Differences

This shows you the differences between two versions of the page.

--- docs:ipsec:policy [2013/09/27 12:39] – root
+++ docs:ipsec:policy [2013/09/27 12:57] (current) – root
@@ Line 2: / Line 2: @@
 ===== Policy Format =====
-Policy format for IPSec is **protocol / mode / src - dst [/level]**.
+Policy format is **__direction__ [__priority__ __specification__] __policy__**
+  * ''discard'' means that packets will be dropped if they match the policy.
+  * ''entrust'' means to consult the SPD defined by setkey(8).
+  * ''bypass'' means to bypass the IPsec processing.  (the packet will be transmitted in clear).  This is for privileged sockets.
+  * ''ipsec'' means that the matching packets are subject to IPsec processing.  ipsec can be followed by one or more **request** strings, which are formatted as below:
+===== Request Format =====
+Request format for IPSec is **__protocol__ / __mode__ / __src__ - __dst__ [/ __level__]**.
   * **protocol** is either ''ah'', ''esp'', or ''ipcomp''.
@@ Line 10: / Line 17: @@
 **level** must be set to one of the following: **default**, **use**, **require**, or **unique**.
-  *  * **default** means that the kernel should consult the system default policy defined by sysctl(8), such as net.inet.ipsec.esp_trans_deflev. See ipsec(4) regarding the system default.
+  * **default** means that the kernel should consult the system default policy defined by sysctl(8), such as net.inet.ipsec.esp_trans_deflev. See ipsec(4) regarding the system default.
   * **use** means that a relevant SA can be used when available, since the kernel may perform IPsec operation against packets when possible. In this case, packets can be transmitted in clear (when SA is not available), or encrypted (when SA is available).
   * **require** means that a relevant SA is required, since the kernel must perform IPsec operation against packets.