![[BACK]](/icons/back.gif){kind=icon}
Return to etherip.4 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / share / man / man4|
Return to etherip.4 CVS log | Up to [local] / src / share / man / man4 |
| File: [local] / src / share / man / man4 / etherip.4 (download)
Revision 1.6, Fri Jan 12 04:36:44 2018 UTC (6 years, 4 months ago) by deraadt
Adjust references for sysctl(3) to sysctl(2) |
.\" $OpenBSD: etherip.4,v 1.6 2018/01/12 04:36:44 deraadt Exp $
.\"
.\" Copyright (c) 2015 YASUOKA Masahiko <yasuoka@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" The following requests are required for all man pages.
.\"
.Dd $Mdocdate: January 12 2018 $
.Dt ETHERIP 4
.Os
.Sh NAME
.Nm etherip
.Nd EtherIP tunnel interface
.Sh SYNOPSIS
.Cd "pseudo-device etherip"
.Sh DESCRIPTION
The
.Nm
interface is a pseudo-device for tunnelling Ethernet frames across IP[46]
networks using RFC 3378 EtherIP encapsulation.
.Pp
An
.Nm
interface can be created using the
.Ic ifconfig etherip Ns Ar N Ic create
command or by setting up a
.Xr hostname.if 5
configuration file for
.Xr netstart 8 .
It must be configured with the addresses used for the outer header.
This can be done using
.Xr ifconfig 8 Ns 's
.Ic tunnel
command (which uses the
.Dv SIOCSLIFPHYADDR
ioctl).
.Pp
The
.Nm
interface must be made a member of a
.Xr bridge 4 .
The
.Xr sysctl 2
variable
.Dv net.inet.etherip.allow
must be set to 1, unless
.Xr ipsec 4
is being used to protect the traffic.
Ethernet frames are then encapsulated and sent across the network
to another
.Xr bridge 4 ,
which decapsulates the datagram and processes the resulting Ethernet
frame as if it had originated on a normal Ethernet interface.
This effectively allows a layer 2 network to be extended from one point to
another, possibly through the Internet.
This mechanism may be used in
conjunction with IPsec by specifying the appropriate IPsec flows
between the two bridges.
To only protect the bridge traffic between
the two bridges, the transport protocol 97 (etherip) selector may be
used in
.Xr ipsec.conf 5 .
Otherwise, the Ethernet frames will be sent in the clear between the
two bridges.
.Sh EXAMPLES
Given two physically separate Ethernet networks, a bridge can
be used as follows to make them appear as the same local area network.
If bridge1 on network1 has the external IP address 1.2.3.4 on em0,
bridge2 on network2 has the external IP address 4.3.2.1 on em0, and
both bridges have em1 on their internal network (network1 and network2,
respectively), the following configuration can be used to bridge
network1 and network2.
.Pp
First create the bridge interface,
adding the encapsulation interface and internal Ethernet interface
to the bridge interface:
.Bd -literal -offset indent
# ifconfig bridge0 add etherip0 add em1
.Ed
.Pp
Create and configure the etherip0 interface:
.Bd -literal -offset indent
(on bridge 1) # ifconfig etherip0 tunnel 1.2.3.4 4.3.2.1
(on bridge 2) # ifconfig etherip0 tunnel 4.3.2.1 1.2.3.4
.Ed
.Pp
Create Security Associations (SAs) between the external IP address of each
bridge and matching ingress flows by using the following
.Xr ipsec.conf 5
file on bridge1:
.Bd -literal -offset indent
esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \e
authkey file "auth1:auth2" enckey file "enc1:enc2"
flow esp proto etherip from 1.2.3.4 to 4.3.2.1
.Ed
.Pp
Now load these rules into the kernel by issuing the
.Xr ipsecctl 8
command:
.Bd -literal -offset indent
# ipsecctl -f ipsec.conf
.Ed
.Pp
Appropriate
.Xr ipsec.conf 5
for bridge2:
.Bd -literal -offset indent
esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \e
authkey file "auth2:auth1" enckey file "enc2:enc1"
flow esp proto etherip from 4.3.2.1 to 1.2.3.4
.Ed
.Pp
And load them:
.Bd -literal -offset indent
# ipsecctl -f ipsec.conf
.Ed
.Pp
To use dynamic (as opposed to static) keying,
use this
.Xr ipsec.conf 5
on bridge1:
.Bd -literal -offset indent
ike esp proto etherip from 1.2.3.4 to 4.3.2.1
.Ed
.Pp
And on bridge2:
.Bd -literal -offset indent
ike esp proto etherip from 4.3.2.1 to 1.2.3.4
.Ed
.Pp
Bring up the internal interface (if not already up) and encapsulation
interface:
.Bd -literal -offset indent
# ifconfig em1 up
# ifconfig etherip0 up
.Ed
.Pp
Finally, bring the bridge interface up and allow it to start processing
frames:
.Pp
.Dl # ifconfig bridge0 up
.Pp
The internal interface on each bridge need not have an IP
address: the bridge can function without it.
.Pp
Note: It is possible to put the above commands in the
.Xr hostname.if 5
files, using the
.Sq !\&
operator.
.Sh SEE ALSO
.Xr sysctl 2 ,
.Xr bridge 4 ,
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr ipsec 4 ,
.Xr hostname.if 5 ,
.Xr ifconfig 8 ,
.Xr netstart 8
.Sh STANDARDS
.Rs
.%A R. Housley
.%A S. Hollenbeck
.%D September 2002
.%R RFC 3378
.%T EtherIP: Tunneling Ethernet Frames in IP Datagrams
.Re
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 5.9 .
.Sh AUTHORS
The
.Nm
driver was written by
.An Kazuya Goda Aq Mt goda@openbsd.org .