docs:ipsec:policy

Differences

This shows you the differences between two versions of the page.

Previous revision: docs:ipsec:policy [2013/09/27 12:23] – created root
Current revision: docs:ipsec:policy [2013/09/27 12:57] (current) root
====== IPSec policy ======

===== Policy Format =====
Policy format is **__direction__ [__priority__ __specification__] __policy__**
  * ''discard'' means that packets will be dropped if they match the policy.
  * ''entrust'' means to consult the SPD defined by setkey(8).
  * ''bypass'' means to bypass IPsec processing (the packet will be transmitted in the clear). This is for privileged sockets.
  * ''ipsec'' means that the matching packets are subject to IPsec processing. ''ipsec'' can be followed by one or more **request** strings, which are formatted as below:

===== Request Format =====
Request format for IPsec is **__protocol__ / __mode__ / __src__ - __dst__ [/ __level__]**.

  * **protocol** is either ''ah'', ''esp'', or ''ipcomp''
  * **mode** is either ''transport'' or ''tunnel''
  * **src** and **dst** specify the IPsec endpoints. **src** always means the "sending node" and **dst** always means the "receiving node". Therefore, when direction is //in//, **dst** is this node and **src** is the other node (peer). If mode is transport, both src and dst can be omitted.

**level** must be set to one of the following: **default**, **use**, **require**, or **unique**.

  * **default** means that the kernel should consult the system default policy defined by sysctl(8), such as net.inet.ipsec.esp_trans_deflev. See ipsec(4) regarding the system default.
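As an added example (not code from this wiki page or from setkey itself), a small validator for the policy and request string formats described above. It assumes that no priority specification is present, that an omitted level means ''default'', and that tunnel mode requires explicit src-dst endpoints:

```python
# Added example (not the wiki's code): validator for the policy and request string
# formats above. Assumed: no priority spec, omitted level = "default", tunnel needs endpoints.
from dataclasses import dataclass
from typing import List, Optional
DIRECTIONS = {"in", "out"}
POLICIES = {"discard", "entrust", "bypass", "ipsec"}
PROTOCOLS = {"ah", "esp", "ipcomp"}
MODES = {"transport", "tunnel"}
LEVELS = {"default", "use", "require", "unique"}

@dataclass
class Request:
    protocol: str
    mode: str
    src: Optional[str]  # None when omitted (allowed in transport mode only)
    dst: Optional[str]
    level: str

@dataclass
class Policy:
    direction: str
    policy: str
    requests: List[Request]  # empty unless policy is "ipsec"

def parse_request(text: str) -> Request:
    # One 'protocol/mode/src-dst[/level]' request string.
    parts = text.split("/")
    if len(parts) not in (3, 4):
        raise ValueError(f"bad request {text!r}: want protocol/mode/src-dst[/level]")
    proto, mode, endpoints = parts[:3]
    level = parts[3] if len(parts) == 4 else "default"  # assumed when omitted
    if proto not in PROTOCOLS or mode not in MODES or level not in LEVELS:
        raise ValueError(f"unknown protocol, mode or level in {text!r}")
    if endpoints:
        src, dst = endpoints.split("-", 1)  # IPv6 uses ':' never '-', so safe
        if not src or not dst:
            raise ValueError(f"incomplete endpoints {endpoints!r}")
    elif mode == "transport":
        src = dst = None  # src and dst may be omitted in transport mode
    else:
        raise ValueError("tunnel mode requires explicit src-dst endpoints")
    return Request(proto, mode, src, dst, level)

def parse_policy(text: str) -> Policy:
    # 'direction policy [request ...]'; a priority specification is not handled.
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] not in DIRECTIONS or tokens[1] not in POLICIES:
        raise ValueError(f"bad policy {text!r}: want '<in|out> <policy> [request ...]'")
    direction, policy, rest = tokens[0], tokens[1], tokens[2:]
    if (policy == "ipsec") != bool(rest):
        raise ValueError("only 'ipsec' takes request strings, and it needs at least one")
    return Policy(direction, policy, [parse_request(r) for r in rest])
```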
docs/ipsec/policy.1380277416.txt.gz · Last modified: 2013/09/27 12:23 by root