Provided by: freebsd-manpages_6.2-1_all bug


     Fast IPsec - hardware-accelerated IP Security Protocols


     options FAST_IPSEC
     device crypto



     IPsec is a set of protocols, ESP (for Encapsulating Security Payload) AH
     (for Authentication Header), and IPComp (for IP Payload Compression
     Protocol) that provide security services for IP datagrams.  Fast IPsec is
     an experimental implementation of these protocols that uses the crypto(4)
     subsystem to carry out cryptographic operations.  This means, in
     particular, that cryptographic hardware devices are employed whenever
     possible to optimize the performance of these protocols.

     In general, the Fast IPsec implementation is intended to be compatible
     with the KAME IPsec implementation.  This documentation concentrates on
     differences from that software.  The user should refer to ipsec(4) for
     basic information on setting up and using these protocols.

     System configuration requires the crypto(4) subsystem.  When the Fast
     IPsec protocols are configured for use, all protocols are included in the
     system.  To selectively enable/disable protocols, use sysctl(8).

     The packets can be passed to a virtual interface, “enc0”, to perform
     packet filtering before outbound encryption and after decapsulation


     To be added.


     crypto(4), enc(4), ipsec(4), setkey(8), sysctl(8)


     The protocols draw heavily on the OpenBSD implementation of the IPsec
     protocols.  The policy management code is derived from the KAME
     implementation found in their IPsec protocols.  The Fast IPsec protocols
     first appeared in FreeBSD 5.0.


     There is presently no support for IPv6.

     The IPcomp protocol support does not work.

     Certain legacy authentication algorithms are not supported because of
     issues with the crypto(4) subsystem.

     This documentation is incomplete.