sec(4) to support route-based ipsec vpns.

committing it now so jmc@ gets commits for any fixes he makes.

diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 736dd76..755ac54 100644 (file)
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.843 2023/07/08 02:43:02 jcs Exp $
+#      $OpenBSD: Makefile,v 1.844 2023/08/07 03:17:42 dlg Exp $
 
 MAN=   aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \
        acpi.4 acpiac.4 acpials.4 acpiasus.4 acpibat.4 \
@@ -84,7 +84,7 @@ MAN=  aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \
        rkrng.4 rktcphy.4 rktemp.4 rkusbphy.4 rkvop.4 \
        rl.4 rlphy.4 route.4 rsu.4 rtsx.4 rum.4 run.4 rtw.4 rtwn.4 \
        safte.4 sbus.4 schsio.4 scmi.4 scsi.4 sd.4 \
-       sdmmc.4 sdhc.4 se.4 ses.4 sf.4 sili.4 \
+       sdmmc.4 sdhc.4 se.4 sec.4 ses.4 sf.4 sili.4 \
        simpleamp.4 simpleaudio.4 simplefb.4 simplepanel.4 siop.4 sis.4 sk.4 \
        sm.4 smsc.4 sncodec.4 \
        softraid.4 spdmem.4 sdtemp.4 speaker.4 sppp.4 sqphy.4 \

diff --git a/share/man/man4/sec.4 b/share/man/man4/sec.4
new file mode 100644 (file)
index 0000000..676e32f
--- /dev/null
+++ b/share/man/man4/sec.4
@@ -0,0 +1,75 @@
+.\" $OpenBSD: sec.4,v 1.1 2023/08/07 03:17:42 dlg Exp $
+.\"
+.\" Copyright (c) 2023 David Gwynne <dlg@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: August 7 2023 $
+.Dt SEC 4
+.Os
+.Sh NAME
+.Nm sec
+.Nd Route-based IPsec VPN tunnel interface pseudo-device
+.Sh SYNOPSIS
+.Cd "pseudo-device sec"
+.Sh DESCRIPTION
+The
+.Nm
+driver provides point-to-point tunnel interfaces for IPv4 and IPv6
+protected by the Encapsulating Security Payload (ESP)
+.Xr ipsec 4
+protocol.
+.Pp
+Traffic is encapsulated in the ESP protocol and forwarded to the
+remote endpoint by routing over an
+.Nm sec
+interface rather than matching policy in the IPsec Security Policy
+Database (SPD).
+.Nm
+interfaces require the configuration of IPsec Security Associations
+.\" with the interface extension
+between the local and remote endpoints.
+Negotiation of interface SAs is supported by
+.Xr iked 8 ,
+and
+.Xr isakmpd 8
+with
+.Xr ipsecctl 8 .
+.Pp
+.Nm
+interfaces can be created at runtime using the
+.Ic ifconfig sec Ns Ar N Ic create
+command or by setting up a
+.Xr hostname.if 5
+configuration file for
+.Xr netstart 8 .
+The interface itself can be configured with
+.Xr ifconfig 8 ;
+see its manual page for more information.
+.Sh SEE ALSO
+.Xr ipsec 4 ,
+.Xr netintro 4 ,
+.Xr hostname.if 5 ,
+.Xr pf.conf 5 ,
+.Xr ifconfig 8 ,
+.Xr iked 8 ,
+.Xr ipsecctl 8 ,
+.Xr isakmpd 8 ,
+.Xr netstart 8
+.Sh HISTORY
+The
+.Nm
+driver first appeared in
+.Ox 7.4 .
+.Sh AUTHORS
+.An David Gwynne Aq Mt dlg@openbsd.org .