/man4/ipsec.4 Tue Jan 24 19:41:55 2017 (r312716) +++ projects/ipsec/share/man/man4/ipsec.4 Tue Jan 24 19:42:24 2017 (r312717) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 1, 2017 +.Dd January 24, 2017 .Dt IPSEC 4 .Os .Sh NAME @@ -239,6 +239,8 @@ for tweaking the kernel's IPsec behavior .It "net.inet.ipsec.dfbit integer yes" .It "net.inet.ipsec.ecn integer yes" .It "net.inet.ipsec.debug integer yes" +.It "net.inet.ipsec.natt_cksum_policy integer yes" +.It "net.inet.ipsec.check_policy_history integer yes" .It "net.inet6.ipsec6.ecn integer yes" .It "net.inet6.ipsec6.debug integer yes" .El 
@@ -281,6 +283,24 @@ talks more about the behavior. .It Li ipsec.debug If set to non-zero, debug messages will be generated via .Xr syslog 3 . +.It Li ipsec.natt_cksum_policy +This variable controls how the kernel handles TCP and UDP checksums +when ESP in UDP encapsulation is used for IPsec transport mode. +If set to non-zero value, the kernel fully recomputes checksums for +inbound TCP segments and UDP datagrams after they are decapsulated and +decrypted. +If set to 0 and original addresses were configured for corresponding SA +by the IKE daemon, the kernel will incrementally recompute checksums for +inbound TCP segments and UDP datagrams. +If addresses weren't configured, the checksums will be ignored. +.It Li ipsec.check_policy_history +This variable enables strict policy checking for inbound packets. +The default behavior for inbound security policies is just make sure, +that a handled by IPsec packet was decrypted and authenticated. +If this variable is set to non-zero value, each handled by IPsec packet +will be checked against the history of used IPsec security associations. +The check requires matching of the IPsec security protocol, mode, and SA +addresses. .El .Pp Variables under the @@ -316,6 +336,7 @@ routines from looking into the IP payloa .Xr ipsec_set_policy 3 , .Xr crypto 4 , .Xr enc 4 , +.Xr if_ipsec 4 , .Xr icmp6 4 , .Xr intro 4 , .Xr ip6 4 ,
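Review bot: in the EXAMPLES section of the new if_ipsec.4, both setkey entries create ESP SAs with `-E rijndael-cbc "VerySecureKey!!1"` and no `-A` integrity algorithm, so the tunnel is encrypted but not authenticated, and unauthenticated CBC is open to bit-flipping and padding-oracle tampering; since readers copy manual-page examples verbatim, add an authentication algorithm (e.g. `-A hmac-sha2-256 "<key>"`) or switch to a combined-mode cipher such as `-E aes-gcm-16`, and say that the literal keys are placeholders. Wording nits in the same hunk: `.Fx IPsec implementation` reads better as `the .Fx IPsec implementation`; `This .Ar id used to distinguish` is missing `is`; `on interface creating` should be `at interface creation`; and `changing of reqid will lead to generation of new security policies, and this may require creating of new security associations` reads better as `changing the reqid generates new security policies and may require new security associations`.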
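Review bot: the new `ipsec.natt_cksum_policy` and `ipsec.check_policy_history` descriptions in ipsec.4 never state the default value, so a reader cannot tell from the page whether strict policy checking or full checksum recomputation is on out of the box; add a `The default value is N` sentence to each, with N taken from the sysctl definition in the kernel source. For `check_policy_history` it would also help to spell out what the relaxed default accepts, i.e. that a packet passes as long as some SA decrypted and authenticated it, even if that SA's protocol, mode or addresses do not match the policy the packet should have used. Grammar: `a handled by IPsec packet` and `each handled by IPsec packet` should read `a packet handled by IPsec` / `each packet handled by IPsec`, and `is just make sure, that` should be `is just to make sure that`.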
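Review bot: the new `.Xr if_ipsec 4 ,` line in the SEE ALSO hunk of ipsec.4 breaks the list's alphabetical order; it is inserted between `enc 4` and `icmp6 4`, but `if_ipsec` sorts after `icmp6` and before `intro 4`, so move it down one line.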