| IPSECIF(4) | Device Drivers Manual | IPSECIF(4) | 
ipsecif —
pseudo-device ipsecif
ipsecif interface is targeted for route-based VPNs.
  It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it
  with ESP.
ipsecif interfaces are dynamically created
    and destroyed with the
    ifconfig(8)
    create and destroy
    subcommands. The administrator must configure
    ipsecif tunnel endpoint addresses. These addresses
    will be used for the outer IP header of ESP packets. The administrator also
    configures the protocol and addresses for the inner IP header with the
    ifconfig(8)
    inet or inet6 subcommands,
    and modify the routing table to route the packets through the
    ipsecif interface.
The packet processing is similar to
    gif(4) over
    ipsec(4) transport mode,
    however the security policy management is different.
    gif(4) over
    ipsec(4) transport mode expects
    userland programs to manage their security policies. In contrast,
    ipsecif manages its security policies by itself:
    when the administrator sets up an ipsecif tunnel
    source and destination address pair, the related security policies are
    created automatically in the kernel. They are automatically deleted when the
    tunnel is destroyed.
It also means that ipsecif ensures that
    both the in and out security policy pairs exist, that is,
    ipsecif avoids the trouble caused when only one of
    the in and out security policy pair exists.
There are four security policies generated by
    ipsecif: one in and out pair for IPv4 and IPv6 each.
    These security policies are equivalent to the following
    ipsec.conf(5)
    configuration where src and dst are IP addresses specified to the
  tunnel:
spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique; spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique; spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique; spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;
The ipsecif configuration will fail if
    such security policies already exist, and vice versa.
The related security associates can be established by an IKE
    daemon such as racoon(8). They
    can also be manipulated manually by
    setkey(8) with the
    -u option which sets a security policy's unique
  id.
Some ifconfig(8)
    parameters change the behaviour of ipsecif. link0
    can enable NAT-Traversal, link1 can enable ECN friendly mode like
    gif(4), and link2 can enable
    forwarding inner IPv6 packets. Only link2 is set by default. If you use only
    IPv4 packets as inner packets, you would want to do
ifconfig ipsec0 -link2
to reduce security associates for IPv6 packets.
Out IP addr = 172.16.100.1            Out IP addr = 172.16.200.1
wm0 = 192.168.0.1/24                        wm0 = 192.168.0.2/24
wm1 = 10.100.0.1/24                          wm1 = 10.200.0.1/24
+------------+                                    +------------+
|  NetBSD_A  |                                    |  NetBSD_B  |
|------------|                                    |------------|
|  [ipsec0] - - - - - - - - (tunnel) - - - - - - - - [ipsec0]  |
|          [wm0]------------- ... --------------[wm0]          |
|            |                                    |            |
+---[wm1]----+                                    +----[wm1]---+
      |                                                  |
      |                                                  |
+------------+                                    +------------+
|   Host_X   |                                    |   Host_Y   |
+------------+                                    +------------+
Host_X and Host_Y will be able to communicate via an IPv4 IPsec tunnel.
On NetBSD_A:
# ifconfig wm0 inet 192.168.0.1/24 # ifconfig ipsec0 create # ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2 # ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1 start IKE daemon or set security associates manually. # ifconfig wm1 inet 10.100.0.1/24 # route add 10.200.0.1 172.16.100.1
On NetBSD_B:
# ifconfig wm0 inet 192.168.0.2/24 # ifconfig ipsec0 create # ifconfig ipsec0 tunnel 192.168.0.2 192.168.0.1 # ifconfig ipsec0 inet 172.16.200.1/32 172.16.100.1 start IKE daemon or set security associates manually. # ifconfig wm1 inet 10.200.0.1/24 # route add 10.100.0.1 172.16.200.1
ipsecif device first appeared in
  NetBSD 8.0.
ipsecif interface supports the ESP
  protocol only. ipsecif supports default port number
  (4500) only for NAT-Traversal.
| January 25, 2018 | NetBSD 10.1 |