Scroll to navigation

if_ipsec(4) Device Drivers Manual if_ipsec(4)


if_ipsecIPsec virtual tunneling interface


The if_ipsec network interface is a part of the FreeBSD IPsec implementation. To compile it into the kernel, place this line in the kernel configuration file:

options IPSEC

It can also be loaded as part of the ipsec kernel module if the kernel was compiled with



The if_ipsec network interface is targeted for creating route-based VPNs. It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure it with ESP.

if_ipsec interfaces are dynamically created and destroyed with the ifconfig(8) create and destroy subcommands. The administrator must configure IPsec tunnel endpoint addresses. These addresses will be used for the outer IP header of ESP packets. The administrator can also configure the protocol and addresses for the inner IP header with ifconfig(8), and modify the routing table to route the packets through the if_ipsec interface.

When the if_ipsec interface is configured, it automatically creates special security policies. These policies can be used to acquire security associations from the IKE daemon, which are needed for establishing an IPsec tunnel. It is also possible to create needed security associations manually with the setkey(8) utility.

Each if_ipsec interface has an additional numeric configuration option reqid id. This id is used to distinguish traffic and security policies between several if_ipsec interfaces. The reqid can be specified on interface creation and changed later. If not specified, it is automatically assigned. Note that changing reqid will lead to generation of new security policies, and this may require creating new security associations.


The example below shows manual configuration of an IPsec tunnel between two FreeBSD hosts. Host A has the IP address, and host B has the IP address

On host A:

ifconfig ipsec0 create reqid 100
ifconfig ipsec0 inet tunnel
ifconfig ipsec0 inet
setkey -c
add esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
add esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";

On host B:

ifconfig ipsec0 create reqid 200
ifconfig ipsec0 inet tunnel
ifconfig ipsec0 inet
setkey -c
add esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
add esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";

Note the value 100 on host A and value 200 on host B are used as reqid. The same value must be used as identifier of the policy entry in the setkey(8) command.


gif(4), gre(4), ipsec(4), ifconfig(8), setkey(8)


Andrey V. Elsukov <>

February 6, 2017 Debian