author | Jason McIntyre <jmc@cvs.openbsd.org> | 2008-02-12 06:12:26 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2008-02-12 06:12:26 +0000 |
commit | 5521edf57bcc1cb3cbc103e85954f06a0eb3f9b4 (patch) | |
tree | 274c39a9c95f1d5b827979652c0c418a425d3dc1 /sbin/ipsecctl/ipsec.conf.5 | |
parent | 01f712fe6edc60427d05fe204fef050ffc1f5368 (diff) |
document modifier types; requested by Aurelien
text from ipsecadm(8), hshoexer, and myself
Diffstat (limited to 'sbin/ipsecctl/ipsec.conf.5')
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 42 |
1 files changed, 28 insertions, 14 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index 57b45298ed0..5f421970be3 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.115 2007/09/17 15:53:00 sthen Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.116 2008/02/12 06:12:25 jmc Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 17 2007 $ +.Dd $Mdocdate: February 12 2008 $ .Dt IPSEC.CONF 5 .Os .Sh NAME @@ -690,21 +690,35 @@ the .Ic peer specification can be left out. .It Ic type Ar modifier -This optional parameter sets up special flows using the modifiers -.Ar require , -.Ar use , -.Ar acquire , -.Ar dontacq , -.Ar bypass -or -.Ar deny . -A bypass flow is used to specify a flow for which security processing -will be bypassed: matching packets will not be processed by any other -flows and handled in normal operation. -A deny flow is used to drop any matching packets. +This optional parameter sets up special flows using modifiers. By default, .Xr ipsecctl 8 will automatically set up normal flows with the corresponding type. +.Ar modifier +may be one of the following: +.Pp +.Bl -tag -width "acquireXX" -offset indent -compact +.It acquire +Use IPsec and establish SAs dynamically. +Unencrypted traffic is permitted until it is protected by IPsec. +.It bypass +Matching packets are not processed by IPsec. +.It deny +Matching packets are dropped. +.It dontacq +Use IPsec. +If no SAs are available, +does not trigger +.Xr isakmpd 8 . +.It require +Use IPsec and establish SAs dynamically. +Unencrypted traffic is not permitted until it is protected by IPsec. +.It use +Use IPsec. +Unencrypted traffic is permitted. +Does not trigger +.Xr isakmpd 8 . +.El .El .Sh MANUAL SECURITY ASSOCIATIONS (SAs) In this scenario, |
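Review bot: In the third hunk's new modifier list, the dontacq entry never says whether unencrypted traffic is permitted while no SAs are available. That is the property the neighbouring entries use to distinguish themselves: use has "Unencrypted traffic is permitted." and require has "Unencrypted traffic is not permitted until it is protected by IPsec." Because it decides whether a matching flow fails open or fails closed, please state it for dontacq in the same wording as the other entries. In the same entry, "If no SAs are available, does not trigger" followed by ".Xr isakmpd 8 ." has no subject; something like "isakmpd(8) is not triggered" would read better, and the same applies to the last sentence under use. The bypass entry also loses the removed text's point that matching packets "will not be processed by any other flows and handled in normal operation"; "not processed by IPsec" is shorter, but it no longer tells the reader that a bypass flow takes precedence over other flows, so consider keeping that clause. Finally, the retained "By default ... normal flows with the corresponding type" sentence now sits directly above the list without naming which listed modifier the default corresponds to.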