author: Stefan Sperling <stsp@cvs.openbsd.org> 2018-04-17 12:13:30 +0000
committer: Stefan Sperling <stsp@cvs.openbsd.org> 2018-04-17 12:13:30 +0000
commit: e9b624a0e00c6900186abd21829d7403e4399258
tree: 9b8b85f978f360f03a3ef065267043f820572359
parent: 3450241520055cbb4f2b805a094d807b7b39240f
Document how to avoid isakmpd(8) source IP address pitfalls by using
the Listen-on directive in isakmpd.conf(5). This directive can be necessary in multi-homed situations, and if isakmpd(8) is used with carp(4). ok sthen@ mpi@
-rw-r--r-- sbin/ipsecctl/ipsec.conf.5 | 15
-rw-r--r-- sbin/isakmpd/isakmpd.8 | 17
-rw-r--r-- sbin/isakmpd/isakmpd.conf.5 | 7
3 files changed, 30 insertions, 9 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 44b675ef0c2..77eecc19d00 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.154 2017/11/23 20:49:38 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.155 2018/04/17 12:13:29 stsp Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 23 2017 $
+.Dd $Mdocdate: April 17 2018 $
.Dt IPSEC.CONF 5
.Os
.Sh NAME
@@ -288,7 +288,16 @@ The
.Ic local
parameter specifies the address or FQDN of the local endpoint.
Unless we are multi-homed or have aliases,
-this option is generally not needed.
+this parameter is generally not needed.
+This parameter does not affect the set of IP addresses
+.Xr isakmpd 8
+will listen on and send packets from.
+The
+.Em Listen-on
+directive in
+.Xr isakmpd.conf 5
+should additionally be used to ensure that the local endpoint will
+send IKE messages with an appropriate source IP address.
.Pp
The
.Ic peer
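Review bot: The new sentence "The Listen-on directive in isakmpd.conf(5) should additionally be used ..." reads as unconditional advice, while the sentence just before it scopes the `local` parameter to hosts that are multi-homed or have aliases; consider opening it with "In those setups," (or "On multi-homed hosts,") so a reader with a single address does not conclude that Listen-on is always required. The `.Em Listen-on` markup is consistent with the `.It Em` keyword style used in isakmpd.conf(5), so no change needed there.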
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index c2727497e88..50bdcb27fb7 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.119 2017/11/23 20:49:38 jmc Exp $
+.\" $OpenBSD: isakmpd.8,v 1.120 2018/04/17 12:13:29 stsp Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -30,7 +30,7 @@
.\"
.\" Manual page, using -mandoc macros
.\"
-.Dd $Mdocdate: November 23 2017 $
+.Dd $Mdocdate: April 17 2018 $
.Dt ISAKMPD 8
.Os
.Sh NAME
@@ -806,8 +806,17 @@ It is not possible to change the interfaces
.Nm
listens on without a restart.
.Pp
-For redundant setups,
+For redundant setups with
+.Xr carp 4
+and
+.Xr sasyncd 8 ,
.Xr sasyncd 8
must be manually restarted every time
.Nm
-is restarted.
+is restarted, and
+.Xr isakmpd.conf 5
+must explicitly configure
+.Nm
+to listen on the virtual IP address of each
+.Xr carp 4
+interface.
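Review bot: The rewritten sentence now reads "For redundant setups with carp(4) and sasyncd(8), sasyncd(8) must be manually restarted ...", naming sasyncd(8) twice back to back; consider dropping the first mention ("For redundant setups with carp(4), sasyncd(8) must be manually restarted ...") so the sentence does not stutter. The new clause requiring isakmpd.conf(5) to list each carp(4) virtual IP would also be easier to act on if it named the directive, e.g. "via the Listen-on directive", since that is the mechanism this same commit documents in isakmpd.conf.5.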
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 667ff387d65..c836efc7ca9 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.134 2017/10/27 08:29:32 mpi Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.135 2018/04/17 12:13:29 stsp Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -28,7 +28,7 @@
.\"
.\" Manual page, using -mandoc macros
.\"
-.Dd $Mdocdate: October 27 2017 $
+.Dd $Mdocdate: April 17 2018 $
.Dt ISAKMPD.CONF 5
.Os
.Sh NAME
@@ -221,6 +221,9 @@ This list is used as a filter for the set of addresses the interfaces
configured provides.
This means that we won't see if an address given here does not exist
on this host, and thus no error is given for that case.
+On multi-homed systems, this parameter can be used to enforce the
+use of particular source IP addresses in packets sent by
+.Xr isakmpd 8 .
.It Em Loglevel
A list of the form
.Ar class Ns = Ns Ar level ,
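Review bot: The added paragraph says when Listen-on matters on multi-homed hosts but does not point back to ipsec.conf(5), even though the ipsec.conf.5 hunk in this commit sends readers of the `local` parameter here; an `.Xr ipsec.conf 5` cross-reference would close that loop. Since the preceding context states that addresses not present on the host are silently ignored, a short reminder that each listed address must actually be configured on the host (such as a carp(4) virtual IP) would also keep the word "enforce" from overpromising.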