xref: /openbsd-src/share/man/man4/enc.4 (revision a28daedfc357b214be5c701aa8ba8adb29a7f1c2)
.\"	$OpenBSD: enc.4,v 1.27 2009/01/28 21:00:32 grunk Exp $
.\"
.\" Copyright (c) 2006 Jason McIntyre <jmc@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 28 2009 $
.Dt ENC 4
.Os
.Sh NAME
.Nm enc
.Nd encapsulating interface
.Sh SYNOPSIS
.Cd "pseudo-device enc 1"
.Sh DESCRIPTION
The
.Nm
interface is a virtual interface for
.Xr ipsec 4
traffic.
It allows packet filtering using
.Xr pf 4
and monitoring using
.Xr tcpdump 8
of packets prior to encapsulation and after decapsulation,
that is, of the inner, unencrypted packets.
Only one
.Nm
interface, enc0, is supported.
.Pp
Packet filtering is documented in greater detail in
.Xr pf.conf 5 ,
however some details relevant to filtering on the
.Nm
interface are documented below.
.Pp
Firstly,
.Xr pf 4
is a stateful packet filter,
which means it can track the state of a connection.
It does this
.Em automatically .
States are normally
.Em floating ,
which means they can match packets on any interface.
However this is a potential problem for filtering IPsec traffic:
a floating state created by a rule on the
.Nm
interface would also match the same packets
should they arrive unencrypted on a physical interface,
for example if the SAs expire and are not replaced.
States for IPsec traffic therefore need to be bound to the
.Nm
interface.
All rules on the
.Nm
interface should explicitly set
.Dq keep state (if-bound) .
For example:
.Bd -literal -offset indent
pass in on enc0 proto ipencap from 172.25.0.45 to 1.2.3.4 \e
	keep state (if-bound)
.Ed
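.Pp
The following is an added example, not part of this manual or of the
.Xr pf 4
code base:
a small Python check that reads a
.Xr pf.conf 5
ruleset as text and reports every
.Ic pass
rule on enc0 whose state would be floating,
honouring both the per-rule option and a global
.Ic set state-policy .
The ruleset it checks is constructed for illustration.

```python
"""Check a pf.conf ruleset for the enc(4) state-binding caveat.

Added example; not code from the enc(4) manual or from OpenBSD's pf(4).
The ruleset is treated as text: every 'pass' rule on enc0 whose state
would be floating is reported.  SAMPLE_RULESET is constructed for
illustration.
"""
import re

# Constructed ruleset: the first rule follows the manual's advice, two do not,
# one is stateless, and the last one is on a physical interface (out of scope).
SAMPLE_RULESET = """\
# good: state explicitly bound to enc0
pass in on enc0 proto ipencap from 172.25.0.45 to 1.2.3.4 \\
    keep state (if-bound)
# bad: explicit floating state
pass out on enc0 proto tcp from 10.9.9.0/24 to 10.0.0.0/24 keep state (floating)
# bad: implicit state; pf keeps state by default, floating unless told otherwise
pass in on enc0 proto udp from 10.0.0.33 to 10.9.9.28 port 7001
# stateless rule: nothing to bind, so nothing to report
pass in on enc0 proto icmp from 10.0.0.0/24 to 10.9.9.0/24 no state
# not on enc0
pass out on em0 proto esp from 172.25.0.45 to 1.2.3.4 keep state
"""

ON_ENC0_RE = re.compile(r"\bon\s+enc0\b")
STATE_RE = re.compile(r"\b(?:keep|modulate|synproxy) state\s*\((?P<opts>[^)]*)\)")
POLICY_RE = re.compile(r"^set state-policy (if-bound|floating)\b")


def logical_lines(text):
    """Strip comments and join backslash continuations, as pfctl(8) would read them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        part = raw.split("#", 1)[0].rstrip()
        if part.endswith("\\"):
            buf += part[:-1] + " "
            continue
        buf += part
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():                       # dangling continuation at end of file
        lines.append(" ".join(buf.split()))
    return lines


def state_policy(rule, default):
    """Return 'if-bound', 'floating' or 'none' (stateless) for one logical rule."""
    if re.search(r"\bno state\b", rule):
        return "none"
    m = STATE_RE.search(rule)
    if m:
        opts = {o.strip() for o in m.group("opts").split(",")}
        if "if-bound" in opts:
            return "if-bound"
        if "floating" in opts:
            return "floating"
    return default        # implicit 'keep state': policy comes from 'set state-policy'


def floating_enc0_rules(text):
    """Return the pass rules on enc0 whose state would not be bound to the interface."""
    rules = logical_lines(text)
    default = "floating"  # pf's built-in default when no 'set state-policy' is given
    for r in rules:
        m = POLICY_RE.match(r)
        if m:
            default = m.group(1)
    return [r for r in rules
            if r.startswith("pass ") and ON_ENC0_RE.search(r)
            and state_policy(r, default) == "floating"]


if __name__ == "__main__":
    for rule in floating_enc0_rules(SAMPLE_RULESET):
        print("floating state on enc0:", rule)
```

Run against the constructed ruleset it reports the two rules without
.Dq if-bound ;
prefixing the ruleset with
.Dq set state-policy if-bound
leaves only the rule that explicitly asks for floating state,
which is the one a reviewer should question.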
.Pp
Secondly, the
.Nm
interface does not directly support bandwidth control via
.Xr pf 4
queueing.
Instead, IPsec packets must be tagged and the tagged packets
are assigned to queues.
.Xr ipsec.conf 5
provides an example of tag-based queueing
and further information on packet tagging.
.Pp
Finally,
the use of translation rules to map and redirect network traffic
requires some care.
Packets destined to be IPsec processed are seen by the
filter/translation engine twice,
both before and after being IPsec processed.
If a packet's translated address on the way back
fails to match an existing IPsec flow,
that is, a flow from the translated address to the original source address,
it will be discarded by the filter.
It is best to avoid this situation where possible,
though such a flow may be explicitly created in
.Xr ipsec.conf 5
to work around it.
.Pp
As noted above,
.Xr tcpdump 8
may be invoked on the
.Nm
interface to see packets prior to encapsulation and after decapsulation.
For example:
.Bd -literal -offset 3n
# tcpdump -envps 1500 -i enc0 -l | grep 10.0.0.33
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0, link-type ENC
15:05:08.934708 (authentic,confidential): SPI 0x6bcac587: \e
	172.25.0.45 \*(Gt 1.2.3.4: 10.9.9.28.7001 \*(Gt 10.0.0.33.7000: \e
	[udp sum ok] udp 52 (ttl 64, id 5672, len 80) \e
	(ttl 64, id 30009, len 100, bad cksum 0!)
15:05:09.063517 (authentic,confidential): SPI 0x4b70c05a: \e
	1.2.3.4 \*(Gt 172.25.0.45: 10.0.0.33.7000 \*(Gt 10.9.9.28.7001: \e
	[udp sum ok] udp 156 (ttl 63, id 14880, len 184) \e
	(ttl 51, id 19689, len 204)
.Ed
.Pp
The packets above show (for each direction):
timestamp, ESP (not AH, as indicated by
.Dq authentic,confidential ) ,
SPI, the outer tunnel endpoints (and hence the direction),
and the encapsulated part.
The first packet is headed from 172.25.0.45 to 1.2.3.4
and the encapsulated part from 10.9.9.28 to 10.0.0.33.
The
.Dq bad cksum 0!
on the outbound packet is expected:
the packet is seen on
.Nm
before the output path fills in the checksum of the outer IP header
(the last parenthesised group).
.Pp
Negotiations can be watched on the physical interface too:
.Bd -literal -offset 3n
# tcpdump -envps 1500 -i wi0 port 500 or port 4500
tcpdump: listening on wi0, link-type EN10MB
15:15:58.188747 0:2:6f:3a:3f:3e 0:10:f3:3:bd:8a 0800 226: \e
    172.25.0.45.500 \*(Gt 1.2.3.4.500: [udp sum ok] \e
[...]
	attribute ENCRYPTION_ALGORITHM = AES_CBC
	attribute HASH_ALGORITHM = SHA
	attribute AUTHENTICATION_METHOD = RSA_SIG
	attribute GROUP_DESCRIPTION = MODP_1024
	attribute LIFE_TYPE = SECONDS
	attribute LIFE_DURATION = 3600
	attribute KEY_LENGTH = 128
[...]
15:15:59.080058 0:10:f3:3:bd:8a 0:2:6f:3a:3f:3e 0800 226: \e
    1.2.3.4.500 \*(Gt 172.25.0.45.500: [udp sum ok] \e
[...]
	attribute ENCRYPTION_ALGORITHM = AES_CBC
	attribute HASH_ALGORITHM = SHA
	attribute AUTHENTICATION_METHOD = RSA_SIG
	attribute GROUP_DESCRIPTION = MODP_1024
	attribute LIFE_TYPE = SECONDS
	attribute LIFE_DURATION = 3600
	attribute KEY_LENGTH = 128
[...]
.Ed
.Pp
The attribute lines for the negotiation must match:
the responder's reply carries the transform it accepted
from the initiator's proposal.
If the exchange stops after the first packet,
or the attributes differ,
check that the phase 1 settings in
.Xr ipsec.conf 5
are the same on both peers.
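.Pp
The following is an added example, not part of this manual or of
.Xr tcpdump 8 :
a Python parser for the two kinds of output shown above.
It extracts SPI, outer tunnel endpoints and the encapsulated packet
from each ENC record,
and compares the attribute lists of the two IKE packets
so that a mismatch can be spotted mechanically.
The sample lines are constructed after the captures shown above,
with the backslash continuations joined and
.Dq \*(Gt
written literally;
the hardware address, ethertype and length fields of the IKE lines
are skipped.

```python
"""Parse tcpdump(8) output from enc(4) and from an IKE negotiation.

Added example; not code from the enc(4) manual, from OpenBSD or from
tcpdump.  The sample lines are constructed after the format the manual
shows, with continuations joined and '>' written literally.
"""
import re
from collections import defaultdict

# Constructed after the enc0 capture shown in the manual.
ENC0_SAMPLE = """\
15:05:08.934708 (authentic,confidential): SPI 0x6bcac587: 172.25.0.45 > 1.2.3.4: 10.9.9.28.7001 > 10.0.0.33.7000: [udp sum ok] udp 52 (ttl 64, id 5672, len 80) (ttl 64, id 30009, len 100, bad cksum 0!)
15:05:09.063517 (authentic,confidential): SPI 0x4b70c05a: 1.2.3.4 > 172.25.0.45: 10.0.0.33.7000 > 10.9.9.28.7001: [udp sum ok] udp 156 (ttl 63, id 14880, len 184) (ttl 51, id 19689, len 204)
"""

# Constructed after the IKE capture shown in the manual (attribute lines only).
IKE_SAMPLE = """\
15:15:58.188747 0:2:6f:3a:3f:3e 0:10:f3:3:bd:8a 0800 226: 172.25.0.45.500 > 1.2.3.4.500: [udp sum ok]
[...]
    attribute ENCRYPTION_ALGORITHM = AES_CBC
    attribute HASH_ALGORITHM = SHA
    attribute AUTHENTICATION_METHOD = RSA_SIG
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 3600
    attribute KEY_LENGTH = 128
[...]
15:15:59.080058 0:10:f3:3:bd:8a 0:2:6f:3a:3f:3e 0800 226: 1.2.3.4.500 > 172.25.0.45.500: [udp sum ok]
[...]
    attribute ENCRYPTION_ALGORITHM = AES_CBC
    attribute HASH_ALGORITHM = SHA
    attribute AUTHENTICATION_METHOD = RSA_SIG
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 3600
    attribute KEY_LENGTH = 128
[...]
"""

# One ENC record: time (flags): SPI 0x..: outer src > outer dst: inner src.port > inner dst.port: ...
ESP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"(?P<osrc>[\d.]+) > (?P<odst>[\d.]+): "
    r"(?P<isrc>[\d.]+)\.(?P<isport>\d+) > (?P<idst>[\d.]+)\.(?P<idport>\d+):"
)
# First line of an IKE packet: only src.port > dst.port is needed here.
PKT_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ .*?(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")
ATTR_RE = re.compile(r"^\s*attribute (?P<name>\w+) = (?P<value>\S+)")


def parse_enc0(text):
    """Return one dict per ENC record: SPI, SA endpoints (outer) and the protected packet (inner)."""
    records = []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if not m:
            continue  # anything that is not an ENC record is ignored
        flags = set(m.group("flags").split(","))
        records.append({
            "time": m.group("time"),
            "spi": int(m.group("spi"), 16),
            # 'confidential' means the payload was encrypted (ESP); AH alone shows only 'authentic'
            "encrypted": "confidential" in flags,
            "authenticated": "authentic" in flags,
            "outer": (m.group("osrc"), m.group("odst")),
            "inner": (m.group("isrc"), int(m.group("isport")),
                      m.group("idst"), int(m.group("idport"))),
        })
    return records


def spis_by_tunnel(records):
    """Map each (outer src, outer dst) direction to the SPIs seen on it; one per direction is normal."""
    tunnels = defaultdict(set)
    for r in records:
        tunnels[r["outer"]].add(r["spi"])
    return dict(tunnels)


def parse_ike(text):
    """Group attribute lines under the packet whose timestamp line precedes them."""
    packets = []
    for line in text.splitlines():
        p = PKT_RE.match(line)
        if p:
            packets.append({"src": p.group("src"), "dst": p.group("dst"), "attrs": {}})
            continue
        a = ATTR_RE.match(line)
        if a and packets:
            packets[-1]["attrs"][a.group("name")] = a.group("value")
    return packets


def proposal_mismatches(packets):
    """Compare the attributes of the first packet seen in each direction; {} means they agree."""
    by_dir = {}
    for p in packets:
        by_dir.setdefault((p["src"], p["dst"]), p["attrs"])
    if len(by_dir) != 2:
        raise ValueError("expected packets in exactly two directions, got %d" % len(by_dir))
    ours, theirs = by_dir.values()
    return {k: (ours.get(k), theirs.get(k))
            for k in sorted(set(ours) | set(theirs)) if ours.get(k) != theirs.get(k)}


if __name__ == "__main__":
    for r in parse_enc0(ENC0_SAMPLE):
        print("SPI 0x%08x %s > %s carries %s.%d > %s.%d" % ((r["spi"],) + r["outer"] + r["inner"]))
    print("IKE attribute mismatches:", proposal_mismatches(parse_ike(IKE_SAMPLE)))
```

On the constructed capture both directions carry one SPI each and the
IKE attribute lists agree, so
.Fn proposal_mismatches
returns an empty dict;
changing one attribute in either packet makes it return the differing
name with both peers' values.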
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr pf 4 ,
.Xr ipsec.conf 5 ,
.Xr pf.conf 5 ,
.Xr tcpdump 8
153