1.\" $OpenBSD: enc.4,v 1.30 2020/02/15 22:19:51 kn Exp $ 2.\" 3.\" Copyright (c) 2006 Jason McIntyre <jmc@openbsd.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.Dd $Mdocdate: February 15 2020 $ 18.Dt ENC 4 19.Os 20.Sh NAME 21.Nm enc 22.Nd encapsulating interface 23.Sh SYNOPSIS 24.Cd "pseudo-device enc" 25.Sh DESCRIPTION 26The 27.Nm 28interface is a virtual interface for 29.Xr ipsec 4 30traffic. 31It allows packet filtering using 32.Xr pf 4 ; 33prior to encapsulation and after decapsulation, 34packets may be monitored using 35.Xr tcpdump 8 . 36.Pp 37An 38.Nm 39interface can be created at runtime using the 40.Ic ifconfig enc Ns Ar N Ic create 41command or by setting up a 42.Xr hostname.if 5 43configuration file for 44.Xr netstart 8 . 45The 46.Nm enc0 47interface will always exist and cannot be destroyed using 48.Xr ifconfig 8 . 49.Pp 50Packet filtering is documented in greater detail in 51.Xr pf.conf 5 , 52however some details relevant to filtering on the 53.Nm 54interface are documented below. 55.Pp 56Firstly, 57.Xr pf 4 58is a stateful packet filter, 59which means it can track the state of a connection. 60It does this 61.Em automatically . 62States are normally 63.Em floating , 64which means they can match packets on any interface. 65However this is a potential problem for filtering IPsec traffic: 66states need to be interface bound, 67to avoid permitting unencrypted traffic 68should the SAs expire and not be replaced. 69Therefore all rules on the 70.Nm 71interface should explicitly set 72.Dq keep state (if-bound) . 73For example: 74.Bd -literal -offset indent 75pass in on enc0 proto ipencap from 172.25.0.45 to 1.2.3.4 \e 76 keep state (if-bound) 77.Ed 78.Pp 79Secondly, the 80.Nm 81interface does not directly support bandwidth control via 82.Xr pf 4 83queueing. 84Instead, IPsec packets must be tagged and the tagged packets 85are assigned to queues. 86.Xr ipsec.conf 5 87provides an example of tag-based queueing 88and further information on packet tagging. 89.Pp 90Finally, 91the use of translation rules to map and redirect network traffic 92requires some care. 93Packets destined to be IPsec processed are seen by the 94filter/translation engine twice, 95both before and after being IPsec processed. 96If a packet's translated address 97on the way back fails to match an existing IPsec flow, 98from the translated address to the original source address, 99it will be discarded by the filter. 100It is best to avoid this situation where possible, 101though a flow may be explicitly created to work around it. 102.Pp 103As noted above, 104.Xr tcpdump 8 105may be invoked on the 106.Nm 107interface to see packets prior to encapsulation and after decapsulation. 108For example: 109.Bd -literal -offset 3n 110# tcpdump -envps 1500 -i enc0 -l | grep 10.0.0.33 111tcpdump: listening on enc0, link-type ENC 11215:05:08.934708 (authentic,confidential): SPI 0x6bcac587: \e 113 172.25.0.45 > 1.2.3.4: 10.9.9.28.7001 > 10.0.0.33.7000: \e 114 [udp sum ok] udp 52 (ttl 64, id 5672, len 80) \e 115 (ttl 64, id 30009, len 100, bad cksum 0!) 11615:05:09.063517 (authentic,confidential): SPI 0x4b70c05a: \e 117 1.2.3.4 > 172.25.0.45: 10.0.0.33.7000 > 10.9.9.28.7001: \e 118 [udp sum ok] udp 156 (ttl 63, id 14880, len 184) \e 119 (ttl 51, id 19689, len 204) 120.Ed 121.Pp 122The packets above show (for each direction): 123date, ESP (not AH), SPI, direction, and encapsulated part. 124The first packet is headed from 172.25.0.45 to 1.2.3.4 125and the encapsulated part from 10.9.9.28 to 10.0.0.33. 126.Pp 127Negotiations can be watched on the physical interface too: 128.Bd -literal -offset 3n 129# tcpdump -envps 1500 -i wi0 port 500 or port 4500 130tcpdump: listening on wi0, link-type EN10MB 13115:15:58.188747 0:2:6f:3a:3f:3e 0:10:f3:3:bd:8a 0800 226: \e 132 172.25.0.45.500 > 1.2.3.4.500: [udp sum ok] \e 133[...] 134 attribute ENCRYPTION_ALGORITHM = AES_CBC 135 attribute HASH_ALGORITHM = SHA 136 attribute AUTHENTICATION_METHOD = RSA_SIG 137 attribute GROUP_DESCRIPTION = MODP_1024 138 attribute LIFE_TYPE = SECONDS 139 attribute LIFE_DURATION = 3600 140 attribute KEY_LENGTH = 128 141[...] 14215:15:59.080058 0:10:f3:3:bd:8a 0:2:6f:3a:3f:3e 0800 226: \e 143 1.2.3.4.500 > 172.25.0.45.500: [udp sum ok] \e 144[...] 145 attribute ENCRYPTION_ALGORITHM = AES_CBC 146 attribute HASH_ALGORITHM = SHA 147 attribute AUTHENTICATION_METHOD = RSA_SIG 148 attribute GROUP_DESCRIPTION = MODP_1024 149 attribute LIFE_TYPE = SECONDS 150 attribute LIFE_DURATION = 3600 151 attribute KEY_LENGTH = 128 152[...] 153.Ed 154.Pp 155The attribute lines for the negotiation must match. 156.Sh SEE ALSO 157.Xr ipsec 4 , 158.Xr pf 4 , 159.Xr ipsec.conf 5 , 160.Xr pf.conf 5 , 161.Xr tcpdump 8 162