author | Jason McIntyre <jmc@cvs.openbsd.org> | 2006-09-29 10:51:28 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2006-09-29 10:51:28 +0000 |
commit | 12a1af1da6d5e0f93539d7d6c8838476493c0d29 | |
tree | c109d63b576df4bfdee653b5276817023061ac3c /sbin | |
parent | 2899cbc5a564056b607117cfa1b715f75335bf91 | |
make it clearer what needs to be run, and how; push manual keying down
the list; move the rc stuff from ipsecctl to ipsec.conf;
ok hshoexer
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 40 |
-rw-r--r-- | sbin/ipsecctl/ipsecctl.8 | 21 |
2 files changed, 31 insertions, 30 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index de7ceb1af4d..d3f31793d19 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.99 2006/09/26 22:03:44 jmc Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.100 2006/09/29 10:51:27 jmc Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -50,9 +50,6 @@ are established, which detail how the desired protection will be achieved. IPsec uses flows to determine whether to apply security services to an IP packet or not. -Flows and SAs can be loaded, viewed, and modified using the -.Xr ipsecctl 8 -utility. .Pp Generally speaking an automated keying daemon, @@ -75,19 +72,42 @@ section of .Xr isakmpd 8 for information on the types of authentication available, and the procedures for setting them up. -After that it's simply a case of running the daemon. -Note that -.Xr isakmpd 8 -will probably need to be run with at least the +.Pp +The keying daemon, +.Xr isakmpd 8 , +can be enabled to run at boot time via the +.Va isakmpd_flags +variable in +.Xr rc.conf.local 8 . +Note that it will probably need to be run with at least the .Fl K option, to avoid .Xr keynote 4 policy checking. +The +.Nm +configuration itself is loaded at boot time +if the variable +.Va ipsec +is set to +.Dv YES +in +.Xr rc.conf.local 8 . +A utility called +.Xr ipsecctl 8 +is also available to load +.Nm +configurations, and can additionally be used +to view and modify IPsec flows. .Pp An alternative method of setting up SAs is also possible using manual keying. -Manual keying can be convenient for quick setups and testing. -These procedures are documented within this page. +Manual keying is not recommended, +but can be convenient for quick setups and testing. +Those procedures are documented within this page. +.Pp +.Nm +has the following format: .Pp Lines beginning with .Sq # 
diff --git a/sbin/ipsecctl/ipsecctl.8 b/sbin/ipsecctl/ipsecctl.8 index 9b86882f19e..a098173ce80 100644 --- a/sbin/ipsecctl/ipsecctl.8 +++ b/sbin/ipsecctl/ipsecctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecctl.8,v 1.22 2006/09/11 09:01:43 jmc Exp $ +.\" $OpenBSD: ipsecctl.8,v 1.23 2006/09/29 10:51:27 jmc Exp $ .\" .\" Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> .\" @@ -42,25 +42,6 @@ and establish tunnels using automatic keying with The ruleset grammar is described in .Xr ipsec.conf 5 . .Pp -When the variable -.Va ipsec -is set to -.Dv YES -in -.Xr rc.conf.local 8 , -the rule file specified with the variable -.Va ipsec_rules -(by default -.Pa /etc/ipsec.conf ) -is loaded automatically by the -.Xr rc 8 -scripts. -The keying daemon, -.Xr isakmpd 8 , -can also be enabled to run at boot time via the -.Va isakmpd_flags -variable. -.Pp The options are as follows: .Bl -tag -width Ds .It Fl D Ar macro Ns = Ns Ar value |
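Review bot: In ipsec.conf.5, the hunk at -50,9 removes "Flows and SAs can be loaded, viewed, and modified using ipsecctl(8)", but the sentence that replaces it further down (in the -75,19 hunk) only says ipsecctl "can additionally be used to view and modify IPsec flows". SAs have dropped out of the description. If that narrowing is not intended, the new sentence should read "to view and modify IPsec flows and SAs" so that the page still tells the reader which tool inspects the SA state.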
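Review bot: In the ipsec.conf.5 hunk at -75,19, the new wording "Manual keying is not recommended, but can be convenient for quick setups and testing" gives the warning without a reason, so a reader has no way to judge when the shortcut is acceptable. A short clause saying why would help, for example that manually configured keys are static and are not renegotiated by a keying daemon. Also consider placing that clause next to the manual keying section itself, since the commit message says manual keying is being pushed down the list and the warning should travel with it.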
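Review bot: The ipsecctl.8 hunk at -42,25 deletes the only text in this patch that names the ipsec_rules variable, its default of /etc/ipsec.conf, and the rc(8) scripts that do the loading, and the paragraph added to ipsec.conf.5 carries none of the three over: it says only that the configuration "is loaded at boot time if the variable ipsec is set to YES". Someone keeping the rules in a non-default file can no longer find out from either page which file is read at boot. Suggest restoring the ".Va ipsec_rules" and ".Pa /etc/ipsec.conf" wording in the new ipsec.conf.5 paragraph, and leaving a one-line pointer in ipsecctl.8 to ipsec.conf(5) for boot-time loading.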