path: root/share/man/man4/enc.4
blob: ad965f080958d2a8c594768a1445686d81cd5260 (plain)
.\"	$OpenBSD: enc.4,v 1.4 1999/10/29 05:37:44 angelos Exp $
.Dd October 7, 1999
.Dt ENC 4
.Os
.Sh NAME
.Nm enc
.Nd Encapsulating Interface
.Sh SYNOPSIS
.Cd "pseudo-device enc 4"
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using
.Xr ipf 5 .
The
.Xr vpn 8
manpage shows an example of such a setup.
.Pp
Another use is to allow the creation of virtual-ethernets, using
.Xr ipsec 4 .
See
.Xr bridge 4
and
.Xr ipsecadm 8
for more details.
Briefly,
.Nm
interfaces can be part of a bridge configuration.
Such interfaces are treated as ethernet interfaces; packets sent to them
by the bridge are IPsec-processed and sent to the remote bridge (which
reverses the process and injects the original ethernet frames in the
local ethernet segments).
Packets received with the appropriate IPsec SA are made to appear as if
they arrived over the corresponding
.Nm
interface, and are then processed by the bridge accordingly.
.Xr ipsecadm 8
is used to associate an
.Nm
interface with an IPsec SA.
This is a one-to-one correspondence.
.Pp
The last use of the
.Nm
interface is to allow an administrator to see outgoing packets before
they have been processed by
.Xr ipsec 4 ,
or incoming packets after they have been similarly processed, via
.Xr tcpdump 1 .
.Pp
The
.Dq enc0
interface inherits all the IPsec traffic that does not have another
.Nm
interface explicitly assigned to it.
Thus, if one were never to assign an IPsec SA to another
.Nm
interface, all IPsec traffic could be filtered based on
.Dq enc0 ,
and all IPsec traffic could be seen by invoking
.Xr tcpdump 1
on the
.Dq enc0
interface.
IPsec SAs that have been assigned to some other
.Nm
interface can be snooped via
.Xr tcpdump 1
or filtered via
.Xr ipf 5
through that
.Nm
interface.
.Sh EXAMPLES
To see all outgoing packets before they have been processed via
.Xr ipsec 4 ,
or all incoming packets after they have been similarly processed:
.Bd -literal
#> ifconfig enc0 up
#> tcpdump -i enc0
.Ed
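.Pp
The following script is an added example and is not part of the
.Nm
manual page or of OpenBSD itself.
It wraps the capture procedure above in a function and adds a check
for the problem described under BUGS: after
.Xr tcpdump 1
exits, the interface may still be promiscuous, so an administrator
should verify the flags before assuming the capture left no trace.
The
.Xr ifconfig 8
output format (an
.Dq enc0: flags=NNN<...>
line) is assumed, and the two sample lines are constructed for the test,
not taken from a real system.

```shell
#!/bin/sh
# Added example, not from enc(4): capture on enc0 as EXAMPLES describes,
# then audit the interface for a PROMISC flag left behind (see BUGS).

# Run the capture from EXAMPLES. Any arguments are passed to tcpdump as
# a BPF filter (for example: capture_enc0 host 10.0.0.1). Needs root and
# an enc0 interface, so it is only run when called explicitly.
capture_enc0() {
    ifconfig enc0 up || return 1
    tcpdump -i enc0 "$@"
}

# Print "yes" if the given ifconfig output shows enc0 with PROMISC set,
# "no" otherwise. The expected line shape is assumed to be
#   enc0: flags=NNN<UP,RUNNING,PROMISC> mtu 1536
# and PROMISC is looked for only inside the <...> flag list.
enc0_is_promisc() {
    printf '%s\n' "$1" |
        awk '/^enc0:/ && /<[^>]*PROMISC[^>]*>/ { found = 1 }
             END { print (found ? "yes" : "no") }'
}

# Constructed sample output: what ifconfig might print after tcpdump has
# been stopped (flag numbers and mtu are made up for the example).
SAMPLE_STALE='enc0: flags=141<UP,RUNNING,PROMISC> mtu 1536'
SAMPLE_CLEAN='enc0: flags=41<UP,RUNNING> mtu 1536'

# Audit the live system: report whether enc0 is still promiscuous.
# Returns 0 when clean, 1 when PROMISC is still set, 2 if enc0 is absent.
audit_enc0() {
    out=$(ifconfig enc0 2>/dev/null) || { echo "enc0: not present"; return 2; }
    if [ "$(enc0_is_promisc "$out")" = yes ]; then
        echo "enc0 still has PROMISC set (see BUGS in enc(4))"
        return 1
    fi
    echo "enc0 flags are clean"
}

# Only touch the real interface when asked to, e.g. ENC_RUN=1 ./enc-check.sh
if [ "${ENC_RUN:-}" = 1 ]; then
    audit_enc0
fi
```

A typical session would run capture_enc0 with whatever filter is
wanted, stop it with an interrupt, and then call audit_enc0 to confirm
whether the PROMISC flag from the BUGS section is still present.
The parsing is kept in its own function so it can be exercised on saved
output without an enc0 interface.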
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4 ,
.Xr inet 4 ,
.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr ipf 5 ,
.Xr vpn 8
.Sh BUGS
The
.Cm PROMISC
flag is not cleared on the
.Dq enc0
interface after
.Xr tcpdump 1
is stopped.