ETHERIP(4)	       FreeBSD Kernel Interfaces Manual		    ETHERIP(4)

NAME
     etherip -- EtherIP tunnel interface

SYNOPSIS
     pseudo-device etherip

DESCRIPTION
     The etherip interface is a pseudo-device for tunnelling Ethernet frames
     across IP[46] networks using RFC 3378 EtherIP encapsulation.

     An etherip interface can be created using the ifconfig etheripN create
     command or by setting up a hostname.if(5) configuration file for
     netstart(8).  It must be configured with the addresses used for the outer
     header.  This can be done using ifconfig(8)'s tunnel command (which uses
     the SIOCSLIFPHYADDR ioctl).

     The etherip interface must be made a member of a bridge(4).  The
     sysctl(2) variable net.inet.etherip.allow must be set to 1, unless
     ipsec(4) is being used to protect the traffic.  Ethernet frames are then
     encapsulated and sent across the network to another bridge(4), which
     decapsulates the datagram and processes the resulting Ethernet frame as
     if it had originated on a normal Ethernet interface.  This effectively
     allows a layer 2 network to be extended from one point to another,
     possibly through the Internet.  This mechanism may be used in conjunction
     with IPsec by specifying the appropriate IPsec flows between the two
     bridges.  To only protect the bridge traffic between the two bridges, the
     transport protocol 97 (etherip) selector may be used in ipsec.conf(5).
     Otherwise, the Ethernet frames will be sent in the clear between the two
     bridges.

EXAMPLES
     Given two physically separate Ethernet networks, a bridge can be used as
     follows to make them appear as the same local area network.  If bridge1
     on network1 has the external IP address 1.2.3.4 on em0, bridge2 on
     network2 has the external IP address 4.3.2.1 on em0, and both bridges
     have em1 on their internal network (network1 and network2, respectively),
     the following configuration can be used to bridge network1 and network2.

     First create the bridge interface, adding the encapsulation interface and
     internal Ethernet interface to the bridge interface:

	   # ifconfig bridge0 add etherip0 add em1

     Create and configure the etherip0 interface:

	   (on bridge 1) # ifconfig etherip0 tunnel 1.2.3.4 4.3.2.1
	   (on bridge 2) # ifconfig etherip0 tunnel 4.3.2.1 1.2.3.4

     Create Security Associations (SAs) between the external IP address of
     each bridge and matching ingress flows by using the following
     ipsec.conf(5) file on bridge1:

	   esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \
		   authkey file "auth1:auth2" enckey file "enc1:enc2"
	   flow esp proto etherip from 1.2.3.4 to 4.3.2.1

     Now load these rules into the kernel by issuing the ipsecctl(8) command:

	   # ipsecctl -f ipsec.conf

     Appropriate ipsec.conf(5) for bridge2:

	   esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \
		   authkey file "auth2:auth1" enckey file "enc2:enc1"
	   flow esp proto etherip from 4.3.2.1 to 1.2.3.4

     And load them:

	   # ipsecctl -f ipsec.conf

     To use dynamic (as opposed to static) keying, use this ipsec.conf(5) on
     bridge1:

	   ike esp proto etherip from 1.2.3.4 to 4.3.2.1

     And on bridge2:

	   ike esp proto etherip from 4.3.2.1 to 1.2.3.4

     Bring up the internal interface (if not already up) and encapsulation
     interface:

	   # ifconfig em1 up
	   # ifconfig etherip0 up

     Finally, bring the bridge interface up and allow it to start processing
     frames:

	   # ifconfig bridge0 up

     The internal interface on each bridge need not have an IP address: the
     bridge can function without it.

     Note:  It is possible to put the above commands in the hostname.if(5)
     files, using the `!' operator.
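
     The DESCRIPTION ties net.inet.etherip.allow to whether ipsec(4) protects
     the tunnel.  The script below is an added example, not part of the manual
     page: it classifies a tunnel from the sysctl value and an ipsec.conf(5)
     file.  The function names, result labels and comment handling are
     assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the manual page: report whether EtherIP traffic
# from LOCAL to PEER is covered by an ipsec.conf(5) rule. ALLOW is the value
# of net.inet.etherip.allow, passed in so the check runs offline.

# Print flow/ike rules in FILE selecting "proto etherip" from LOCAL to PEER.
# Simplification: '#' always starts a comment; a trailing '\' joins lines.
etherip_rules() {   # FILE LOCAL PEER
    sed -e 's/#.*$//' "$1" | awk -v l="$2" -v p="$3" '
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        {
            line = buf $0; buf = ""
            gsub(/[ \t]+/, " ", line); sub(/^ /, "", line)
            if (line ~ /^(flow|ike) / && index(line, " proto etherip ") &&
                index(line " ", " from " l " to " p " "))
                print line
        }'
}

# Result: ipsec-only | ipsec-allow-unneeded | cleartext | unconfigured
etherip_posture() { # ALLOW FILE LOCAL PEER
    if [ -n "$(etherip_rules "$2" "$3" "$4")" ]; then
        if [ "$1" = 1 ]; then echo ipsec-allow-unneeded; else echo ipsec-only; fi
    elif [ "$1" = 1 ]; then
        echo cleartext      # frames cross the network unprotected
    else
        echo unconfigured   # neither allow=1 nor an IPsec rule for etherip
    fi
}

# Constructed sample: the bridge1 ipsec.conf from the EXAMPLES section.
sample_conf() {
    cat <<'EOF'
# static keying, bridge1
esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \
        authkey file "auth1:auth2" enckey file "enc1:enc2"
flow esp proto etherip from 1.2.3.4 to 4.3.2.1
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
for allow in 0 1; do
    echo "allow=$allow: $(etherip_posture "$allow" "$conf" 1.2.3.4 4.3.2.1)"
done
rm -f "$conf"
```

     On a live host the first argument would come from
     sysctl -n net.inet.etherip.allow.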

SEE ALSO
     sysctl(2), bridge(4), inet(4), inet6(4), ipsec(4), hostname.if(5),
     ifconfig(8), netstart(8)

STANDARDS
     R. Housley and S. Hollenbeck, EtherIP: Tunneling Ethernet Frames in IP
     Datagrams, RFC 3378, September 2002.

HISTORY
     The etherip device first appeared in OpenBSD 5.9.

AUTHORS
     The etherip driver was written by Kazuya Goda <goda@openbsd.org>.

FreeBSD	13.0		       January 12, 2018			  FreeBSD 13.0
