From 563224da67d8e39bb96b0b59c0805a7ddf537d6b Mon Sep 17 00:00:00 2001
From: dlg
Date: Mon, 7 Aug 2023 03:17:42 +0000
Subject: [PATCH] sec(4) to support route-based ipsec vpns.

committing it now so jmc@ gets commits for any fixes he makes.
---
 share/man/man4/Makefile | 4 +--
 share/man/man4/sec.4 | 75 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 share/man/man4/sec.4

diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 736dd76330e..755ac54c06b 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.843 2023/07/08 02:43:02 jcs Exp $
+# $OpenBSD: Makefile,v 1.844 2023/08/07 03:17:42 dlg Exp $
 
 MAN=	aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \
 	acpi.4 acpiac.4 acpials.4 acpiasus.4 acpibat.4 \
@@ -84,7 +84,7 @@ MAN=	aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \
 	rkrng.4 rktcphy.4 rktemp.4 rkusbphy.4 rkvop.4 \
 	rl.4 rlphy.4 route.4 rsu.4 rtsx.4 rum.4 run.4 rtw.4 rtwn.4 \
 	safte.4 sbus.4 schsio.4 scmi.4 scsi.4 sd.4 \
-	sdmmc.4 sdhc.4 se.4 ses.4 sf.4 sili.4 \
+	sdmmc.4 sdhc.4 se.4 sec.4 ses.4 sf.4 sili.4 \
 	simpleamp.4 simpleaudio.4 simplefb.4 simplepanel.4 siop.4 sis.4 sk.4 \
 	sm.4 smsc.4 sncodec.4 \
 	softraid.4 spdmem.4 sdtemp.4 speaker.4 sppp.4 sqphy.4 \
diff --git a/share/man/man4/sec.4 b/share/man/man4/sec.4
new file mode 100644
index 00000000000..676e32f5dc0
--- /dev/null
+++ b/share/man/man4/sec.4
@@ -0,0 +1,75 @@
+.\" $OpenBSD: sec.4,v 1.1 2023/08/07 03:17:42 dlg Exp $
+.\"
+.\" Copyright (c) 2023 David Gwynne
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: August 7 2023 $
+.Dt SEC 4
+.Os
+.Sh NAME
+.Nm sec
+.Nd Route-based IPsec VPN tunnel interface pseudo-device
+.Sh SYNOPSIS
+.Cd "pseudo-device sec"
+.Sh DESCRIPTION
+The
+.Nm
+driver provides point-to-point tunnel interfaces for IPv4 and IPv6
+protected by the Encapsulating Security Payload (ESP)
+.Xr ipsec 4
+protocol.
+.Pp
+Traffic is encapsulated in the ESP protocol and forwarded to the
+remote endpoint by routing over an
+.Nm sec
+interface rather than matching policy in the IPsec Security Policy
+Database (SPD).
+.Nm
+interfaces require the configuration of IPsec Security Associations
+.\" with the interface extension
+between the local and remote endpoints.
+Negotiation of interface SAs is supported by
+.Xr iked 8 ,
+and
+.Xr isakmpd 8
+with
+.Xr ipsecctl 8 .
+.Pp
+.Nm
+interfaces can be created at runtime using the
+.Ic ifconfig sec Ns Ar N Ic create
+command or by setting up a
+.Xr hostname.if 5
+configuration file for
+.Xr netstart 8 .
+The interface itself can be configured with
+.Xr ifconfig 8 ;
+see its manual page for more information.
+.Sh SEE ALSO
+.Xr ipsec 4 ,
+.Xr netintro 4 ,
+.Xr hostname.if 5 ,
+.Xr pf.conf 5 ,
+.Xr ifconfig 8 ,
+.Xr iked 8 ,
+.Xr ipsecctl 8 ,
+.Xr isakmpd 8 ,
+.Xr netstart 8
+.Sh HISTORY
+The
+.Nm
+driver first appeared in
+.Ox 7.4 .
+.Sh AUTHORS
+.An David Gwynne Aq Mt dlg@openbsd.org .
-- 
2.20.1