author: Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> 2004-07-07 22:25:40 +0000
committer: Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> 2004-07-07 22:25:40 +0000
commit: f6adcfa1e8fa253c177874131f7bd165bcbe0fd1 (patch)
tree: e48d59d21023a0700bbc29325ec1c0cb5cd60a8a /sbin
parent: 2fdf09d2531bff9c879b8f6086d836de23e9e43f (diff)
document -a/-K and "Acquire-Only"/"Use-Keynote".
ok markus@ henning@ ho@ english polish and mdoc help and ok jmc@
Diffstat (limited to 'sbin')
-rw-r--r-- sbin/isakmpd/isakmpd.8 26
-rw-r--r-- sbin/isakmpd/isakmpd.conf.5 26
2 files changed, 50 insertions, 2 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index 04ab081de3a..a2efb6011d9 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.63 2004/05/13 06:56:34 ho Exp $
+.\" $OpenBSD: isakmpd.8,v 1.64 2004/07/07 22:25:39 hshoexer Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -42,6 +42,7 @@
.Op Fl 4
.Op Fl 6
.Op Fl c Ar config-file
+.Op Fl a
.Op Fl d
.Op Fl D Ar class=level
.Op Fl f Ar fifo
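Review bot: the new ".Op Fl a" in the SYNOPSIS is placed after ".Op Fl c Ar config-file", while the option list later in this file documents -a ahead of -c. Moving ".Op Fl a" up so it precedes the -c line keeps the synopsis and the option list in the same order and makes the flag easier to find.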
@@ -49,6 +50,7 @@
.Op Fl n
.Op Fl p Ar listen-port
.Op Fl P Ar local-port
+.Op Fl K
.Op Fl L
.Op Fl l Ar packetlog-file
.Op Fl r Ar seed
@@ -111,6 +113,17 @@ and/or
.Nm
will use.
The default is to use both IPv4 and IPv6.
+.It Fl a
+If given,
+.Nm
+does not set up flows automatically.
+This is useful when flows are configured with
+.Xr ipsecadm 4
+or by other programs like
+.Xr bgpd 8 .
+Thus
+.Nm
+only takes care of the SA establishment.
.It Fl c Ar config-file
If given, the
.Fl c
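Review bot: the cross-reference ".Xr ipsecadm 4" in the new -a entry disagrees with the -K entry added further down in this same file, which uses ".Xr ipsecadm 8". One of the two section numbers is wrong; since both entries describe the same program configuring flows, they should use the same section, and the reference here should be changed to match. It would also help to point at the equivalent "Acquire-Only" tag in isakmpd.conf(5), which this commit documents with the same wording.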
@@ -216,6 +229,17 @@ On the other hand, the port specified to capital
.Fl P
will be what the daemon binds its local end to when acting as
initiator.
+.It Fl K
+When this option is given,
+.Nm
+does not read the policy configuration file and no
+.Xr keynote 4
+policy check is accomplished.
+This option can be used when policies for flows and SA establishment are
+arranged by other programs like
+.Xr ipsecadm 8
+or
+.Xr bgpd 8 .
.It Fl L
Enable IKE packet capture.
When this option is given,
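Review bot: the -K entry says the policy file is not read and no keynote check is made, but it does not state what that means for the daemon's own behaviour: with this flag isakmpd applies no policy check of its own during SA establishment, and the text only implies this by saying policies are "arranged by other programs". A sentence saying so explicitly, and that the option is intended only for setups where that external policy is actually in place, would keep an administrator from turning checking off by accident. Minor wording: "no keynote policy check is accomplished" reads better as "is performed", and a pointer to the "Use-Keynote" tag in isakmpd.conf(5) would tie the two settings together.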
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index a0e638e967a..80087ccbd7e 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.91 2004/06/26 11:32:32 jmc Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.92 2004/07/07 22:25:39 hshoexer Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -158,6 +158,17 @@ If unspecified, the value 1200,60:86400 is used as the default.
A list of phase 2 suites that will be used when establishing dynamic
SAs.
If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default.
+.It Em Acquire-Only
+If this tag is defined,
+.Nm isakmpd
+will not set up flows automatically.
+This is useful when flows are configured with
+.Xr ipsecadm 4
+or by other programs like
+.Xr bgpd 8 .
+Thus
+.Nm isakmpd
+only takes care of the SA establishment.
.It Em Check-interval
The interval between watchdog checks of connections we want up at all times.
.It Em Exchange-max-time
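Review bot: the "Acquire-Only" entry repeats the ".Xr ipsecadm 4" reference, while the other entries added in this commit use ".Xr ipsecadm 8"; the section number should be made consistent. "If this tag is defined" also leaves open whether the tag needs a value and whether any value (including something like "no") enables the behaviour, so the entry should say what to write on the right-hand side. A mention of the equivalent -a command line flag from isakmpd(8) would help as well.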
@@ -229,6 +240,19 @@ and set up SAs with each other.
Specifically this means replay
protection will not be asked for, and errors that can occur when
updating an SA with its parameters a 2nd time will be ignored.
+.It Em Use-Keynote
+This tag controls the use of
+.Xr keynote 4
+policy checking.
+The default value is
+.Qq yes ,
+which enables the policy checking.
+When set to any other value, policies will not be checked.
+This is useful when policies for flows and SA establishment are arragned by
+other programs like
+.Xr ipsecadm 8
+or
+.Xr bgpd 8 .
.El
.It Em Phase 1
ISAKMP SA negotiation parameter root
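Review bot: "When set to any other value, policies will not be checked" documents a setting that fails open: as written, any value other than "yes", including a misspelling of it, turns keynote policy checking off without any indication. The entry should at least warn about this and name the value meant to disable checking (for example "no"), so that disabling is a deliberate choice rather than the result of a typo. There is also a spelling error in the added text: "arragned" should be "arranged". A reference to the -K flag in isakmpd(8) would complete the entry.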