authorStuart Henderson <sthen@cvs.openbsd.org>2023-03-06 13:57:46 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2023-03-06 13:57:46 +0000
commitae0c68e8b375aa68038abe5bdf446243f1267420 (patch)
tree9ef009112a6ee4aa70c2d0d3abce94914fa843b6 /etc
parente04e9ca36a3471af7b5f648db567287d28b61173 (diff)
tweak examples/iked.conf bits a little further following comments by
aisha@ and Crystal Kolipe, ok aisha@ tobhe@
Diffstat (limited to 'etc')
-rw-r--r--etc/examples/iked.conf17
1 files changed, 13 insertions, 4 deletions
diff --git a/etc/examples/iked.conf b/etc/examples/iked.conf
index 280c70393e0..d89cd190283 100644
--- a/etc/examples/iked.conf
+++ b/etc/examples/iked.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: iked.conf,v 1.2 2023/03/01 22:45:25 sthen Exp $
+# $OpenBSD: iked.conf,v 1.3 2023/03/06 13:57:45 sthen Exp $
#
# See iked.conf(5) for syntax and examples.
@@ -8,7 +8,10 @@
# Configuration for clients connecting with EAP authentication
# and sending all traffic over the IKEv2 tunnel.
-# Remember to set up a PKI, see ikectl(8) for more information.
+#
+# EAP requires a server certificate; see ikectl(8) for more details
+# on generating this with an iked-specific local CA.
+#
#ikev2 "eapclient" passive esp \
# from any to dynamic \
# local any peer any \
@@ -17,10 +20,16 @@
# config name-server 10.1.0.2 \
# tag "$name-$id"
-# Configuration for a client authenticating with a pre-shared key.
+# Configuration for a client authenticating with a pre-shared key,
+# mostly useful for LAN-to-LAN tunnels between static IP endpoints.
+#
+# For iked->iked tunnels you can use a simple config using public
+# keys instead - omit psk and copy /etc/iked/local.pub on each side to
+# /etc/iked/pubkeys/ipv4/<address> on the other.
+#
#ikev2 esp \
# from 10.3.0.0/24 to 10.1.0.0/24 \
# from 10.5.0.0/24 to 10.1.0.0/24 \
# from 10.5.0.0/24 to 172.16.1.0/24 \
# local 192.168.1.1 peer 192.168.2.1 \
-# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"
+# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me"
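Review bot: The psk line at the end of the hunk still shows a plausible-looking 50-character key, and the appended `-replace-me` says to change it without saying what a correct replacement looks like; the comment block above `#ikev2 esp \` could add `# The psk must be a long, freshly generated random secret that is identical on both peers and not shared with any other tunnel.` The new public-key paragraph describes a file that becomes the trust anchor for that peer, so it is worth adding `# Copy local.pub over a channel whose integrity you trust: whoever can replace the file under pubkeys/ can authenticate as that peer.` Both are comment-only changes to the example. The hunk header counts one more line on each side than is visible here, so its trailing context line appears to fall outside this rendering.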