Provided by: freebsd-manpages_12.2-1_all bug


     if_ipsec — IPsec virtual tunneling interface


     The if_ipsec network interface is a part of the FreeBSD IPsec implementation.  To compile it
     into the kernel, place this line in the kernel configuration file:

           options IPSEC

     It can also be loaded as part of the ipsec kernel module if the kernel was compiled with

           options IPSEC_SUPPORT


     The if_ipsec network interface is targeted for creating route-based VPNs.  It can tunnel
     IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it with ESP.

     if_ipsec interfaces are dynamically created and destroyed with the ifconfig(8) create and
     destroy subcommands.  The administrator must configure IPsec tunnel endpoint addresses.
     These addresses will be used for the outer IP header of ESP packets.  The administrator can
     also configure the protocol and addresses for the inner IP header with ifconfig(8), and
     modify the routing table to route the packets through the if_ipsec interface.

     When the if_ipsec interface is configured, it automatically creates special security
     policies.  These policies can be used to acquire security associations from the IKE daemon,
     which are needed for establishing an IPsec tunnel.  It is also possible to create needed
     security associations manually with the setkey(8) utility.

     Each if_ipsec interface has an additional numeric configuration option reqid id.  This id is
     used to distinguish traffic and security policies between several if_ipsec interfaces.  The
     reqid can be specified on interface creation and changed later.  If not specified, it is
     automatically assigned.  Note that changing reqid will lead to generation of new security
     policies, and this may require creating new security associations.


     The example below shows manual configuration of an IPsec tunnel between two FreeBSD hosts.
     Host A has the IP address, and host B has the IP address

     On host A:

           ifconfig ipsec0 create reqid 100
           ifconfig ipsec0 inet tunnel
           ifconfig ipsec0 inet
           setkey -c
           add esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
           add esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";

     On host B:

           ifconfig ipsec0 create reqid 200
           ifconfig ipsec0 inet tunnel
           ifconfig ipsec0 inet
           setkey -c
           add esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
           add esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";

     Note the value 100 on host A and value 200 on host B are used as reqid.  The same value must
     be used as identifier of the policy entry in the setkey(8) command.


     gif(4), gre(4), ipsec(4), ifconfig(8), setkey(8)


     Andrey V. Elsukov <>