xref: /openbsd-src/share/man/man4/sec.4 (revision 966d87abc9dc2e449a41d2a05cc921bf6ecca561)
.\" $OpenBSD: sec.4,v 1.6 2024/09/20 01:15:53 dlg Exp $
.\"
.\" Copyright (c) 2023 David Gwynne <dlg@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: September 20 2024 $
.Dt SEC 4
.Os
.Sh NAME
.Nm sec
.Nd route based IPsec VPN tunnel interface pseudo-device
.Sh SYNOPSIS
.Cd "pseudo-device sec"
.Sh DESCRIPTION
The
.Nm
driver provides point-to-point tunnel interfaces for IPv4 and IPv6
protected by the
.Xr ipsec 4
Encapsulating Security Payload (ESP)
protocol.
.Pp
Traffic is encapsulated in the ESP protocol and forwarded to the
remote endpoint by routing over a
.Nm
interface rather than matching policy in the IPsec Security Policy
Database (SPD).
.Nm
interfaces require the configuration of IPsec Security Associations (SAs)
.\" with the interface extension
between the local and remote endpoints.
Negotiation of interface SAs is supported by
.Xr iked 8
and
.Xr isakmpd 8
(the latter via
.Xr ipsecctl 8 ) .
.\" These IPsec IKE daemons negotiate ESP tunnel mode between 0.0.0.0/0
.\" and 0.0.0.0/0.
.Pp
.Nm
interfaces can be created at runtime using the
.Ic ifconfig sec Ns Ar N Ic create
command or by setting up a
.Xr hostname.if 5
configuration file for
.Xr netstart 8 .
The interface itself can be configured with
.Xr ifconfig 8 ;
see its manual page for more information.
.Sh EXAMPLES
.Nm
can be used to provide secure and confidential IP connectivity
between sites over the public internet.
For example, a cloud provider may provide connectivity between
networks they host for a customer, and that customer's own
.Dq on premises
networks using IPsec tunnels.
.Ox
can be set up on the customer side given the following parameters:
.Pp
.Bl -tag -width Customer-Gateway -offset indent -compact
.It Pre-Shared Key
7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2
.El
.Pp
Outside IP Addresses:
.Bl -tag -width Customer-Gateway -offset indent -compact
.It Customer Gateway
192.0.2.8
.It Provider Gateway
198.51.100.14
.El
.Pp
Inside IP Addresses:
.Bl -tag -width Customer-Gateway -offset indent -compact
.It Customer Gateway
169.254.229.42/30
.It Provider Gateway
169.254.229.41/30
.El
.Pp
A
.Nm
interface can be configured on the customer gateway:
.Bd -literal -offset indent
# ifconfig sec0 create
# ifconfig sec0 inet 169.254.229.42/30 169.254.229.41
# ifconfig sec0 up
.Ed
.Pp
.Xr iked 8
can be used for IKEv2 negotiation of the IPsec tunnel with the following
.Xr iked.conf 5
configuration:
.Bd -literal -offset indent
ikev2 "s2s" active \\
	from any to any \\
	local 192.0.2.8 peer 198.51.100.14 \\
	psk "7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2" \\
	iface sec0
.Ed
.Pp
Alternatively, IKEv1 negotiation of the IPsec tunnel SAs is supported by
.Xr isakmpd 8
and
.Xr ipsecctl 8 .
The equivalent
.Xr ipsec.conf 5
configuration for the given parameters follows:
.Bd -literal -offset indent
ike interface sec0 \\
	local 192.0.2.8 peer 198.51.100.14 \\
	psk "7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2"
.Ed
.Pp
Once the Security Associations are established, communication between
the customer and provider gateways is enabled.
.Pp
Routes to networks hosted by the provider can be added using the
provider's
.Dq inside IP
address as the gateway address, or negotiated using a dynamic routing
protocol.
Multiple
.Nm
interfaces may be configured to talk to separate provider gateways,
providing redundancy or multiple paths between sites.
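.Pp
The following
.Xr hostname.if 5
file is an added example and not part of this manual page: it makes the
customer gateway configuration above persistent across reboots via
.Xr netstart 8
and adds a static route to one provider-hosted network through the
provider's inside IP; the 10.10.0.0/16 network is a constructed placeholder.

```conf
# /etc/hostname.sec0 - added example (not from sec(4)); read by netstart(8)
# Inside addresses from the table above: the local /30 address, its
# netmask, then the provider's inside IP as the point-to-point destination.
inet 169.254.229.42 255.255.255.252 169.254.229.41
up
# Static route to a network hosted by the provider (10.10.0.0/16 is a
# constructed placeholder) using the provider's inside IP as the gateway.
!route add -inet 10.10.0.0/16 169.254.229.41
```

The SAs are still negotiated by the iked.conf(5) or ipsec.conf(5) entry above; traffic over the route only flows once they are established.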
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr hostname.if 5 ,
.Xr pf.conf 5 ,
.Xr ifconfig 8 ,
.Xr iked 8 ,
.Xr ipsecctl 8 ,
.Xr isakmpd 8 ,
.Xr netstart 8
.Sh HISTORY
The
.Nm
driver first appeared in
.Ox 7.4 .
.Sh AUTHORS
.An David Gwynne Aq Mt dlg@openbsd.org .