author Niels Provos <provos@cvs.openbsd.org> 1998-05-24 14:20:41 +0000
committer Niels Provos <provos@cvs.openbsd.org> 1998-05-24 14:20:41 +0000
commit 9a424d64496fc2c3b586e5c1482f0050d621ab0c
tree 9f27ed6b10db3288587f7dfc49063ce59bdffe56 /share
parent 1e395ebee3d19af187d7a39e2be21aa67f6f94e5
describe how to set up a VPN.
Diffstat (limited to 'share')
-rw-r--r-- share/man/man8/Makefile 4
-rw-r--r-- share/man/man8/vpn.8 88
2 files changed, 90 insertions, 2 deletions
diff --git a/share/man/man8/Makefile b/share/man/man8/Makefile
index 850ecbc48b9..6289934fe74 100644
--- a/share/man/man8/Makefile
+++ b/share/man/man8/Makefile
@@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.18 1998/02/09 21:58:21 deraadt Exp $
+# $OpenBSD: Makefile,v 1.19 1998/05/24 14:20:39 provos Exp $
# $NetBSD: Makefile,v 1.13 1996/03/28 21:36:40 mark Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
MAN= afterboot.8 compat_bsdos.8 compat_freebsd.8 compat_ibcs2.8 \
compat_linux.8 compat_sunos.8 \
compat_svr4.8 compat_ultrix.8 diskless.8 intro.8 rc.8 rc.conf.8 \
- sticky.8 update.8 yp.8 boot_config.8
+ sticky.8 update.8 yp.8 boot_config.8 vpn.8
SUBDIR= man8.amiga man8.arm32 man8.atari man8.hp300 man8.i386 man8.mac68k \
man8.sparc man8.sun3 man8.vax
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
new file mode 100644
index 00000000000..2a40a52f62c
--- /dev/null
+++ b/share/man/man8/vpn.8
@@ -0,0 +1,88 @@
+.\" $OpenBSD: vpn.8,v 1.1 1998/05/24 14:20:40 provos Exp $
+.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Niels Provos.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Manual page, using -mandoc macros
+.\"
+.Dd May 23, 1998
+.Dt VPN 8
+.Os
+.Sh NAME
+.Nm vpn
+.Nd configuring the system for virtual private networks
+.Sh DESCRIPTION
+A virtual private network is used to connect two or more subnets via the
+internet. For each subnet there is a security gateway which is connected
+via a cryptographically secured tunnel to the security gateway of the other
+subnet. In
+.Ox
+.Xr ipsec 4
+is used to provide the necessary cryptographical services. This document
+describes the configuration process for setting up a
+.Nm VPN .
+.Pp
+Both subnets need to configure
+.Xr ipsec 4
+routes with the
+.Xr ipsecadm 1
+tool:
+.Pp
+On the security gateway of subnet A:
+.Bd -literal
+ipsecadm flow -dst gatewB -spi 1 -addr netA netAmask netB netBmask -local
+.Ed
+.Pp
+and on the security gateway of subnet B:
+.Bd -literal
+ipsecadm flow -dst gatewA -spi 1 -addr netB netBmask netA netAmask -local
+.Ed
+.Pp
+Additionally both security gateways need to start the
+.Xr photurisd 8
+key management daemon with the
+.Fl v
+flag and have to make sure that it is configured properly on both sides to
+provide encryption and authentication.
+.Pp
+Now
+.Xr ipf 1
+needs to be configured that all packets from the outside are blocked.
+Only packets from the security gateways either on the
+.Pa enc0
+interface or
+.Tn UDP
+packets with source and remote ports of 468
+should be allowed in.
+.Sh SEE ALSO
+.Xr ipf 1 ,
+.Xr rt 1 ,
+.Xr ipsec 4 ,
+.Xr photurisd 8 .
+.Sh HISTORY
+VPN support appeared first in
+.Ox 2.3 .
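Review bot: The ipf paragraph at the end of DESCRIPTION is too loose to write a filter from. "source and remote ports of 468" should read "source and destination ports of 468", and "needs to be configured that all packets" is missing a "so". The paragraph should also say which interface the UDP rule applies to and what "packets from the security gateways" means on enc0, and it would benefit from sample ipf rules in a .Bd -literal block, as is done for the two ipsecadm commands. Separately, SEE ALSO lists ".Xr rt 1", which the text never mentions, and omits ".Xr ipsecadm 1", which it does. The placeholders gatewA, gatewB, netA, netAmask, netB and netBmask, the "-spi 1" and "-local" arguments, and the photurisd "-v" flag are all used without explanation; one sentence for each would let a reader adapt the commands without guessing.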