author: Niels Provos <provos@cvs.openbsd.org> 1998-06-02 09:18:34 +0000
committer: Niels Provos <provos@cvs.openbsd.org> 1998-06-02 09:18:34 +0000
commit: 36440bfa00f86412831629c5141993177db97911 (patch)
tree: 0f1737a7e0eff57ee9fa6d4f9d9aa58d60dcff1e /share
parent: e0f986c2e01c3c1d5103521802474f4d52df08ed (diff)
add sample ipf configuration
Diffstat (limited to 'share')
-rw-r--r--  share/man/man8/vpn.8  28
1 files changed, 24 insertions, 4 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index c2a45a407b8..4d1e61ff6a8 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.2 1998/05/24 23:26:42 provos Exp $
+.\" $OpenBSD: vpn.8,v 1.3 1998/06/02 09:18:33 provos Exp $
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -78,11 +78,31 @@ interface or
.Tn UDP
packets with source and remote ports of 468
should be allowed in.
+.Pp
+The ipf rules for a tunnel which only uses ESP on security gateway A
+might look like this:
+.Bd -literal
+# ed0 is the only interface going to the outside.
+block in log on ed0 from any to any
+block out log on ed0 from any to any
+block in log on enc0 from any to any
+
+# Passing in encrypted traffic from security gateways
+pass in proto sipp-esp from gatewB to gatewA
+pass out proto sipp-esp from gatewA to gatewB
+
+# Passing in traffic from the designated subnets.
+pass in on enc0 from netB/netBmask to netA/netAmask
+
+# Passing in Photuris traffic from the security gateways
+pass in on ed0 proto udp from gatewB/32 port = 468 to gatewA/32 port = 468
+pass out on ed0 proto udp from gatewA/32 port = 468 to gatewB/32 port = 468
+.Ed
+.Pp
+If there are no more ipf rules the quick clause can be added to the last
+three rules.
.Sh SEE ALSO
.Xr ipf 1 ,
.Xr ipsecadm 1 ,
.Xr ipsec 4 ,
.Xr photurisd 8 .
-.Sh HISTORY
-VPN support appeared first in
-.Ox 2.3 .
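Review bot: The two ESP pass rules ("pass in proto sipp-esp from gatewB to gatewA" / "pass out proto sipp-esp from gatewA to gatewB") carry no "on ed0" qualifier while every other rule in the sample is bound to an interface; as written they also match on enc0, so either add "on ed0" to both or say in the text why they are interface-independent. Related to that, the closing sentence says "quick" may be added to the last three rules, but the enc0 and Photuris rules are separated from the ESP rules, so state explicitly which rules are meant. The hunk also deletes the whole HISTORY section (".Sh HISTORY" / "VPN support appeared first in" / ".Ox 2.3 ."), which the commit message "add sample ipf configuration" does not mention; if the removal is intended it should be called out, otherwise it should be restored.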