docs:ipsec:policy (docs/ipsec/policy, last modified 2013/09/27 12:57 by root)

===== Policy Format =====
The policy format is **__direction__ [__priority__ __specification__] __policy__**, where **policy** is one of:
  * ''discard'' means that packets will be dropped if they match the policy.
  * ''entrust'' means to consult the SPD defined by setkey(8).
  * ''bypass'' means to bypass the IPsec processing (the packet will be transmitted in the clear). This is for privileged sockets.
  * ''ipsec'' means that the matching packets are subject to IPsec processing. ''ipsec'' can be followed by one or more **request** strings, which are formatted as below:
  
===== Request Format =====
The request format for IPsec is **__protocol__ / __mode__ / __src__ - __dst__ [/ __level__]**.
  
  * **protocol** is either ''ah'', ''esp'', or ''ipcomp''.
  * **mode** is either ''transport'' or ''tunnel''.
  * **src** and **dst** specify the IPsec endpoints. **src** always means the "sending node" and **dst** always means the "receiving node". Therefore, when direction is //in//, **dst** is this node and **src** is the other node (peer); when direction is //out//, **src** is this node and **dst** is the peer. If mode is transport, both src and dst can be omitted.
  
**level** must be set to one of the following: **default**, **use**, **require**, or **unique**.
    
  * **default** means that the kernel should consult the system default policy defined by sysctl(8), such as net.inet.ipsec.esp_trans_deflev. See ipsec(4) regarding the system default.
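As an added example (not part of this page and not code from the KAME/setkey project), the following Python parser and validator accepts policy strings in exactly the format described above and rejects strings that break the documented rules, for instance a tunnel-mode request with the endpoints omitted. It makes a few assumptions the page does not state: direction is ''in'' or ''out'', the optional priority specification is not modelled, src and dst are bare IPv4/IPv6 address literals, and an omitted level is treated as ''default''.

```python
"""Parser/validator for ipsec policy strings: direction [priority spec] policy,
where an 'ipsec' policy carries request strings protocol/mode[/src-dst][/level].

Added example, not code from the page or from setkey. Assumptions not stated
on the page: direction is "in" or "out"; the priority specification is not
modelled; src/dst are plain IP literals; an omitted level means "default".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DIRECTIONS = {"in", "out"}                       # assumption: only these two
ACTIONS = {"discard", "entrust", "bypass", "ipsec"}
PROTOCOLS = {"ah", "esp", "ipcomp"}
MODES = {"transport", "tunnel"}
LEVELS = {"default", "use", "require", "unique"}


class PolicyError(ValueError):
    """Raised for any string that does not fit the documented format."""


@dataclass
class Request:
    protocol: str
    mode: str
    src: Optional[str]          # None when omitted (allowed in transport mode only)
    dst: Optional[str]
    level: str


@dataclass
class Policy:
    direction: str
    action: str
    requests: List[Request] = field(default_factory=list)

    def local_and_peer(self, req: Request) -> Tuple[Optional[str], Optional[str]]:
        """src is always the sending node: for 'in' dst is this node and src the
        peer, for 'out' it is the other way round."""
        return (req.dst, req.src) if self.direction == "in" else (req.src, req.dst)


def _parse_endpoints(text: str, mode: str) -> Tuple[Optional[str], Optional[str]]:
    if text == "":
        if mode != "transport":
            raise PolicyError("src-dst may only be omitted in transport mode")
        return None, None
    if "-" not in text:
        raise PolicyError(f"endpoints must be written as src-dst: {text!r}")
    src, dst = (part.strip() for part in text.split("-", 1))
    for addr in (src, dst):
        try:
            ipaddress.ip_address(addr)          # assumption: bare address literals
        except ValueError as exc:
            raise PolicyError(f"bad endpoint address {addr!r}") from exc
    return src, dst


def parse_request(text: str) -> Request:
    """Parse one request, e.g. 'esp/tunnel/192.0.2.1-198.51.100.1/require'."""
    parts = text.split("/")
    if not 2 <= len(parts) <= 4:
        raise PolicyError(f"request must be protocol/mode[/src-dst][/level]: {text!r}")
    protocol, mode = parts[0], parts[1]
    if protocol not in PROTOCOLS:
        raise PolicyError(f"unknown protocol {protocol!r}")
    if mode not in MODES:
        raise PolicyError(f"unknown mode {mode!r}")
    src, dst = _parse_endpoints(parts[2] if len(parts) > 2 else "", mode)
    level = parts[3] if len(parts) > 3 else "default"   # assumption: omitted => default
    if level not in LEVELS:
        raise PolicyError(f"unknown level {level!r}")
    return Request(protocol, mode, src, dst, level)


def parse_policy(text: str) -> Policy:
    """Parse a whole policy string, e.g. 'out ipsec esp/transport//require'."""
    tokens = text.split()
    if len(tokens) < 2:
        raise PolicyError("policy needs at least a direction and a policy keyword")
    direction, action, rest = tokens[0], tokens[1], tokens[2:]
    if direction not in DIRECTIONS:
        raise PolicyError(f"direction must be one of {sorted(DIRECTIONS)}")
    if action not in ACTIONS:
        raise PolicyError(f"policy must be one of {sorted(ACTIONS)}")
    if action != "ipsec" and rest:
        raise PolicyError(f"{action} takes no request strings")
    return Policy(direction, action, [parse_request(r) for r in rest])


def is_valid(text: str) -> bool:
    try:
        parse_policy(text)
        return True
    except PolicyError:
        return False


if __name__ == "__main__":
    # Constructed samples: ESP required in transport mode; an ESP tunnel
    # wrapped in AH transport; and a tunnel request missing its endpoints.
    for sample in ("in ipsec esp/transport//require",
                   "out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique ah/transport//use",
                   "out ipsec esp/tunnel//require"):
        try:
            print(sample, "=>", parse_policy(sample))
        except PolicyError as exc:
            print(sample, "=> rejected:", exc)
```

The empty field in ''esp/transport//require'' is the omitted src-dst pair; the parser only accepts that in transport mode, which is the check a hand-written policy most often gets wrong.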