Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 15.0-CURRENT FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.2-STABLE FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 13.0 unstable Debian 12.11.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 15.5.0 macOS 14.7.5 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.0 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

IPSEC(4)		    Kernel Interfaces Manual		      IPSEC(4)

NAME
       ipsec --	Internet Protocol Security protocol

SYNOPSIS
       options IPSEC
       options IPSEC_SUPPORT
       device crypto

       #include	<sys/types.h>
       #include	<netinet/in.h>
       #include	<netipsec/ipsec.h>
       #include	<netipsec/ipsec6.h>

DESCRIPTION
       ipsec  is  a security protocol implemented within the Internet Protocol
       layer of	the networking stack.  ipsec is	defined	for both IPv4 and IPv6
       (inet(4)	and inet6(4)).	ipsec is a set of protocols, ESP (for Encapsu-
       lating Security Payload)	AH (for	 Authentication	 Header),  and	IPComp
       (for  IP	 Payload  Compression Protocol)	that provide security services
       for IP datagrams.  AH both authenticates	and guarantees	the  integrity
       of  an  IP  packet by attaching a cryptographic checksum	computed using
       one-way hash functions.	ESP, in	addition, prevents  unauthorized  par-
       ties  from  reading  the	payload	of an IP packet	by also	encrypting it.
       IPComp tries to increase	communication performance  by  compressing  IP
       payload,	 thus  reducing	the amount of data sent.  This will help nodes
       on slow links but with enough computing power.  ipsec operates  in  one
       of two modes: transport mode or tunnel mode.  Transport mode is used to
       protect	peer-to-peer communication between end nodes.  Tunnel mode en-
       capsulates IP packets within other IP packets and is designed for secu-
       rity gateways such as VPN endpoints.

       System configuration requires the crypto(4) subsystem.

       The packets can be passed to a virtual  enc(4)  interface,  to  perform
       packet filtering	before outbound	encryption and after decapsulation in-
       bound.

       To  properly  filter on the inner packets of an ipsec tunnel with fire-
       walls, you can change the values	of the following sysctls

       Name				Default	   Enable
       net.inet.ipsec.filtertunnel	0	   1
       net.inet6.ipsec6.filtertunnel	0	   1

   Kernel interface
       ipsec is	controlled by a	key management and policy engine, that	reside
       in the operating	system kernel.	Key management is the process of asso-
       ciating keys with security associations,	also know as SAs.  Policy man-
       agement dictates	when new security associations created or destroyed.

       The key management engine can be	accessed from userland by using	PF_KEY
       sockets.	 The PF_KEY socket API is defined in RFC2367.

       The  policy  engine  is	controlled  by an extension to the PF_KEY API,
       setsockopt(2) operations, and sysctl(3) interface.  The	kernel	imple-
       ments  an  extended version of the PF_KEY interface and allows the pro-
       grammer to define IPsec policies	which are similar  to  the  per-packet
       filters.	  The setsockopt(2) interface is used to define	per-socket be-
       havior, and sysctl(3) interface is used to define host-wide default be-
       havior.

       The kernel code does not	implement a dynamic  encryption	 key  exchange
       protocol	 such  as IKE (Internet	Key Exchange).	Key exchange protocols
       are beyond what is necessary in the kernel and should be	implemented as
       daemon processes	which call the APIs.

   Policy management
       IPsec policies can be managed in	one of two ways, either	by configuring
       per-socket policies using the setsockopt(2) system calls, or by config-
       uring kernel level packet filter-based policies using the PF_KEY	inter-
       face, via the setkey(8) you can define IPsec policies  against  packets
       using  rules  similar to	packet filtering rules.	 Refer to setkey(8) on
       how to use it.

       Depending on the	socket's address family,  IPPROTO_IP  or  IPPROTO_IPV6
       transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY	socket options
       may  be	used  to  configure per-socket security	policies.  A properly-
       formed IPsec  policy  specification  structure  can  be	created	 using
       ipsec_set_policy(3)  function  and  used	as socket option value for the
       setsockopt(2) call.

       When setting policies using the setkey(8) command, the "default"	option
       instructs the system to use its default policy, as explained below, for
       processing packets.  The	following sysctl variables are	available  for
       configuring the system's	IPsec behavior.	 The variables can have	one of
       two  values.   A	1 means	"use", which means that	if there is a security
       association then	use it but if there is not then	the  packets  are  not
       processed  by  IPsec.   The value 2 is synonymous with "require", which
       requires	that a security	association must  exist	 for  the  packets  to
       move,   and   not   be	dropped.    These   terms   are	  defined   in
       ipsec_set_policy(8).

       Name				    Type	  Changeable
       net.inet.ipsec.esp_trans_deflev	    integer	  yes
       net.inet.ipsec.esp_net_deflev	    integer	  yes
       net.inet.ipsec.ah_trans_deflev	    integer	  yes
       net.inet.ipsec.ah_net_deflev	    integer	  yes
       net.inet6.ipsec6.esp_trans_deflev    integer	  yes
       net.inet6.ipsec6.esp_net_deflev	    integer	  yes
       net.inet6.ipsec6.ah_trans_deflev	    integer	  yes
       net.inet6.ipsec6.ah_net_deflev	    integer	  yes

       If the kernel does not find a matching, system wide,  policy  then  the
       default	value is applied.  The system wide default policy is specified
       by the following	sysctl(8) variables.  0	means "discard"	which asks the
       kernel to drop the packet.  1 means "none".

       Name			      Type	    Changeable
       net.inet.ipsec.def_policy      integer	    yes
       net.inet6.ipsec6.def_policy    integer	    yes

   Miscellaneous sysctl	variables
       When the	ipsec protocols	are configured for use,	all protocols are  in-
       cluded  in  the	system.	  To selectively enable/disable	protocols, use
       sysctl(8).

       Name				Default
       net.inet.esp.esp_enable		On
       net.inet.ah.ah_enable		On
       net.inet.ipcomp.ipcomp_enable	On

       In addition the following variables are accessible via  sysctl(8),  for
       tweaking	the kernel's IPsec behavior:

       Name				    Type	  Changeable
       net.inet.ipsec.ah_cleartos	    integer	  yes
       net.inet.ipsec.ah_offsetmask	    integer	  yes
       net.inet.ipsec.dfbit		    integer	  yes
       net.inet.ipsec.ecn		    integer	  yes
       net.inet.ipsec.debug		    integer	  yes
       net.inet.ipsec.natt_cksum_policy	    integer	  yes
       net.inet.ipsec.check_policy_history  integer	  yes
       net.inet6.ipsec6.ecn		    integer	  yes
       net.inet6.ipsec6.debug		    integer	  yes

       The variables are interpreted as	follows:

       ipsec.ah_cleartos
	       If set to non-zero, the kernel clears the type-of-service field
	       in  the	IPv4 header during AH authentication data computation.
	       This variable is	used to	get current systems  to	 inter-operate
	       with  devices  that  implement RFC1826 AH.  It should be	set to
	       non-zero	(clear the type-of-service field) for RFC2402  confor-
	       mance.

       ipsec.ah_offsetmask
	       During  AH authentication data computation, the kernel will in-
	       clude a 16bit fragment offset field (including  flag  bits)  in
	       the IPv4	header,	after computing	logical	AND with the variable.
	       The  variable is	used for inter-operating with devices that im-
	       plement RFC1826 AH.  It should be set to	zero (clear the	 frag-
	       ment offset field during	computation) for RFC2402 conformance.

       ipsec.dfbit
	       This variable configures	the kernel behavior on IPv4 IPsec tun-
	       nel  encapsulation.   If	set to 0, the DF bit on	the outer IPv4
	       header will be cleared while 1 means that the outer DF  bit  is
	       set  regardless	from the inner DF bit and 2 indicates that the
	       DF bit is copied	from the inner header to the outer  one.   The
	       variable	is supplied to conform to RFC2401 chapter 6.1.

       ipsec.ecn
	       If  set to non-zero, IPv4 IPsec tunnel encapsulation/decapsula-
	       tion behavior will be friendly to ECN (explicit congestion  no-
	       tification),   as  documented  in  draft-ietf-ipsec-ecn-02.txt.
	       gif(4) talks more about the behavior.

       ipsec.debug
	       If set to  non-zero,  debug  messages  will  be	generated  via
	       syslog(3).

       ipsec.natt_cksum_policy
	       Controls	 how the kernel	handles	TCP and	UDP checksums when ESP
	       in UDP encapsulation is used for	IPsec transport	mode.  If  set
	       to  a non-zero value, the kernel	fully recomputes checksums for
	       inbound TCP segments and	UDP datagrams after they are  decapsu-
	       lated  and  decrypted.  If set to 0 and original	addresses were
	       configured for corresponding SA by the IKE daemon,  the	kernel
	       incrementally recomputes	checksums for inbound TCP segments and
	       UDP datagrams.  If addresses were not configured, the checksums
	       are ignored.

       ipsec.check_policy_history
	       Enables	strict	policy	checking  for inbound packets.	By de-
	       fault, inbound security policies	check that packets handled  by
	       IPsec  have been	decrypted and authenticated.  If this variable
	       is set to a non-zero value, each	packet	handled	 by  IPsec  is
	       checked	against	 the  history  of IPsec	security associations.
	       The IPsec security protocol, mode, and SA addresses must	match.

       Variables under the net.inet6.ipsec6  tree  have	 similar  meanings  to
       those described above.

PROTOCOLS
       The ipsec protocol acts as a plug-in to the inet(4) and inet6(4)	proto-
       cols  and  therefore  supports most of the protocols defined upon those
       IP-layer	protocols.  The	icmp(4)	and icmp6(4) protocols may behave dif-
       ferently	with ipsec because ipsec can prevent icmp(4) or	icmp6(4)  rou-
       tines from looking into the IP payload.

SEE ALSO
       ioctl(2),    socket(2),	  ipsec_set_policy(3),	  crypto(4),   enc(4),
       if_ipsec(4), icmp6(4), intro(4),	ip6(4),	setkey(8), sysctl(8)

       S. Kent and R. Atkinson,	IP Authentication Header, RFC 2404.

       S. Kent and R. Atkinson,	IP Encapsulating Security Payload  (ESP),  RFC
       2406.

STANDARDS
       Daniel  L. McDonald, Craig Metz,	and Bao	G. Phan, PF_KEY	Key Management
       API, Version 2, RFC, 2367.

       D. L. McDonald, A Simple	IP Security  API  Extension  to	 BSD  Sockets,
       internet	  draft,   draft-mcdonald-simple-ipsec-api-03.txt,   work   in
       progress	material.

HISTORY
       The original ipsec implementation appeared in the WIDE/KAME  IPv6/IPsec
       stack.

       For  FreeBSD  5.0 a fully locked	IPsec implementation called fast_ipsec
       was brought in.	The protocols drew heavily on the OpenBSD  implementa-
       tion  of	 the  IPsec protocols.	The policy management code was derived
       from the	KAME implementation  found  in	their  IPsec  protocols.   The
       fast_ipsec  implementation  lacked  ip6(4)  support but made use	of the
       crypto(4) subsystem.

       For FreeBSD 7.0 ip6(4) support was added	to fast_ipsec.	After this the
       old KAME	IPsec implementation was dropped and  fast_ipsec  became  what
       now is the only ipsec implementation in FreeBSD.

BUGS
       There  is  no  single standard for the policy engine API, so the	policy
       engine API described herein is just for this implementation.

       AH and tunnel mode encapsulation	may not	work as	you might expect.   If
       you  configure  inbound "require" policy	with an	AH tunnel or any IPsec
       encapsulating	policy	  with	  AH	 (like	   "esp/tunnel/A-B/use
       ah/transport/A-B/require"),  tunnelled  packets will be rejected.  This
       is because the policy check is enforced on the inner packet  on	recep-
       tion, and AH authenticates encapsulating	(outer)	packet,	not the	encap-
       sulated (inner) packet (so for the receiving kernel there is no sign of
       authenticity).	The issue will be solved when we revamp	our policy en-
       gine to keep all	the packet decapsulation history.

       When a large database of	security associations or policies  is  present
       in the kernel the SADB_DUMP and SADB_SPDDUMP operations on PF_KEY sock-
       ets  may	 fail due to lack of space.  Increasing	the socket buffer size
       may alleviate this problem.

       The IPcomp protocol may occasionally error because of zlib(3) problems.

       This documentation needs	more review.

FreeBSD	13.2		       February	6, 2017			      IPSEC(4)

---

NAME | SYNOPSIS | DESCRIPTION | PROTOCOLS | SEE ALSO | STANDARDS | HISTORY | BUGS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ipsec&sektion=4&manpath=FreeBSD+14.2-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact