Diffstat (limited to 'sbin/brconfig/brconfig.8')
-rw-r--r--  sbin/brconfig/brconfig.8 | 56
1 file changed, 42 insertions, 14 deletions
diff --git a/sbin/brconfig/brconfig.8 b/sbin/brconfig/brconfig.8
index 9fde45312a1..d2c579fd3d8 100644
--- a/sbin/brconfig/brconfig.8
+++ b/sbin/brconfig/brconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: brconfig.8,v 1.54 2006/05/26 04:02:59 deraadt Exp $
+.\" $OpenBSD: brconfig.8,v 1.55 2006/05/27 19:37:24 hshoexer Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -188,7 +188,8 @@ Setting this flag causes all packets to be passed on to
for processing, based on the policies established by the administrator
using the
.Xr ipsecctl 8
-command.
+command and
+.Xr ipsec.conf 5 .
If appropriate security associations (SAs) exist, they will be used to
encrypt or decrypt the packets.
Otherwise, any key management daemons such as
@@ -359,7 +360,7 @@ between the two bridges.
To only protect the bridge traffic between
the two bridges, the transport protocol 97 (etherip) selector may be
used in
-.Xr ipsecctl 8
+.Xr ipsec.conf 5
or
.Xr isakmpd 8 .
Otherwise, the Ethernet frames will be sent in the clear between the
@@ -387,21 +388,48 @@ Create and configure the gif0 interface:
.Ed
.Pp
Create Security Associations (SAs) between the external IP address of each
-bridge:
+bridge and matching ingress flows by using the following
+.Xr ipsec.conf 5
+file on bridge1:
+.Bd -literal -offset indent
+esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \e
+ authkey file "auth1:auth2" enckey file "enc1:enc2"
+flow esp proto etherip from 1.2.3.4 to 4.3.2.1
+.Ed
+.Pp
+Now load these rules into the kernel by issuing the
+.Xr ipsecctl 8
+command:
+.Bd -literal -offset indent
+ # ipsecctl -f ipsec.conf
+.Ed
+.Pp
+Apropriate
+.Xr ipsec.conf 5
+for bridge2:
+.Bd -literal -offset indent
+esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \e
+ authkey file "auth2:auth1" enckey file "enc2:enc1"
+flow esp proto etherip from 4.3.2.1 to 1.2.3.4
+.Ed
+.Pp
+And load them:
+.Bd -literal -offset indent
+ # ipsecctl -f ipsec.conf
+.Ed
+.Pp
+To use
+.Xr isakmpd 8
+use this
+.Xr ipsec.conf 5
+on bridge1:
.Bd -literal -offset indent
-# ipsecadm new esp -spi 4242 -dst 4.3.2.1 -src 1.2.3.4 -enc 3des \e
- -auth md5 -keyfile keyfile1 -authkeyfile authkeyfile1
-# ipsecadm new esp -spi 4243 -dst 1.2.3.4 -src 4.3.2.1 -enc 3des \e
- -auth md5 -keyfile keyfile2 -authkeyfile authkeyfile2
+ike esp proto etherip from 1.2.3.4 to 4.3.2.1
.Ed
.Pp
-Set up ingress flows so that traffic is allowed between the two bridges
-for the above associations:
+And that one on bridge2:
.Bd -literal -offset indent
-(on bridge1) # ipsecadm flow -dst 4.3.2.1 -out \e
- -transport etherip -require -addr 1.2.3.4/32 4.3.2.1/32
-(on bridge2) # ipsecadm flow -dst 1.2.3.4 -out \e
- -transport etherip -require -addr 4.3.2.1/32 1.2.3.4/32
+ike esp proto etherip from 4.3.2.1. to 1.2.3.4
.Ed
.Pp
Bring up the internal interface (if not already up) and encapsulation
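Review bot: the bridge2 isakmpd rule in this hunk has a stray trailing dot in the source address, `ike esp proto etherip from 4.3.2.1. to 1.2.3.4`; it should read `from 4.3.2.1 to 1.2.3.4` to match the bridge1 rule and the addresses used in the manual-keying example earlier in the same hunk. Two wording nits in the same hunk: "Apropriate" should be "Appropriate", and "To use isakmpd 8 use this ipsec.conf 5 on bridge1:" / "And that one on bridge2:" read more naturally as "To use isakmpd(8) instead, use this ipsec.conf(5) on bridge1:" and "And this one on bridge2:". Since the new manual SA lines reference key material only by file name (`authkey file "auth1:auth2" enckey file "enc1:enc2"`, swapped to `"auth2:auth1"` / `"enc2:enc1"` on bridge2), a one-line pointer to ipsec.conf(5) for the expected key-file format, and a remark that the same files must be present on both bridges in the swapped order, would help readers converting from the removed `ipsecadm ... -keyfile` example.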