K 10
svn:author
V 2
ae
K 8
svn:date
V 27
2016-11-24T21:01:25.235058Z
K 7
svn:log
V 1674
Add IPsec virtual tunneling interface.

It can be created with ifconfig ipsec create. Then it can be configured
like a gif(4) interface: tunnel addresses and interface addresses.
But it has one additional parameter - IPsec reqid. The reqid has the same
meaning as the request id in the security policy. If no reqid was specified,
its value will be automatically assigned.

How it works.

When the interface is configured, it creates several security policies
that will look like:

0.0.0.0/0[any] 0.0.0.0/0[any] -P in \
    ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid
0.0.0.0/0[any] 0.0.0.0/0[any] -P out \
    ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid

And similar policies for IPv6. These policies match all IPv4/IPv6 traffic.
But they only work within the used ipsecN interface. The interface supports
BPF consumers and `tcpdump -ni ipsecN` will show unencrypted traffic within
this virtual tunnel.

It is possible to manually configure SAs for the IPsec tunnel using the ipsecN
interface. setkey(8) has the '-u' option to specify the reqid for an SA:

add RemoteIP LocalIP esp SPI1 -m tunnel -u ReqID -E rijndael-cbc Key;
add LocalIP RemoteIP esp SPI2 -m tunnel -u ReqID -E rijndael-cbc Key;

Also an IKEd can be configured to create the needed SAs.

How it works internally.

When the interface is configured, it registers its policies in a separate
SPDB; for this reason such policies do not affect all traffic of the system.
When an outbound packet is routed via this interface, the interface uses its
policies and invokes ipsec[46]_process_packet. For inbound packets
ipsec[46]_input_cb() passes the used SA and the decrypted mbuf to the if_input
routine, which then checks if the used SA corresponds to the configured policies.
END