author | Kjell Wooding <kjell@cvs.openbsd.org> | 1999-07-07 06:21:05 +0000
---|---|---
committer | Kjell Wooding <kjell@cvs.openbsd.org> | 1999-07-07 06:21:05 +0000
commit | 5ef0416431133ddf7645e5677f9773ca68c65c65 (patch) |
tree | 4fd0d31d00c61a661e474329236870c7dfd0dff2 /share |
parent | ccdd95a6bb27dc1fa796de134ee760d864438f07 (diff) |
Attempt to make photurisd limitations clearer.
Diffstat (limited to 'share')

-rw-r--r-- | share/man/man8/vpn.8 | 18
---|---|---

1 files changed, 10 insertions, 8 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8 index 696983a88aa..6342713b43b 100644 --- a/share/man/man8/vpn.8 +++ b/share/man/man8/vpn.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: vpn.8,v 1.20 1999/07/07 04:18:01 kjell Exp $ +.\" $OpenBSD: vpn.8,v 1.21 1999/07/07 06:21:04 kjell Exp $ .\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -67,10 +67,13 @@ manual (symmetric shared secret) .Xr photurisd 8 .El .Pp -At present VPNs between private networks must use manual keying. +At present VPNs between private (RFC 1597) networks must use +manual keying, as .Xr photurisd 8 -may only be used in situations where both -security gateways are within their protected network ranges. +can only be used if the IP address of the security gateway actually +falls within the range of addresses being tunnelled to. +This can clearly never occur if the addresses being tunnelled to +are non-routable private networks. .Ss Generating Manual Keys The shared secret symmetric keys used to create a VPN can be any hexadecimal value, so long as both sides of the connection use @@ -334,12 +337,11 @@ Photuris configuration file Firewall configuration file .El .Sh BUGS -When using .Xr photurisd 8 -in VPN mode, both of the security gateways IP addresses must fall within -their protected netranges. +can not be used in VPN mode unless both of the security gateway IP addresses +lie within the network ranges being tunnelled to. In situations where the gateway IP is outside the desired netrange, such -as with private networks (RFC 1597), manual keying must be used. +as with private (RFC 1597) networks, manual keying must be used. This should be fixed in the next release. .Sh SEE ALSO .Xr ipsec 4 , |
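Review bot: the "private (RFC 1597) networks" reference added in the @@ -67,10 +67,13 @@ hunk cites a document that had already been obsoleted when this was written: RFC 1918 replaced RFC 1597 in 1996, so both this hunk and the BUGS hunk (which keeps "private (RFC 1597) networks") should cite RFC 1918. Two smaller wording points in the same hunk: "non-routable private networks" is more precise as "private networks that are not routable on the public Internet", since such addresses are routed inside the site, and "clearly" in "This can clearly never occur" adds nothing, as the sentence already gives the reason.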
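Review bot: in the @@ -334,12 +337,11 @@ hunk, "can not be used in VPN mode" should read "cannot be used in VPN mode"; "can not" reads as an emphatic negation rather than a statement of inability. The rewritten BUGS sentence also no longer matches the body text: the earlier hunk says "the IP address of the security gateway" must fall within "the range of addresses being tunnelled to", while BUGS says "both of the security gateway IP addresses" must "lie within the network ranges being tunnelled to". Pick one formulation, e.g. "unless each security gateway's IP address lies within the network range it tunnels to", and use it in both places so the BUGS entry and the body do not drift apart. The retained line "This should be fixed in the next release." names no release; if the fix is planned, say what will change so the entry does not go stale.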