.\" $OpenBSD: enc.4,v 1.6 2000/04/08 18:49:28 angelos Exp $
.Dd October 7, 1999
.Dt ENC 4
.Os
.Sh NAME
.Nm enc
.Nd Encapsulating Interface
.Sh SYNOPSIS
.Cd "pseudo-device enc 4"
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using
.Xr ipf 5 .
The
.Xr vpn 8
manpage shows an example of such a setup.
.Pp
Another use is to allow the creation of virtual-ethernets, using
.Xr ipsec 4 .
See
.Xr bridge 4
and
.Xr ipsecadm 8
for more details.
Briefly,
.Nm
interfaces can be part of a bridge configuration.
Such interfaces are treated as Ethernet interfaces; packets
sent to them by the bridge are IPsec-processed and sent to the
remote bridge (which reverses the process and injects the original
Ethernet frames into the local Ethernet segments).
Packets received with the appropriate IPsec SA are made to appear as if
they arrived over the corresponding
.Nm
interface, and are then processed by the bridge accordingly.
.Xr ifconfig 8
is used to associate an
.Nm
interface with an IPsec SA.
Note that the
.Dq enc0
interface may not be used in a bridge configuration.
.Pp
If the
.Dv IFF_LINK0
flag is set on an
.Nm
interface, IP-in-IP encapsulation (instead of Ethernet-in-IP) is
done.
Its use is currently experimental.
This flag should not be set when the interface is used in conjunction
with the bridge.
.Pp
The last use of the
.Nm
interface is to allow an administrator to see outgoing packets before
they have been processed by
.Xr ipsec 4 ,
or incoming packets after they have been similarly processed, via
.Xr tcpdump 1 .
.Pp
The
.Dq enc0
interface inherits all the IPsec traffic that does not have another
.Nm
interface explicitly assigned to it.
Thus, if one were never to assign
an IPsec SA to another
.Nm
interface, all IPsec traffic could be filtered based on
.Dq enc0 ,
and all IPsec traffic could be seen by invoking
.Xr tcpdump 1
on the
.Dq enc0
interface.
IPsec SAs that have been assigned to some other
.Nm
interface can be snooped via
.Xr tcpdump 1
or filtered via
.Xr ipf 5
through that
.Nm
interface.
.Sh EXAMPLES
To see all outgoing packets before they have been processed via
.Xr ipsec 4 ,
or all incoming packets after they have been similarly processed:
.Bd -literal
#> ifconfig enc0 up
#> tcpdump -i enc0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4 ,
.Xr inet 4 ,
.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr ipf 5 ,
.Xr vpn 8
.Sh BUGS
The
.Cm PROMISC
flag is not cleared on the
.Dq enc0
interface after
.Xr tcpdump 1
is stopped.
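.Pp
The following script is an added example and is not part of the enc(4) manual page or of OpenBSD itself. It wraps the procedure from EXAMPLES (bring the interface up, watch it with tcpdump) and, once tcpdump exits, checks for the stale PROMISC flag described under BUGS, so an administrator notices when the interface has been left promiscuous. The function names (promisc_set, snoop_enc, check_sample) are the example's own, and it assumes ifconfig(8) prints an interface header line of the form "enc0: flags=<hex><UP,RUNNING,PROMISC> ...", which is the format the parsing relies on. The sample ifconfig lines are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the enc(4) manual page or of OpenBSD itself.
# Assumption: ifconfig(8) prints an interface header line shaped like
#   enc0: flags=<hex><UP,RUNNING,PROMISC> ...
# The flag list between the angle brackets is what promisc_set inspects.

# promisc_set IFNAME: read ifconfig-style output on stdin; exit status 0 when
# the header line for IFNAME lists PROMISC among its flags, 1 otherwise.
promisc_set() {
    _ifn="$1"
    # Keep only the flag list of the named interface's header line, split it
    # on commas and look for an exact PROMISC entry (plain sed/tr/grep only).
    sed -n "s/^${_ifn}: flags=[0-9a-fA-Fx]*<\([^>]*\)>.*/\1/p" |
        tr ',' '\n' | grep -qx PROMISC
}

# snoop_enc IFNAME [tcpdump args...]: the procedure from EXAMPLES followed by
# the BUGS check. Needs a live system with enc(4), so it is not exercised by
# the in-memory checks below.
snoop_enc() {
    _ifn="$1"; shift
    ifconfig "$_ifn" up
    tcpdump -i "$_ifn" "$@"
    # After tcpdump exits, report whether the interface was left promiscuous.
    if ifconfig "$_ifn" | promisc_set "$_ifn"; then
        echo "$_ifn: PROMISC still set after tcpdump stopped (see enc(4) BUGS)" >&2
        return 1
    fi
}

# Constructed sample ifconfig output (not captured from a real host): the
# first line shows the flag left behind, the second a clean interface.
SAMPLE_STALE='enc0: flags=141<UP,RUNNING,PROMISC> mtu 1536'
SAMPLE_CLEAN='enc0: flags=41<UP,RUNNING> mtu 1536'

# check_sample IFNAME TEXT: run promisc_set over an in-memory sample line.
check_sample() {
    printf '%s\n' "$2" | promisc_set "$1"
}
```

On a live host the check alone can be run as "ifconfig enc0 | promisc_set enc0 && echo 'enc0 still promiscuous'"; snoop_enc combines it with the ifconfig/tcpdump steps shown in EXAMPLES and exits non-zero when the flag is still set, so the condition can be caught from a wrapper script or cron job rather than noticed by chance.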