|ETHERIP(4)||Device Drivers Manual||ETHERIP(4)|
etheripinterface is a pseudo-device for tunnelling Ethernet frames across IP networks using RFC 3378 EtherIP encapsulation.
etherip interface can be created using
create command or by setting up a
hostname.if(5) configuration file
for netstart(8). It must be configured
with the addresses used for the outer header. This can be done using
tunnel command (which uses the
etherip interface must be made a
member of a bridge(4). The
net.inet.etherip.allow must be set to 1, unless
ipsec(4) is being used to protect the
traffic. Ethernet frames are then encapsulated and sent across the network
to another bridge(4), which decapsulates
the datagram and processes the resulting Ethernet frame as if it had
originated on a normal Ethernet interface. This effectively allows a layer 2
network to be extended from one point to another, possibly through the
Internet. This mechanism may be used in conjunction with IPsec by specifying
the appropriate IPsec flows between the two bridges. To only protect the
bridge traffic between the two bridges, the transport protocol 97 (etherip)
selector may be used in
ipsec.conf(5). Otherwise, the
Ethernet frames will be sent in the clear between the two bridges.
First create the bridge interface, adding the encapsulation interface and internal Ethernet interface to the bridge interface:
# ifconfig bridge0 add etherip0 add em1
Create and configure the etherip0 interface:
(on bridge 1) # ifconfig etherip0 tunnel 18.104.22.168 22.214.171.124 (on bridge 2) # ifconfig etherip0 tunnel 126.96.36.199 188.8.131.52
Create Security Associations (SAs) between the external IP address of each bridge and matching ingress flows by using the following ipsec.conf(5) file on bridge1:
esp from 184.108.40.206 to 220.127.116.11 spi 0x4242:0x4243 \ authkey file "auth1:auth2" enckey file "enc1:enc2" flow esp proto etherip from 18.104.22.168 to 22.214.171.124
Now load these rules into the kernel by issuing the ipsecctl(8) command:
# ipsecctl -f ipsec.conf
Appropriate ipsec.conf(5) for bridge2:
esp from 126.96.36.199 to 188.8.131.52 spi 0x4243:0x4242 \ authkey file "auth2:auth1" enckey file "enc2:enc1" flow esp proto etherip from 184.108.40.206 to 220.127.116.11
And load them:
# ipsecctl -f ipsec.conf
To use dynamic (as opposed to static) keying, use this ipsec.conf(5) on bridge1:
ike esp proto etherip from 18.104.22.168 to 22.214.171.124
And on bridge2:
ike esp proto etherip from 126.96.36.199 to 188.8.131.52
Bring up the internal interface (if not already up) and encapsulation interface:
# ifconfig em1 up # ifconfig etherip0 up
Finally, bring the bridge interface up and allow it to start processing frames:
# ifconfig bridge0 up
The internal interface on each bridge need not have an IP address: the bridge can function without it.
Note: It is possible to put the above commands in the hostname.if(5) files, using the ‘!’ operator.sysctl(2), bridge(4), inet(4), inet6(4), ipsec(4), hostname.if(5), ifconfig(8), netstart(8) R. Housley and S. Hollenbeck, EtherIP: Tunneling Ethernet Frames in IP Datagrams, RFC 3378, September 2002.
etheripdevice first appeared in OpenBSD 5.9.
etheripdriver was written by Kazuya Goda <firstname.lastname@example.org>.
|January 12, 2018||OpenBSD-current|