author Stefan Sperling <stsp@cvs.openbsd.org> 2018-04-17 12:13:30 +0000
committer Stefan Sperling <stsp@cvs.openbsd.org> 2018-04-17 12:13:30 +0000
commit e9b624a0e00c6900186abd21829d7403e4399258
tree 9b8b85f978f360f03a3ef065267043f820572359 /sbin/ipsecctl
parent 3450241520055cbb4f2b805a094d807b7b39240f
Document how to avoid isakmpd(8) source IP address pitfalls by using
the Listen-on directive in isakmpd.conf(5). This directive can be necessary in multi-homed situations, and if isakmpd(8) is used with carp(4). ok sthen@ mpi@
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- sbin/ipsecctl/ipsec.conf.5 15
1 files changed, 12 insertions, 3 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 44b675ef0c2..77eecc19d00 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.154 2017/11/23 20:49:38 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.155 2018/04/17 12:13:29 stsp Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 23 2017 $
+.Dd $Mdocdate: April 17 2018 $
.Dt IPSEC.CONF 5
.Os
.Sh NAME
@@ -288,7 +288,16 @@ The
.Ic local
parameter specifies the address or FQDN of the local endpoint.
Unless we are multi-homed or have aliases,
-this option is generally not needed.
+this parameter is generally not needed.
+This parameter does not affect the set of IP addresses
+.Xr isakmpd 8
+will listen on and send packets from.
+The
+.Em Listen-on
+directive in
+.Xr isakmpd.conf 5
+should additionally be used to ensure that the local endpoint will
+send IKE messages with an appropriate source IP address.
.Pp
The
.Ic peer
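Review bot: The added sentence ending "should additionally be used to ensure that the local endpoint will send IKE messages with an appropriate source IP address" reads as unconditional, while the commit message says Listen-on "can be necessary" in multi-homed situations and when isakmpd(8) is used with carp(4). Consider tying the new text to the existing "Unless we are multi-homed or have aliases" condition and naming the carp case with ".Xr carp 4", so that a reader of ipsec.conf(5) alone learns when the source address can differ from the configured local endpoint. It would also help to state the consequence in the page itself: with "local" set but no Listen-on, the flows and SAs name one address while IKE packets may leave from another, which is hard to diagnose from this page as worded.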