Unix/Linux Go Back    


NetBSD 6.1.5 - man page for kame_ipsec (netbsd section 4)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


KAME_IPSEC(4)			   BSD Kernel Interfaces Manual 		    KAME_IPSEC(4)

NAME
     ipsec -- IP security protocol

SYNOPSIS
     #include <sys/types.h>
     #include <netinet/in.h>
     #include <netinet6/ipsec.h>

     options KAME_IPSEC
     options IPSEC_ESP
     options IPSEC_NAT_T
     options IPSEC_DEBUG

DESCRIPTION
     ipsec is the first implemtation of IPSEC in NetBSD.  It is being replaced by fast_ipsec(4).

     The following kernel options are available:

     options IPSEC
     Includes support for the IPsec protocol.  IPSEC will enable secret key management part, pol-
     icy management part, AH and IPComp.  Kernel binary will not be subject to export control in
     most of countries, even if compiled with IPSEC.  For example, it should be okay to export it
     from the United States of America.  INET6 and IPSEC are orthogonal so you can get IPv4-only
     kernel with IPsec support, IPv4/v6 dual support kernel without IPsec, and so forth.  This
     option requires INET at this moment, but it should not.

     options IPSEC_DEBUG
     Enables debugging code in IPsec stack.  This option assumes IPSEC.

     options IPSEC_ESP
     Includes support for IPsec ESP protocol.  IPSEC_ESP will enable source code that is subject
     to export control in some countries (including the United States), and compiled kernel
     binary will be subject to certain restriction.  This option assumes IPSEC.

     options IPSEC_NAT_T
     Includes support for IPsec Network Address Translator Traversal (NAT-T), as described in
     RFCs 3947 and 3948.  This feature might be patent-encumbered in some countries.  This option
     assumes IPSEC and IPSEC_ESP.

SEE ALSO
     ioctl(2), socket(2), ipsec_set_policy(3), fast_ipsec(4), icmp6(4), intro(4), ip6(4),
     ipsec(4), racoon(8), setkey(8), sysctl(8)

STANDARDS
     Daniel L. McDonald, Craig Metz, and Bao G. Phan, PF_KEY Key Management API, Version 2, RFC,
     2367.

HISTORY
     The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.

BUGS
     The IPsec support is subject to change as the IPsec protocols develop.

     There is no single standard for policy engine API, so the policy engine API described herein
     is just for KAME implementation.

     AH and tunnel mode encapsulation may not work as you might expect.  If you configure inbound
     ``require'' policy against AH tunnel or any IPsec encapsulating policy with AH (like
     ``esp/tunnel/A-B/use ah/transport/A-B/require''), tunneled packets will be rejected.  This
     is because we enforce policy check on inner packet on reception, and AH authenticates encap-
     sulating (outer) packet, not the encapsulated (inner) packet (so for the receiving kernel
     there's no sign of authenticity).	The issue will be solved when we revamp our policy engine
     to keep all the packet decapsulation history.

     Under certain condition, truncated result may be raised from the kernel against SADB_DUMP
     and SADB_SPDDUMP operation on PF_KEY socket.  This occurs if there are too many database
     entries in the kernel and socket buffer for the PF_KEY socket is insufficient.  If you
     manipulate many IPsec key/policy database entries, increase the size of socket buffer or use
     sysctl(8) interface.

BSD					 January 16, 2012				      BSD
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 07:28 AM.