The kernel implements experimental policy management code. You can manage the IPsec policy in two ways. One is to configure per-socket policy using setsockopt(2). The other is to configure kernel packet filter-based policy using the PF_KEY interface, via setkey(8). In both cases, IPsec policy must be specified with the syntax described in ipsec_set_policy(3).
With setsockopt(2), you can define IPsec policy on a per-socket basis, enforcing a particular IPsec policy on the packets that go through a particular socket. With setkey(8) you can define IPsec policy against packets using a kind of packet filtering rule. Refer to setkey(8) on how to use it.
In the latter case, the “default” policy is allowed for use with setkey(8). By configuring a policy as default, you refer to the system-wide sysctl(8) variables for the default settings. The following variables are available. A value of 1 means “use”, and 2 means “require”, in the syntax of ipsec_set_policy(3).
Name                                  Type      Changeable
net.inet.ipsec.esp_trans_deflev       integer   yes
net.inet.ipsec.esp_net_deflev         integer   yes
net.inet.ipsec.ah_trans_deflev        integer   yes
net.inet.ipsec.ah_net_deflev          integer   yes
net.inet6.ipsec6.esp_trans_deflev     integer   yes
net.inet6.ipsec6.esp_net_deflev       integer   yes
net.inet6.ipsec6.ah_trans_deflev      integer   yes
net.inet6.ipsec6.ah_net_deflev        integer   yes
If the kernel finds no matching policy, the system-wide default value is applied. The system-wide default is specified by the following sysctl(8) variables. 0 means “discard”, which asks the kernel to drop the packet. 1 means “none”, which lets the packet through without IPsec processing.
Name                                  Type      Changeable
net.inet.ipsec.def_policy             integer   yes
net.inet6.ipsec6.def_policy           integer   yes
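The two sets of variables above decide what happens to traffic that relies on “default”-level policies and to traffic that matches no policy at all. The following audit helper is an added example, not part of ipsec(4) or any of the tools it references: it reads sysctl(8) output (captured text in “name: value” or “name = value” form, as FreeBSD and NetBSD print it) and flags every variable whose value leaves packets without IPsec protection.

```sh
#!/bin/sh
# Added audit helper, not part of ipsec(4): evaluate the sysctl(8) variables
# this page lists and report which settings leave traffic without IPsec.
# Input is sysctl(8) output in "name: value" or "name = value" form, passed as
# the first argument or on stdin, e.g.:
#   sysctl net.inet.ipsec net.inet6.ipsec6 | audit_ipsec_defaults

# Extract one variable's value from captured sysctl output.
sysctl_value() {  # $1 = captured output, $2 = variable name
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # quote the dots for sed
    printf '%s\n' "$1" | sed -n "s/^$pat *[:=] *//p" | head -n 1
}

# Returns 0 when every variable is at its strict setting, 1 otherwise.
audit_ipsec_defaults() {  # $1 = captured output (reads stdin if omitted)
    out=${1:-$(cat)} rc=0
    # def_policy applies when no SPD entry matches: 0 = discard, 1 = none
    for v in net.inet.ipsec.def_policy net.inet6.ipsec6.def_policy; do
        case $(sysctl_value "$out" "$v") in
            0) echo "ok    $v=0 (unmatched packets are discarded)" ;;
            1) echo "WEAK  $v=1 (unmatched packets pass without IPsec)"; rc=1 ;;
            *) echo "?     $v not present in input"; rc=1 ;;
        esac
    done
    # *_deflev gives the meaning of a "default"-level policy: 1 = use, 2 = require
    for v in net.inet.ipsec.esp_trans_deflev net.inet.ipsec.esp_net_deflev \
             net.inet.ipsec.ah_trans_deflev net.inet.ipsec.ah_net_deflev \
             net.inet6.ipsec6.esp_trans_deflev net.inet6.ipsec6.esp_net_deflev \
             net.inet6.ipsec6.ah_trans_deflev net.inet6.ipsec6.ah_net_deflev; do
        case $(sysctl_value "$out" "$v") in
            2) echo "ok    $v=2 (default level is require)" ;;
            1) echo "WEAK  $v=1 (default level is use: IPsec only if an SA exists)"; rc=1 ;;
            *) echo "?     $v not present in input"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it against live values with `sysctl net.inet.ipsec net.inet6.ipsec6 | audit_ipsec_defaults`; a non-zero exit status means at least one variable is at a setting that passes packets in the clear.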