a rewrite of enc.4, hopefully a little more useful than what we previously

had; more can go in here, so feel free...

many thanks to ho for feedback, and angelos and cedric who i harangued
endlessly to explain nat/ipsec to me;

the ipsec.conf.5 change just moves some stuff more appropriate to enc.4;

ok hshoexer

1 files changed, 5 insertions, 17 deletions

diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 2821997eca5..73ce74b8437 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ipsec.conf.5,v 1.108 2006/12/06 09:54:15 jmc Exp $
+.\"	$OpenBSD: ipsec.conf.5,v 1.109 2006/12/12 21:20:02 jmc Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel  All rights reserved.
 .\"
@@ -428,6 +428,10 @@ on the external interface.
 .It enc0
 Interface for outgoing traffic before it's been encapsulated,
 and incoming traffic after it's been decapsulated.
+State on this interface should be interface bound;
+see
+.Xr enc 4
+for further information.
 .It proto ipencap
 [tunnel mode only]
 IP-in-IP traffic flowing between gateways
@@ -472,22 +476,6 @@ pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e
 .Ed
 .Pp
 .Xr pf 4
-is a stateful packet filter,
-which means it can track the state of a connection.
-It does this
-.Em automatically .
-States are normally
-.Em floating ,
-which means they can match packets on any interface.
-However this is a potential problem for filtering IPsec traffic:
-states need to be interface bound,
-to avoid permitting unencrypted traffic should
-.Xr isakmpd 8
-exit.
-Therefore all rules on the enc0 interface should explicitly set
-.Dq keep state (if-bound) .
-.Pp
-.Xr pf 4
 has the ability to filter IPsec-related packets
 based on an arbitrary
 .Em tag