diff options
author | Jason McIntyre <jmc@cvs.openbsd.org> | 2006-09-29 10:51:28 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2006-09-29 10:51:28 +0000 |
commit | 12a1af1da6d5e0f93539d7d6c8838476493c0d29 (patch) | |
tree | c109d63b576df4bfdee653b5276817023061ac3c /sbin/ipsecctl | |
parent | 2899cbc5a564056b607117cfa1b715f75335bf91 (diff) |
make it clearer what needs to be run, and how; push manual keying down
the list; move the rc stuff from ipsecctl to ipsec.conf;
ok hshoexer
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 40 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.8 | 21 |
2 files changed, 31 insertions, 30 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index de7ceb1af4d..d3f31793d19 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.99 2006/09/26 22:03:44 jmc Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.100 2006/09/29 10:51:27 jmc Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -50,9 +50,6 @@ are established, which detail how the desired protection will be achieved. IPsec uses flows to determine whether to apply security services to an IP packet or not. -Flows and SAs can be loaded, viewed, and modified using the -.Xr ipsecctl 8 -utility. .Pp Generally speaking an automated keying daemon, @@ -75,19 +72,42 @@ section of .Xr isakmpd 8 for information on the types of authentication available, and the procedures for setting them up. -After that it's simply a case of running the daemon. -Note that -.Xr isakmpd 8 -will probably need to be run with at least the +.Pp +The keying daemon, +.Xr isakmpd 8 , +can be enabled to run at boot time via the +.Va isakmpd_flags +variable in +.Xr rc.conf.local 8 . +Note that it will probably need to be run with at least the .Fl K option, to avoid .Xr keynote 4 policy checking. +The +.Nm +configuration itself is loaded at boot time +if the variable +.Va ipsec +is set to +.Dv YES +in +.Xr rc.conf.local 8 . +A utility called +.Xr ipsecctl 8 +is also available to load +.Nm +configurations, and can additionally be used +to view and modify IPsec flows. .Pp An alternative method of setting up SAs is also possible using manual keying. -Manual keying can be convenient for quick setups and testing. -These procedures are documented within this page. +Manual keying is not recommended, +but can be convenient for quick setups and testing. +Those procedures are documented within this page. +.Pp +.Nm +has the following format: .Pp Lines beginning with .Sq # diff --git a/sbin/ipsecctl/ipsecctl.8 b/sbin/ipsecctl/ipsecctl.8 index 9b86882f19e..a098173ce80 100644 --- a/sbin/ipsecctl/ipsecctl.8 +++ b/sbin/ipsecctl/ipsecctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecctl.8,v 1.22 2006/09/11 09:01:43 jmc Exp $ +.\" $OpenBSD: ipsecctl.8,v 1.23 2006/09/29 10:51:27 jmc Exp $ .\" .\" Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> .\" @@ -42,25 +42,6 @@ and establish tunnels using automatic keying with The ruleset grammar is described in .Xr ipsec.conf 5 . .Pp -When the variable -.Va ipsec -is set to -.Dv YES -in -.Xr rc.conf.local 8 , -the rule file specified with the variable -.Va ipsec_rules -(by default -.Pa /etc/ipsec.conf ) -is loaded automatically by the -.Xr rc 8 -scripts. -The keying daemon, -.Xr isakmpd 8 , -can also be enabled to run at boot time via the -.Va isakmpd_flags -variable. -.Pp The options are as follows: .Bl -tag -width Ds .It Fl D Ar macro Ns = Ns Ar value |