author Jason McIntyre <jmc@cvs.openbsd.org> 2006-09-29 10:51:28 +0000
committer Jason McIntyre <jmc@cvs.openbsd.org> 2006-09-29 10:51:28 +0000
commit 12a1af1da6d5e0f93539d7d6c8838476493c0d29 (patch)
tree c109d63b576df4bfdee653b5276817023061ac3c /sbin/ipsecctl
parent 2899cbc5a564056b607117cfa1b715f75335bf91 (diff)
make it clearer what needs to be run, and how; push manual keying down
the list; move the rc stuff from ipsecctl to ipsec.conf; ok hshoexer
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- sbin/ipsecctl/ipsec.conf.5 40
-rw-r--r-- sbin/ipsecctl/ipsecctl.8 21
2 files changed, 31 insertions, 30 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index de7ceb1af4d..d3f31793d19 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.99 2006/09/26 22:03:44 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.100 2006/09/29 10:51:27 jmc Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -50,9 +50,6 @@ are established,
which detail how the desired protection will be achieved.
IPsec uses flows
to determine whether to apply security services to an IP packet or not.
-Flows and SAs can be loaded, viewed, and modified using the
-.Xr ipsecctl 8
-utility.
.Pp
Generally speaking
an automated keying daemon,
@@ -75,19 +72,42 @@ section of
.Xr isakmpd 8
for information on the types of authentication available,
and the procedures for setting them up.
-After that it's simply a case of running the daemon.
-Note that
-.Xr isakmpd 8
-will probably need to be run with at least the
+.Pp
+The keying daemon,
+.Xr isakmpd 8 ,
+can be enabled to run at boot time via the
+.Va isakmpd_flags
+variable in
+.Xr rc.conf.local 8 .
+Note that it will probably need to be run with at least the
.Fl K
option, to avoid
.Xr keynote 4
policy checking.
+The
+.Nm
+configuration itself is loaded at boot time
+if the variable
+.Va ipsec
+is set to
+.Dv YES
+in
+.Xr rc.conf.local 8 .
+A utility called
+.Xr ipsecctl 8
+is also available to load
+.Nm
+configurations, and can additionally be used
+to view and modify IPsec flows.
.Pp
An alternative method of setting up SAs is also possible using
manual keying.
-Manual keying can be convenient for quick setups and testing.
-These procedures are documented within this page.
+Manual keying is not recommended,
+but can be convenient for quick setups and testing.
+Those procedures are documented within this page.
+.Pp
+.Nm
+has the following format:
.Pp
Lines beginning with
.Sq #
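Review bot: The added "Manual keying is not recommended," states the advice without a reason, so a reader choosing between isakmpd(8) and manual keying has nothing to weigh; add a short clause saying why, or a cross-reference to where that is explained. In the same paragraph, "Those procedures are documented within this page" reads better with the original "These", since the procedures are in this page. The new ipsecctl(8) sentence also mentions only viewing and modifying flows, whereas the sentence removed earlier in this file said "Flows and SAs"; keep "SAs" if that is still accurate.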
diff --git a/sbin/ipsecctl/ipsecctl.8 b/sbin/ipsecctl/ipsecctl.8
index 9b86882f19e..a098173ce80 100644
--- a/sbin/ipsecctl/ipsecctl.8
+++ b/sbin/ipsecctl/ipsecctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecctl.8,v 1.22 2006/09/11 09:01:43 jmc Exp $
+.\" $OpenBSD: ipsecctl.8,v 1.23 2006/09/29 10:51:27 jmc Exp $
.\"
.\" Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
.\"
@@ -42,25 +42,6 @@ and establish tunnels using automatic keying with
The ruleset grammar is described in
.Xr ipsec.conf 5 .
.Pp
-When the variable
-.Va ipsec
-is set to
-.Dv YES
-in
-.Xr rc.conf.local 8 ,
-the rule file specified with the variable
-.Va ipsec_rules
-(by default
-.Pa /etc/ipsec.conf )
-is loaded automatically by the
-.Xr rc 8
-scripts.
-The keying daemon,
-.Xr isakmpd 8 ,
-can also be enabled to run at boot time via the
-.Va isakmpd_flags
-variable.
-.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl D Ar macro Ns = Ns Ar value
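Review bot: The paragraph removed here is the only text in this patch that names the ipsec_rules variable and its default of /etc/ipsec.conf; the replacement added to ipsec.conf.5 says only that the configuration is loaded when ipsec is set to YES. Carry the ipsec_rules sentence over to ipsec.conf.5 as well, so the rule file that rc(8) loads at boot is still documented, and consider leaving a one-line pointer to ipsec.conf(5) in this page for boot-time setup.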