author: Jason McIntyre <jmc@cvs.openbsd.org> 2005-04-14 10:34:24 +0000
committer: Jason McIntyre <jmc@cvs.openbsd.org> 2005-04-14 10:34:24 +0000
commit: eafa624f46551272141373350a458681a3641c0f (patch)
tree: f0d46d5c3f8157ab6fbb333540080f41705f74af /share/man/man8
parent: 8f2a4f9d7e6cda2615350dbfa1497d9ebd6c2c5a (diff)
- example policy files are identical for machines A and B, so combine into one step
- mention necessary permissions for isakmpd.policy
- document these permissions are needed because of sensitive information, not just because of shared secrets: isakmpd.policy need not contain a shared secret
- remove useless .Pp

agreed w/ hshoexer@
Diffstat (limited to 'share/man/man8')
-rw-r--r-- share/man/man8/vpn.8 | 25
1 files changed, 9 insertions, 16 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 0c7d7aa5664..6e93b749757 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.85 2005/04/14 10:04:04 jmc Exp $
+.\" $OpenBSD: vpn.8,v 1.86 2005/04/14 10:34:23 jmc Exp $
.\"
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -470,26 +470,14 @@ Note that the shared secret (the
.Em Authentication
tag) must match between machineA and machineB.
.Pp
-Due to the shared secret information in the configuration file, it must
-be installed without any permissions for "group" or "other".
+Due to the sensitive information contained in the configuration file,
+it must be installed without any permissions for "group" or "other".
.Pp
.Dl # chmod og-rwx /etc/isakmpd/isakmpd.conf
-.Pp
.It
Create a simple
.Pa /etc/isakmpd/isakmpd.policy
-file for machineA:
-.Bd -literal -offset indent
-Keynote-version: 2
-Authorizer: "POLICY"
-Conditions: app_domain == "IPsec policy" &&
- esp_present == "yes" &&
- esp_enc_alg != "null" -> "true";
-.Ed
-.It
-Create a simple
-.Pa /etc/isakmpd/isakmpd.policy
-file for machineB:
+file for both machine A and machine B (identical):
.Bd -literal -offset indent
Keynote-version: 2
Authorizer: "POLICY"
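Review bot: the new step heading `+file for both machine A and machine B (identical):` spells the hosts "machine A" / "machine B", while the unchanged context at the top of this hunk (`tag) must match between machineA and machineB.`) spells them "machineA" / "machineB"; pick one form for the section. The rest of the hunk is sound: the two steps being merged had identical Keynote bodies, so nothing is lost, and dropping the `.Pp` before `.It` is correct because an mdoc list item already starts a new paragraph.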
@@ -497,6 +485,11 @@ Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
.Ed
+.Pp
+Due to the sensitive information contained in the policy file,
+it must be installed without any permissions for "group" or "other".
+.Pp
+.Dl # chmod og-rwx /etc/isakmpd/isakmpd.policy
.It
Configure the firewall rules on machine A
using the previously defined ruleset:
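Review bot: the permission paragraph and `+.Dl # chmod og-rwx /etc/isakmpd/isakmpd.policy` added after `.Ed` repeat the isakmpd.conf wording verbatim, which keeps the two steps consistent, but as written the chmod is a separate step taken after the policy file has already been created, so under a permissive umask the file is group/other-readable for the interval in between; consider adding that the file should be created under a restrictive umask (e.g. `umask 077` in the shell that writes it) or that the chmod must be applied immediately after creation.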