| SEC(4) | Device Drivers Manual | SEC(4) |
NAME
sec — route-based IPsec VPN tunnel interface pseudo-device

SYNOPSIS
pseudo-device sec
DESCRIPTION
The sec driver provides point-to-point tunnel interfaces for IPv4 and IPv6
protected by the ipsec(4) Encapsulating Security Payload (ESP) protocol.
Traffic is encapsulated in the ESP protocol and forwarded to the remote
endpoint by routing over a sec interface rather than by matching policy in
the IPsec Security Policy Database (SPD).

sec interfaces require the configuration of IPsec Security Associations (SAs)
between the local and remote endpoints. Negotiation of interface SAs is
supported by iked(8) and isakmpd(8) (the latter via ipsecctl(8)).

sec interfaces can be created at runtime using the ifconfig secN create
command or by setting up a hostname.if(5) configuration file for netstart(8).
The interface itself can be configured with ifconfig(8); see its manual page
for more information.
EXAMPLES
sec can be used to provide secure and confidential IP connectivity between
sites over the public internet. For example, a cloud provider may provide
connectivity between networks they host for a customer and that customer's
own "on premises" networks using IPsec tunnels. OpenBSD can be set up on the
customer side given the following parameters:

Outside IP Addresses:
    Customer Gateway:    192.0.2.8
    Provider Gateway:    198.51.100.14
Inside IP Addresses:
    Customer Gateway:    169.254.229.42/30
    Provider Gateway:    169.254.229.41/30
A sec interface can be configured on the customer gateway:

# ifconfig sec0 create
# ifconfig sec0 inet 169.254.229.42/30 169.254.229.41
# ifconfig sec0 up
iked(8) can be used for IKEv2 negotiation of the IPsec tunnel with the
following iked.conf(5) configuration:

ikev2 "s2s" active \
    from any to any \
    local 192.0.2.8 peer 198.51.100.14 \
    psk "7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2" \
    iface sec0
Alternatively, IKEv1 negotiation of the IPsec tunnel SAs is supported by
isakmpd(8) and ipsecctl(8). The equivalent ipsec.conf(5) configuration for
the given parameters follows:

ike interface sec0 \
    local 192.0.2.8 peer 198.51.100.14 \
    psk "7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2"
Once the Security Associations are established, communication between the
customer and provider gateways is enabled. Routes to networks hosted by the
provider can be added using the provider's "inside IP" address
(169.254.229.41) as the gateway address, or negotiated using a dynamic
routing protocol. Multiple sec interfaces may be configured to talk to
separate provider gateways, providing redundancy or multiple paths between
sites.
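The manual page shows the tunnel being brought up by hand. The following
is an added, persistent version of the same setup for the customer gateway;
it is example configuration written for this page, not taken from the sec(4)
manual or the OpenBSD source tree. It uses the page's addresses and PSK and
adds three things a practitioner normally wants: a hostname.sec0 file so the
interface and a route survive reboot, explicit IKE SA and Child SA transforms
in iked.conf (the page relies on iked's defaults), and pf.conf rules that
admit IKE and ESP from the peer and filter tunnelled traffic on sec0. The
network 10.10.0.0/16 stands in for a provider-hosted network and is an
assumption, as is the choice of transforms.

```conf
# /etc/hostname.sec0 (hostname.if(5)); each line is passed to ifconfig(8),
# "!" lines are run as commands. Reboot-safe equivalent of the three ifconfig
# commands above plus a route to a provider-hosted network via the provider's
# inside address. 10.10.0.0/16 is an assumed example prefix.
inet 169.254.229.42/30 169.254.229.41
up
!route add -inet 10.10.0.0/16 169.254.229.41

# /etc/iked.conf (iked.conf(5)); same tunnel as the manual page, with the
# IKE SA and Child SA proposals pinned instead of left to iked's defaults.
# The transform choice is this example's, not the manual page's.
ikev2 "s2s" active esp \
    from any to any \
    local 192.0.2.8 peer 198.51.100.14 \
    ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group curve25519 \
    childsa enc aes-256-gcm group curve25519 \
    psk "7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2" \
    iface sec0

# /etc/pf.conf (pf.conf(5)) fragment; the "egress" group is the default
# interface group for interfaces carrying the default route. IKE runs over
# UDP 500 (isakmp) and, behind NAT, UDP 4500 (ipsec-nat-t); the tunnel
# itself is ESP. Traffic inside the tunnel is filtered on sec0 like any
# other interface, so policy for the remote networks belongs there.
pass in on egress inet proto udp from 198.51.100.14 to (egress) port { isakmp, ipsec-nat-t }
pass in on egress inet proto esp from 198.51.100.14 to (egress)
pass on sec0
```

After `sh /etc/netstart sec0` and `rcctl enable iked; rcctl start iked`,
`ikectl show sa` lists the IKE SAs and `ipsecctl -sa` the ESP SAs bound to
sec0; until those appear, packets routed over sec0 are dropped rather than
sent in the clear, which is the property that distinguishes route-based
tunnels from relying on SPD policy. The PSK is kept here because the manual
page uses one; iked(8) also supports certificate and public-key
authentication, which is preferable for anything beyond a lab.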
SEE ALSO
ipsec(4), netintro(4), hostname.if(5), pf.conf(5), ifconfig(8), iked(8),
ipsecctl(8), isakmpd(8), netstart(8)
HISTORY
The sec driver first appeared in OpenBSD 7.4.

AUTHORS
David Gwynne <dlg@openbsd.org>.
| September 20, 2024 | openbsd |