author Jason McIntyre <jmc@cvs.openbsd.org> 2005-04-27 14:22:28 +0000
committer Jason McIntyre <jmc@cvs.openbsd.org> 2005-04-27 14:22:28 +0000
commit caa7cf17b79eec11c9747937704c9e2664c7a895 (patch)
tree 02b97500398af89af92aea4b879d198bb41cf37f /share/man
parent a500a93662b012503331d9b6fd5e7f10a7494b6f (diff)
some improvements from markus@ and ho@;
ok hshoexer@
Diffstat (limited to 'share/man')
-rw-r--r-- share/man/man8/vpn.8 14
1 files changed, 9 insertions, 5 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 0f7990fa70b..c495f5fcc10 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.101 2005/04/23 08:40:52 jmc Exp $
+.\" $OpenBSD: vpn.8,v 1.102 2005/04/27 14:22:27 jmc Exp $
.\"
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -102,6 +102,11 @@ On machine B:
For all other (non-test) cases,
.Xr ifconfig 8
should be used to configure machines as normal.
+.Pp
+Additionally, the GATEWAY_* and NETWORK_* variables used in the
+following sections are defined below in
+.Sx Configuring Firewall Rules .
+Please see that section for the correct values for these variables.
.Ss Enabling Packet Forwarding
For security gateways, proper operation often requires packet
forwarding to be enabled using
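Review bot: The added paragraph (the "+Additionally, the GATEWAY_* and NETWORK_* variables" lines) sends readers forward to Configuring Firewall Rules for the values, but going by the hunk headers that section sits several hundred lines further down (this hunk is near line 102, the firewall rules near line 476), while the variables are already needed in commands in between, such as "-addr $NETWORK_A $NETWORK_B". Consider saying at this point what each variable stands for (gateway address versus subnet) and cross-referencing from the firewall section instead. The last two added sentences also say the same thing twice; "Please see that section for the correct values for these variables." could be dropped.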
@@ -240,8 +245,7 @@ On the security gateway of subnet B:
-addr $NETWORK_A $NETWORK_B
.Ed
.Ss Configuring the Keying Daemon [automated keying]
-Unless manual keying is used, both security gateways need to start
-the
+Unless manual keying is used, both security gateways need to use the
.Xr isakmpd 8
key management daemon.
.Xr isakmpd 8
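Review bot: In the reworded line "+Unless manual keying is used, both security gateways need to use the", "use" is less actionable than the "start" it replaces; a reader following the page as a procedure no longer sees that the daemon has to be running on both gateways. "need to run the" would keep the instruction without the awkward line break the old wording had. The following sentence also opens with ".Xr isakmpd 8", so the daemon name now appears twice back to back; merging the two sentences or using a pronoun would read better.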
@@ -476,7 +480,7 @@ pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B
# Need to allow ipencap traffic on enc0.
-pass in on enc0 proto ipencap all
+pass in on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A
# Passing in traffic from the designated subnets.
pass in on enc0 from $NETWORK_B to $NETWORK_A
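Review bot: The unchanged comment "# Need to allow ipencap traffic on enc0." directly above the new rule still describes a blanket allow, while the rule now admits ipencap only from $GATEWAY_B to $GATEWAY_A. Update the comment to say that only the peer gateway is accepted as the tunnel endpoint, so that someone adapting the ruleset does not widen it back to "all". The endpoints chosen agree with the "pass in proto esp from $GATEWAY_B to $GATEWAY_A" rule visible in the hunk header.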
@@ -509,7 +513,7 @@ pass in proto esp from $GATEWAY_A to $GATEWAY_B
pass out proto esp from $GATEWAY_B to $GATEWAY_A
# Need to allow ipencap traffic on enc0.
-pass in on enc0 proto ipencap all
+pass in on enc0 proto ipencap from $GATEWAY_A to $GATEWAY_B
# Passing in traffic from the designated subnets.
pass in on enc0 from $NETWORK_A to $NETWORK_B
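Review bot: Gateway B's copy of the ruleset keeps the same stale comment above "+pass in on enc0 proto ipencap from $GATEWAY_A to $GATEWAY_B"; whatever wording is chosen for gateway A's comment should be mirrored here so the two examples stay in step. The A/B order is swapped relative to gateway A's rule as it should be, and it agrees with the esp rule in the hunk header.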