.\" $OpenBSD: enc.4,v 1.10 2000/12/30 23:55:11 angelos Exp $
.\"
.Dd October 7, 1999
.Dt ENC 4
.Os
.Sh NAME
.Nm enc
.Nd Encapsulating Interface
.Sh SYNOPSIS
.Cd "pseudo-device enc 4"
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using
.Xr ipf 5 .
The
.Xr vpn 8
manpage shows an example of such a setup.
.Pp
The other use of the
.Nm
interface is to allow an administrator to see outgoing packets before
they have been processed by
.Xr ipsec 4 ,
or incoming packets after they have been similarly processed, via
.Xr tcpdump 8 .
.Pp
The
.Dq enc0
interface inherits all the IPsec traffic that does not have another
.Nm
interface explicitly assigned to it. Thus, if one were never to assign
an IPsec SA to another
.Nm
interface, all IPsec traffic could be filtered based on
.Dq enc0 ,
and all IPsec traffic could be seen by invoking
.Xr tcpdump 8
on the
.Dq enc0
interface.
.Sh EXAMPLES
To see all outgoing packets before they have been processed via
.Xr ipsec 4 ,
or all incoming packets after they have been similarly processed:
.Bd -literal
#> ifconfig enc0 up
#> tcpdump -i enc0
.Ed
.Sh SEE ALSO
.Xr tcpdump 8 ,
.Xr bpf 4 ,
.Xr inet 4 ,
.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr ipf 5 ,
.Xr vpn 8
.Sh BUGS
The
.Cm PROMISC
flag is not cleared on the enc0 interface after
.Xr tcpdump 8
is stopped.