author | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-06-03 16:57:41 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-06-03 16:57:41 +0000 |
commit | 934310061b7903133b0ed3d4ff1350c65c81fe7c | |
tree | 45d38d7830a121a8493f1d38ebcace76912e5d49 | |
parent | eefe654ae4f06f0978590339d937fcd397ae7e5a | |
update the manpages for isakmpd(8) and ipsec.conf(5) to point to iked(8)
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8)
is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8)
and not worked on, but maybe in the future - I want to get IKEv2 support
first done right. So keep on using isakmpd(8) for IKEv1 for now...
ok deraadt@
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 14 |
-rw-r--r-- | sbin/isakmpd/isakmpd.8 | 25 |
2 files changed, 30 insertions, 9 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index c291aa66faa..f3355c4c32e 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.124 2010/01/02 20:15:15 schwarze Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.125 2010/06/03 16:57:40 reyk Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 2 2010 $ +.Dd $Mdocdate: June 3 2010 $ .Dt IPSEC.CONF 5 .Os .Sh NAME @@ -159,7 +159,11 @@ include "/etc/macros.conf" In this scenario, .Nm is used to set up flows and SAs automatically using -.Xr isakmpd 8 . +.Xr isakmpd 8 +with the ISAKMP/Oakley a.k.a. IKEv1 protocol. +To configure automatic keying using the IKEv2 protocol, see +.Xr iked.conf 5 +instead. Some examples of setting up automatic keying: .Bd -literal -offset 3n # Set up a VPN: @@ -178,7 +182,7 @@ The commands are as follows: .Op Ar tmode .Xc .Ar mode -specifies the IKE mode to use: +specifies the IKEv1 mode to use: one of .Ar passive , .Ar active , @@ -264,7 +268,7 @@ Host addresses are parsed as type .Dq IPV4_ADDR ; adding the suffix /32 will change the type to .Dq IPV4_ADDR_SUBNET , -which can improve interoperability with some IKE implementations. +which can improve interoperability with some IKEv1 implementations. .Pp The optional .Ic port diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8 index 4aaaf4bc4b8..6244a41eb70 100644 --- a/sbin/isakmpd/isakmpd.8 +++ b/sbin/isakmpd/isakmpd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.8,v 1.105 2010/01/03 16:43:45 schwarze Exp $ +.\" $OpenBSD: isakmpd.8,v 1.106 2010/06/03 16:57:40 reyk Exp $ .\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $ .\" .\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. 
@@ -30,12 +30,12 @@ .\" .\" Manual page, using -mandoc macros .\" -.Dd $Mdocdate: January 3 2010 $ +.Dd $Mdocdate: June 3 2010 $ .Dt ISAKMPD 8 .Os .Sh NAME .Nm isakmpd -.Nd ISAKMP/Oakley a.k.a. IKE key management daemon +.Nd ISAKMP/Oakley a.k.a. IKEv1 key management daemon .Sh SYNOPSIS .Nm isakmpd .Bk -words @@ -68,6 +68,17 @@ file format. A newer, much simpler format is now available: .Xr ipsec.conf 5 . .Pp +.Nm +implements the IKEv1 protocol which is defined in the standards +ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407). +The IKEv2 protocol, +as defined in RFC 4306, +is not supported by +.Nm ; +but by +.Xr iked 8 +instead. +.Pp The way .Nm goes about its work is by maintaining an internal configuration @@ -87,7 +98,7 @@ The ability to provide redundancy is made available through .Xr carp 4 and .Xr sasyncd 8 . -For other uses, some more knowledge of IKE as a protocol is required. +For other uses, some more knowledge of IKEv1 as a protocol is required. The RFCs mentioned below are a possible starting point. .Pp On startup @@ -816,3 +827,9 @@ For redundant setups, must be manually restarted every time .Nm is restarted. +.Pp +The IKEv2 protocol is not supported by +.Nm ; +but by +.Xr iked 8 +instead. |
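Review bot: In sbin/ipsecctl/ipsec.conf.5, hunk @@ -159,7 +159,11 @@, the new body text cross-references `.Xr iked.conf 5`, but none of the visible hunks touches the SEE ALSO section of that page. If it is not already listed there, add `.Xr iked.conf 5` (and `.Xr iked 8`) to SEE ALSO so that a reader who skips the automatic keying section still finds the IKEv2 daemon.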
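Review bot: In sbin/isakmpd/isakmpd.8, hunk @@ -68,6 +68,17 @@, the added `.Nm ;` followed by `but by` renders as "is not supported by isakmpd; but by iked(8) instead", which leaves a fragment after the semicolon. Use a comma (`.Nm ,`) so the sentence reads as one clause, or split it into two sentences with the second starting on its own input line.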
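Review bot: In sbin/isakmpd/isakmpd.8, hunk @@ -816,3 +827,9 @@, the paragraph appended at the end of the page repeats the IKEv2 sentence already added in hunk @@ -68,6 +68,17 @@, with the same `.Nm ;` / `but by` punctuation but without the RFC 4306 reference. Keep one authoritative statement and have the other refer to it, or at least make the two wordings identical, so a later edit cannot leave them out of sync.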