Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 16.0-CURRENT FreeBSD 15.0-RELEASE FreeBSD 15.0-RELEASE and Ports FreeBSD 15.0-STABLE FreeBSD 14.3-RELEASE FreeBSD 14.3-RELEASE and Ports FreeBSD 14.3-STABLE FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 15.0 FreeBSD Ports 14.3 FreeBSD Ports 14.3.quarterly FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 14.0 unstable Debian 13.1.0 Debian 12.12.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 26.0 macOS 15.7 macOS 14.8 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.7 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.3 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.2 NetBSD 7.1.2 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.2.3 NetBSD 5.2 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.8 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 16.0 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 10.0 Rocky 9.6 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

IPSEC(4)		    Kernel Interfaces Manual		      IPSEC(4)

NAME
       ipsec --	Internet Protocol Security protocol

SYNOPSIS
       options IPSEC
       options IPSEC_SUPPORT
       device crypto

       #include	<sys/types.h>
       #include	<netinet/in.h>
       #include	<netipsec/ipsec.h>
       #include	<netipsec/ipsec6.h>

DESCRIPTION
       ipsec  is  a security protocol implemented within the Internet Protocol
       layer of	the networking stack.  ipsec is	defined	for both IPv4 and IPv6
       (inet(4)	and inet6(4)).	ipsec is a set of protocols, ESP (for Encapsu-
       lating Security Payload)	AH (for	 Authentication	 Header),  and	IPComp
       (for  IP	 Payload  Compression Protocol)	that provide security services
       for IP datagrams.  AH both authenticates	and guarantees	the  integrity
       of  an  IP  packet by attaching a cryptographic checksum	computed using
       one-way hash functions.	ESP, in	addition, prevents  unauthorized  par-
       ties  from  reading  the	payload	of an IP packet	by also	encrypting it.
       IPComp tries to increase	communication performance  by  compressing  IP
       payload,	 thus  reducing	the amount of data sent.  This will help nodes
       on slow links but with enough computing power.  ipsec operates  in  one
       of two modes: transport mode or tunnel mode.  Transport mode is used to
       protect	peer-to-peer communication between end nodes.  Tunnel mode en-
       capsulates IP packets within other IP packets and is designed for secu-
       rity gateways such as VPN endpoints.

       System configuration requires the crypto(4) subsystem.

       The packets can be passed to a virtual  enc(4)  interface,  to  perform
       packet filtering	before outbound	encryption and after decapsulation in-
       bound.

       To  properly  filter on the inner packets of an ipsec tunnel with fire-
       walls, you can change the values	of the following sysctls

       Name				Default	   Enable
       net.inet.ipsec.filtertunnel	0	   1
       net.inet6.ipsec6.filtertunnel	0	   1

   Kernel interface
       ipsec is	controlled by a	key management and policy engine, that	reside
       in the operating	system kernel.	Key management is the process of asso-
       ciating keys with security associations,	also know as SAs.  Policy man-
       agement dictates	when new security associations created or destroyed.

       The key management engine can be	accessed from userland by using	PF_KEY
       sockets.	 The PF_KEY socket API is defined in RFC2367.

       The  policy  engine  is	controlled  by an extension to the PF_KEY API,
       setsockopt(2) operations, and sysctl(3) interface.  The	kernel	imple-
       ments  an  extended version of the PF_KEY interface and allows the pro-
       grammer to define IPsec policies	which are similar  to  the  per-packet
       filters.	  The setsockopt(2) interface is used to define	per-socket be-
       havior, and sysctl(3) interface is used to define host-wide default be-
       havior.

       The kernel code does not	implement a dynamic  encryption	 key  exchange
       protocol	 such  as IKE (Internet	Key Exchange).	Key exchange protocols
       are beyond what is necessary in the kernel and should be	implemented as
       daemon processes	which call the APIs.

   Policy management
       IPsec policies can be managed in	one of two ways, either	by configuring
       per-socket policies using the setsockopt(2) system calls, or by config-
       uring kernel level packet filter-based policies using the PF_KEY	inter-
       face, via the setkey(8) you can define IPsec policies  against  packets
       using  rules  similar to	packet filtering rules.	 Refer to setkey(8) on
       how to use it.

       Depending on the	socket's address family,  IPPROTO_IP  or  IPPROTO_IPV6
       transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY	socket options
       may  be	used  to  configure per-socket security	policies.  A properly-
       formed IPsec  policy  specification  structure  can  be	created	 using
       ipsec_set_policy(3)  function  and  used	as socket option value for the
       setsockopt(2) call.

       When setting policies using the setkey(8) command, the "default"	option
       instructs the system to use its default policy, as explained below, for
       processing packets.  The	following sysctl variables are	available  for
       configuring the system's	IPsec behavior.	 The variables can have	one of
       two  values.   A	1 means	"use", which means that	if there is a security
       association then	use it but if there is not then	the  packets  are  not
       processed  by  IPsec.   The value 2 is synonymous with "require", which
       requires	that a security	association must  exist	 for  the  packets  to
       move,   and   not   be	dropped.    These   terms   are	  defined   in
       ipsec_set_policy(3).

       Name				    Type	  Changeable
       net.inet.ipsec.esp_trans_deflev	    integer	  yes
       net.inet.ipsec.esp_net_deflev	    integer	  yes
       net.inet.ipsec.ah_trans_deflev	    integer	  yes
       net.inet.ipsec.ah_net_deflev	    integer	  yes
       net.inet6.ipsec6.esp_trans_deflev    integer	  yes
       net.inet6.ipsec6.esp_net_deflev	    integer	  yes
       net.inet6.ipsec6.ah_trans_deflev	    integer	  yes
       net.inet6.ipsec6.ah_net_deflev	    integer	  yes

       If the kernel does not find a matching, system wide,  policy  then  the
       default	value is applied.  The system wide default policy is specified
       by the following	sysctl(8) variables.  0	means "discard"	which asks the
       kernel to drop the packet.  1 means "none".

       Name			      Type	    Changeable
       net.inet.ipsec.def_policy      integer	    yes
       net.inet6.ipsec6.def_policy    integer	    yes

   Miscellaneous sysctl	variables
       When the	ipsec protocols	are configured for use,	all protocols are  in-
       cluded  in  the	system.	  To selectively enable/disable	protocols, use
       sysctl(8).

       Name				Default
       net.inet.esp.esp_enable		On
       net.inet.ah.ah_enable		On
       net.inet.ipcomp.ipcomp_enable	On

       In addition the following variables are accessible via  sysctl(8),  for
       tweaking	the kernel's IPsec behavior:

       Name				    Type	  Changeable
       net.inet.ipsec.ah_cleartos	    integer	  yes
       net.inet.ipsec.ah_offsetmask	    integer	  yes
       net.inet.ipsec.dfbit		    integer	  yes
       net.inet.ipsec.ecn		    integer	  yes
       net.inet.ipsec.debug		    integer	  yes
       net.inet.ipsec.natt_cksum_policy	    integer	  yes
       net.inet.ipsec.check_policy_history  integer	  yes
       net.inet.ipsec.random_id				  integeryes
       net.inet6.ipsec6.ecn		    integer	  yes
       net.inet6.ipsec6.debug		    integer	  yes

       The variables are interpreted as	follows:

       ipsec.ah_cleartos
	       If set to non-zero, the kernel clears the type-of-service field
	       in  the	IPv4 header during AH authentication data computation.
	       This variable is	used to	get current systems  to	 inter-operate
	       with  devices  that  implement RFC1826 AH.  It should be	set to
	       non-zero	(clear the type-of-service field) for RFC2402  confor-
	       mance.

       ipsec.ah_offsetmask
	       During  AH authentication data computation, the kernel will in-
	       clude a 16bit fragment offset field (including  flag  bits)  in
	       the IPv4	header,	after computing	logical	AND with the variable.
	       The  variable is	used for inter-operating with devices that im-
	       plement RFC1826 AH.  It should be set to	zero (clear the	 frag-
	       ment offset field during	computation) for RFC2402 conformance.

       ipsec.dfbit
	       This variable configures	the kernel behavior on IPv4 IPsec tun-
	       nel  encapsulation.   If	set to 0, the DF bit on	the outer IPv4
	       header will be cleared while 1 means that the outer DF  bit  is
	       set  regardless	from the inner DF bit and 2 indicates that the
	       DF bit is copied	from the inner header to the outer  one.   The
	       variable	is supplied to conform to RFC2401 chapter 6.1.

       ipsec.ecn
	       If  set to non-zero, IPv4 IPsec tunnel encapsulation/decapsula-
	       tion behavior will be friendly to ECN (explicit congestion  no-
	       tification),   as  documented  in  draft-ietf-ipsec-ecn-02.txt.
	       gif(4) talks more about the behavior.

       ipsec.debug
	       If set to  non-zero,  debug  messages  will  be	generated  via
	       syslog(3).

       ipsec.natt_cksum_policy
	       Controls	 how the kernel	handles	TCP and	UDP checksums when ESP
	       in UDP encapsulation is used for	IPsec transport	mode.  If  set
	       to  a non-zero value, the kernel	fully recomputes checksums for
	       inbound TCP segments and	UDP datagrams after they are  decapsu-
	       lated  and  decrypted.  If set to 0 and original	addresses were
	       configured for corresponding SA by the IKE daemon,  the	kernel
	       incrementally recomputes	checksums for inbound TCP segments and
	       UDP datagrams.  If addresses were not configured, the checksums
	       are ignored.

       ipsec.check_policy_history
	       Enables	strict	policy	checking  for inbound packets.	By de-
	       fault, inbound security policies	check that packets handled  by
	       IPsec  have been	decrypted and authenticated.  If this variable
	       is set to a non-zero value, each	packet	handled	 by  IPsec  is
	       checked	against	 the  history  of IPsec	security associations.
	       The IPsec security protocol, mode, and SA addresses must	match.

       ipsec.random_id
	       Enables randomization of	encapsulated IPv4 packets ID.  By  de-
	       fault, ID randomization is not enabled.

       Variables  under	 the  net.inet6.ipsec6	tree  have similar meanings to
       those described above.

PROTOCOLS
       The ipsec protocol acts as a plug-in to the inet(4) and inet6(4)	proto-
       cols and	therefore supports most	of the protocols  defined  upon	 those
       IP-layer	protocols.  The	icmp(4)	and icmp6(4) protocols may behave dif-
       ferently	 with ipsec because ipsec can prevent icmp(4) or icmp6(4) rou-
       tines from looking into the IP payload.

SEE ALSO
       ioctl(2), socket(2), ipsec_set_policy(3), crypto(4), enc(4),  icmp6(4),
       if_ipsec(4), intro(4), ip6(4), setkey(8), sysctl(8)

       S. Kent and R. Atkinson,	IP Authentication Header, RFC 2404.

       S.  Kent	 and R.	Atkinson, IP Encapsulating Security Payload (ESP), RFC
       2406.

STANDARDS
       Daniel L. McDonald, Craig Metz, and Bao G. Phan,	PF_KEY Key  Management
       API, Version 2, RFC, 2367.

       D.  L.  McDonald,  A  Simple  IP	Security API Extension to BSD Sockets,
       internet	  draft,   draft-mcdonald-simple-ipsec-api-03.txt,   work   in
       progress	material.

HISTORY
       The  original ipsec implementation appeared in the WIDE/KAME IPv6/IPsec
       stack.

       For FreeBSD 5.0 a fully locked IPsec implementation  called  fast_ipsec
       was  brought in.	 The protocols drew heavily on the OpenBSD implementa-
       tion of the IPsec protocols.  The policy	management  code  was  derived
       from  the  KAME	implementation	found  in  their IPsec protocols.  The
       fast_ipsec implementation lacked	ip6(4) support but  made  use  of  the
       crypto(4) subsystem.

       For FreeBSD 7.0 ip6(4) support was added	to fast_ipsec.	After this the
       old  KAME  IPsec	 implementation	was dropped and	fast_ipsec became what
       now is the only ipsec implementation in FreeBSD.

BUGS
       There is	no single standard for the policy engine API,  so  the	policy
       engine API described herein is just for this implementation.

       AH  and tunnel mode encapsulation may not work as you might expect.  If
       you configure inbound "require" policy with an AH tunnel	or  any	 IPsec
       encapsulating	 policy	    with    AH	  (like	   "esp/tunnel/A-B/use
       ah/transport/A-B/require"), tunnelled packets will be  rejected.	  This
       is  because  the	policy check is	enforced on the	inner packet on	recep-
       tion, and AH authenticates encapsulating	(outer)	packet,	not the	encap-
       sulated (inner) packet (so for the receiving kernel there is no sign of
       authenticity).  The issue will be solved	when we	revamp our policy  en-
       gine to keep all	the packet decapsulation history.

       When  a	large database of security associations	or policies is present
       in the kernel the SADB_DUMP and SADB_SPDDUMP operations on PF_KEY sock-
       ets may fail due	to lack	of space.  Increasing the socket  buffer  size
       may alleviate this problem.

       The IPcomp protocol may occasionally error because of zlib(3) problems.

       This documentation needs	more review.

FreeBSD	15.0			 March 4, 2025			      IPSEC(4)

---

NAME | SYNOPSIS | DESCRIPTION | PROTOCOLS | SEE ALSO | STANDARDS | HISTORY | BUGS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ipsec&sektion=4&manpath=FreeBSD+15.0-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact