Luthienstar Networks Wiki

User Tools

Site Tools

Trace: policy
docs:ipsec:policy

Table of Contents

IPSec policy

Policy Format

Policy format is direction [priority specification] policy

  • discard means that packets will be dropped if they match the policy.
  • entrust means to consult the SPD defined by setkey(8).
  • bypass means to bypass the IPsec processing. (the packet will be transmitted in clear). This is for privileged sockets.
  • ipsec means that the matching packets are subject to IPsec processing. ipsec can be followed by one or more request strings, which are formatted as below:

Request Format

Request format for IPSec is protocol / mode / src - dst [/ level].

  • protocol is either ah, esp, or ipcomp.
  • mode is either transport or tunnel.
  • src and dst specifies the IPsec endpoint. src always means the “sending node” and dst always means the “receiving node”. Therefore, when direction is in, dst is this node and src is the other node (peer). If mode is transport, both src and dst can be omitted.

level must be set to one of the following: default, use, require, or unique.

  • default means that the kernel should consult the system default policy defined by sysctl(8), such as net.inet.ipsec.esp_trans_deflev. See ipsec(4) regarding the system default.
  • use means that a relevant SA can be used when available, since the kernel may perform IPsec operation against packets when possible. In this case, packets can be transmitted in clear (when SA is not available), or encrypted (when SA is available).
  • require means that a relevant SA is required, since the kernel must perform IPsec operation against packets.
  • unique is the same as require, but adds the restriction that the SA for outbound traffic is used only for this policy.

You may need the identifier in order to relate the policy and the SA when you define the SA by manual keying. You can put the decimal number as the identifier after unique like unique: number. number must be between 1 and 32767 .

If the request string is kept unambiguous, level and slash prior to level can be omitted. However, it is encouraged to specify them explicitly to avoid unintended behavior. If level is omitted, it will be interpreted as default.

docs/ipsec/policy.txt · Last modified: 2013/09/27 12:57 by root
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki