| IPSEC(4) | Device Drivers Manual | IPSEC(4) | 
ipsec — IP security protocol
options IPSEC
options IPSEC_DEBUG
ipsec is a security protocol in the
    Internet Protocol (IP) layer. ipsec is defined for
    both IPv4 and IPv6 (inet(4) and
    inet6(4)).
    ipsec consists of three sub-protocols:

Encapsulated Security Payload (ESP)
    protects the IP payload from interception (wire-tapping) by encrypting it with secret-key cryptographic algorithms.

Authentication Header (AH)
    guarantees the integrity of the IP packet and protects it from alteration in transit or impersonation by attaching a cryptographic checksum computed with a keyed one-way hash function.

IP Payload Compression Protocol (IPComp)
    improves communication performance by compressing the datagrams. Compression should be applied before the packet is encrypted, since ciphertext does not compress.

ipsec has two operation modes:

Transport mode
    protects peer-to-peer communication between end nodes.

Tunnel mode
    includes IP-in-IP encapsulation and is designed for security gateways, as in VPN configurations.
ipsec is controlled by two engines in the kernel: one
  for key management and one for policy.
The key management engine can be accessed from userland by using
    PF_KEY sockets. The PF_KEY
    socket API is defined in RFC2367.
The policy engine can be controlled through the
    PF_KEY API,
    setsockopt(2) operations,
    and the sysctl(3) interface.
    The kernel implements an extended version of the
    PF_KEY interface and allows you to define IPsec
    policy like per-packet filters.
    setsockopt(2) is used to
    define per-socket behavior, and
    sysctl(3) is used to define
    host-wide default behavior.
The kernel does not implement dynamic encryption key exchange protocols like IKE (Internet Key Exchange). That should be done in userland (usually as a daemon), using the APIs described above.
The kernel implements an experimental policy management code. You can manage IPsec policy in two ways. One is to configure per-socket policy using setsockopt(2). The other is to configure kernel packet-filter-based policy through the PF_KEY interface, via setkey(8). In both cases, IPsec policy must be specified with the syntax described in ipsec_set_policy(3).
With setsockopt(2), you can define IPsec policy on a per-socket basis. You can enforce particular IPsec policy on packets that go through a particular socket.
With setkey(8) you can define IPsec policy for packets using a form of packet filtering rules. See setkey(8) for details.
In the latter case, the “default” level may be used with setkey(8). A policy whose level is default takes its effective level from the following system-wide sysctl(8) variables: 1 means “use” and 2 means “require” in the syntax of ipsec_set_policy(3). The _trans_deflev variables apply to transport-mode policies and the _net_deflev variables to tunnel-mode policies.
| Name | Type | Changeable | 
| net.inet.ipsec.esp_trans_deflev | integer | yes | 
| net.inet.ipsec.esp_net_deflev | integer | yes | 
| net.inet.ipsec.ah_trans_deflev | integer | yes | 
| net.inet.ipsec.ah_net_deflev | integer | yes | 
| net.inet6.ipsec6.esp_trans_deflev | integer | yes | 
| net.inet6.ipsec6.esp_net_deflev | integer | yes | 
| net.inet6.ipsec6.ah_trans_deflev | integer | yes | 
| net.inet6.ipsec6.ah_net_deflev | integer | yes | 
If the kernel finds no matching policy, the system-wide default value is applied. System-wide defaults are specified by the following sysctl(8) variables. 0 means “discard”, which asks the kernel to drop the packet; 1 means “none”, which lets the packet pass without IPsec processing.
| Name | Type | Changeable | 
| net.inet.ipsec.def_policy | integer | yes | 
| net.inet6.ipsec6.def_policy | integer | yes | 
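The two policy forms described above, as an added setkey(8) policy file that is not part of this manual page or of NetBSD. The addresses (192.0.2.x, 198.51.100.x, 203.0.113.0/24, 10.0.x.0/24) are documentation ranges chosen here; substitute your own. It contrasts a fixed “require” level with the “default” level that defers to the _deflev sysctl variables listed above.

```conf
# Added example for `setkey -f`; not from the ipsec(4) page. Addresses are
# placeholders chosen for this example.
spdflush;

# Transport-mode ESP between two hosts, level fixed to "require": matching
# traffic is dropped unless it is carried by ESP.
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;

# Same host, another peer network, level "default": the kernel consults
# net.inet.ipsec.esp_trans_deflev (1 = use, 2 = require) when the policy
# matches, so the strength can be changed with sysctl(8) without reloading
# the SPD.
spdadd 192.0.2.10 203.0.113.0/24 any -P out ipsec esp/transport//default;
spdadd 203.0.113.0/24 192.0.2.10 any -P in  ipsec esp/transport//default;

# Tunnel mode between gateways 198.51.100.1 (local) and 198.51.100.2 (remote).
# "default" here is resolved through esp_net_deflev, not esp_trans_deflev.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/198.51.100.1-198.51.100.2/default;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.2-198.51.100.1/default;
```

Load it with `setkey -f file`, then pick the meaning of “default” with `sysctl -w net.inet.ipsec.esp_trans_deflev=2` and `sysctl -w net.inet.ipsec.esp_net_deflev=2` (2 = require). With the stricter setting, matching packets are dropped until the IKE daemon has installed the corresponding SAs; with 1 (use), they pass in the clear when no SA exists, so audit the value on any host that relies on the default level.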
The following variables are accessible via sysctl(8) for tweaking kernel IPsec behavior:
| Name | Type | Changeable | 
| net.inet.ipsec.ah_cleartos | integer | yes | 
| net.inet.ipsec.ah_offsetmask | integer | yes | 
| net.inet.ipsec.crypto_support | integer | yes | 
| net.inet.ipsec.dfbit | integer | yes | 
| net.inet.ipsec.ecn | integer | yes | 
| net.inet.ipsec.debug | integer | yes | 
| net.inet6.ipsec6.ecn | integer | yes | 
| net.inet6.ipsec6.debug | integer | yes | 
The variables are interpreted as follows:

ipsec.ah_cleartos
    If set to non-zero, the kernel clears the type-of-service field of the IPv4 header while computing the AH authentication data. The variable exists for interoperability with devices that implement RFC1826 AH; it should be set to 1 (clear the field) for RFC2402 conformance.

ipsec.ah_offsetmask
    While computing the AH authentication data, the kernel includes the 16-bit fragment offset field of the IPv4 header (flag bits included) after ANDing it with this mask. The variable exists for interoperability with devices that implement RFC1826 AH; it should be set to 0 (exclude the field) for RFC2402 conformance.

ipsec.crypto_support
    Passed to opencrypto(9) when an IPsec crypto session is created; it selects which driver classes (hardware, software, or both) the kernel may use for IPsec transforms.

ipsec.dfbit
    Controls the DF (don't fragment) bit of the outer IPv4 header in tunnel mode: 0 clears it, 1 sets it, and 2 copies it from the inner header.

ipsec.ecn
    If set to non-zero, IPv4 IPsec tunnel encapsulation and decapsulation are friendly to ECN (explicit congestion notification), as documented in draft-ietf-ipsec-ecn-02.txt. gif(4) talks more about the behavior.

ipsec.debug
    If set to non-zero, debug messages are generated via syslog(3). The debug output is only compiled in when the kernel is built with options IPSEC_DEBUG.

Variables under the net.inet6.ipsec6 tree have similar meanings to their net.inet.ipsec counterparts.
System configuration requires the opencrypto(9) subsystem. When the Fast IPsec protocols are configured for use, all protocols are included in the system. To selectively enable/disable protocols, use sysctl(8).
ipsec protocol works like a plug-in to
  inet(4) and
  inet6(4) protocols. Therefore,
  ipsec supports most of the protocols defined upon
  those IP-layer protocols. Some of the protocols, like
  icmp(4) or
  icmp6(4), may behave differently
  with ipsec. This is because
  ipsec can prevent
  icmp(4) or
  icmp6(4) routines from looking
  into IP payload.
Support for IPv6 and IPcomp protocols has been added in NetBSD 4.0.
Support for Network Address Translator Traversal as described in RFCs 3947 and 3948 has been added in NetBSD 5.0.
Since NetBSD 6.0, the IPsec implementation formerly known as Fast IPsec is used.
There is no single standard for policy engine API, so the policy engine API described herein is just for the version introduced by KAME.
AH and tunnel mode encapsulation may not work as you might expect.
    If you configure inbound “require” policy against AH tunnel or
    any IPsec encapsulating policy with AH (like
    “esp/tunnel/A-B/use
    ah/transport/A-B/require”), tunneled packets will be rejected.
    This is because we enforce policy check on inner packet on reception, and AH
    authenticates encapsulating (outer) packet, not the encapsulated (inner)
    packet (so for the receiving kernel there's no sign of authenticity). The
    issue will be solved when we revamp our policy engine to keep all the packet
    decapsulation history.
Under certain conditions the kernel may return a truncated result for SADB_DUMP and SADB_SPDDUMP operations on a PF_KEY socket. This occurs when there are too many database entries in the kernel and the receive buffer of the PF_KEY socket is too small to hold the reply. If you manipulate many IPsec key/policy database entries, increase the socket buffer size or use the sysctl(8) interface instead.
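The PF_KEY exchange described under key management above, and the truncated-dump failure just noted, as an added example that is not code from this manual page or from NetBSD. It builds a header-only dump request and validates a reply by comparing the byte count read(2) returned against the length the kernel declared in sadb_msg_len. The structures are written out from RFC 2367 rather than taken from <net/pfkeyv2.h> so the block compiles anywhere; the value 18 for SADB_X_SPDDUMP is KAME's numbering as assumed here and must be checked against the system header. The sample reply is constructed, not captured from a kernel.

```c
/* Added example, not from ipsec(4) or the NetBSD sources. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PF_KEY_V2          2
#define SADB_DUMP          10  /* RFC 2367 */
#define SADB_X_SPDDUMP     18  /* KAME policy dump; assumed value, check <net/pfkeyv2.h> */
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_ESP    3
#define SADB_EXT_RESERVED  0
#define SADB_EXT_SA        1

/* Message and extension headers as laid out in RFC 2367 section 2.
 * All length fields count 64-bit words, so byte length = len * 8. */
struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };

enum pfkey_status {
    PFKEY_OK = 0,
    PFKEY_BAD_HEADER,   /* too short, wrong version or impossible length */
    PFKEY_KERNEL_ERRNO, /* kernel rejected the request, sadb_msg_errno set */
    PFKEY_TRUNCATED,    /* fewer bytes arrived than the header declares */
    PFKEY_BAD_EXT       /* an extension header overruns the message */
};

/* Build a header-only request (SADB_DUMP or SADB_X_SPDDUMP).
 * Returns the byte count to write(2) to the PF_KEY socket, 0 on error. */
size_t pfkey_build_request(uint8_t type, uint32_t seq, uint32_t pid,
                           uint8_t *buf, size_t buflen)
{
    struct sadb_msg m;
    if (buflen < sizeof m) return 0;
    memset(&m, 0, sizeof m);
    m.sadb_msg_version = PF_KEY_V2;
    m.sadb_msg_type    = type;
    m.sadb_msg_satype  = SADB_SATYPE_UNSPEC; /* every SA type */
    m.sadb_msg_len     = sizeof m / 8;       /* 2 words: no extensions */
    m.sadb_msg_seq     = seq;
    m.sadb_msg_pid     = pid;
    memcpy(buf, &m, sizeof m);
    return sizeof m;
}

/* Validate one reply; `got` is what read(2) returned for it. got < declared
 * is the truncated dump from BUGS. On PFKEY_OK *nexts is the extension count. */
enum pfkey_status pfkey_check_reply(const uint8_t *buf, size_t got, unsigned *nexts)
{
    struct sadb_msg m;
    size_t declared, off;
    unsigned n = 0;

    if (got < sizeof m) return PFKEY_BAD_HEADER;
    memcpy(&m, buf, sizeof m);
    if (m.sadb_msg_version != PF_KEY_V2) return PFKEY_BAD_HEADER;
    declared = (size_t)m.sadb_msg_len * 8;
    if (declared < sizeof m) return PFKEY_BAD_HEADER;
    if (m.sadb_msg_errno != 0) return PFKEY_KERNEL_ERRNO;
    if (got < declared) return PFKEY_TRUNCATED;

    /* Walk the extensions without trusting their self-declared lengths. */
    for (off = sizeof m; off < declared; off += (size_t)0) {
        struct sadb_ext e;
        size_t elen;
        if (declared - off < sizeof e) return PFKEY_BAD_EXT;
        memcpy(&e, buf + off, sizeof e);
        elen = (size_t)e.sadb_ext_len * 8;
        if (e.sadb_ext_type == SADB_EXT_RESERVED || elen < sizeof e ||
            elen > declared - off)
            return PFKEY_BAD_EXT;
        n++;
        off += elen;
    }
    if (nexts) *nexts = n;
    return PFKEY_OK;
}

/* Constructed sample (not captured from a kernel): an SADB_DUMP reply with one
 * 16-byte SADB_EXT_SA extension, 32 bytes total. With `truncate` set it reports
 * 8 bytes fewer than declared, as a too-small socket buffer would deliver. */
size_t sample_dump_reply(uint8_t *buf, size_t buflen, int truncate)
{
    struct sadb_msg m;
    struct sadb_ext e;
    const size_t total = sizeof m + 16;
    if (buflen < total) return 0;
    memset(buf, 0, total);
    memset(&m, 0, sizeof m);
    m.sadb_msg_version = PF_KEY_V2;
    m.sadb_msg_type    = SADB_DUMP;
    m.sadb_msg_satype  = SADB_SATYPE_ESP;
    m.sadb_msg_len     = (uint16_t)(total / 8);
    m.sadb_msg_seq     = 1;
    memcpy(buf, &m, sizeof m);
    e.sadb_ext_len  = 2;            /* struct sadb_sa is 16 bytes */
    e.sadb_ext_type = SADB_EXT_SA;
    memcpy(buf + sizeof m, &e, sizeof e); /* SA body left zero */
    return truncate ? total - 8 : total;
}
```

On a NetBSD host the request goes to a socket opened with socket(PF_KEY, SOCK_RAW, PF_KEY_V2); the kernel answers a dump with one message per entry, so read(2) is called in a loop and each message is passed through pfkey_check_reply() before any field is used. A PFKEY_TRUNCATED result is the condition described above: raise the socket's receive buffer with setsockopt(SO_RCVBUF) before resending the dump, or fall back to the sysctl(8) interface as the page suggests.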
Certain legacy authentication algorithms are not supported because of issues with the opencrypto(9) subsystem.
| June 13, 2018 | NetBSD 9.4 |