Diffstat (limited to 'share/man')
-rw-r--r-- share/man/man4/ipsec.4 52
1 files changed, 26 insertions, 26 deletions
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index 73b0a6df53a..4fb374f1410 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.4,v 1.41 2001/06/22 12:15:45 mpech Exp $
+.\" $OpenBSD: ipsec.4,v 1.42 2001/06/25 03:30:23 provos Exp $
.\"
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -275,31 +275,31 @@ which can be used in packet filters to specify those
packets that have been or will be processed by
.Tn IPsec.
.Pp
-.\" .Xr ipnat 8
-.\" can also be applied to
-.\" .Nm enc#
-.\" interfaces, but special care should be taken because of the interactions
-.\" between NAT and the IPsec flow matching, especially on the packet output path.
-.\" Inside the TCP/IP stack, packets go through the following stages:
-.\" .Bd -literal -offset indent
-.\" UL/R -> [X] -> IPF/NAT(enc0) -> IPSec -> IPF/NAT(IF) -> IF
-.\" UL/R <-------- IPF/NAT(enc0) <- IPSec -> IPF/NAT(IF) <- IF
-.\" .Ed
-.\" .Pp
-.\" With
-.\" .Tn IF
-.\" being the real interface and
-.\" .Tn UL/R
-.\" the Upper Layer or Routing code.
-.\" The
-.\" .Tn [X]
-.\" Stage on the output path represents the point where the packet
-.\" is matched against the IPsec flow database (SPD) to determine if and how
-.\" the packet has to be IPsec-processed. If, at this point, it is determined
-.\" that the packet should be IPSec-processed, it is processed by the IPF/NAT code.
-.\" Unless IPF drops the packet, it will then be IPsec-processed, even if the
-.\" packet has been modified by NAT.
-.\" .Pp
+.Xr ipnat 8
+can also be applied to
+.Nm enc#
+interfaces, but special care should be taken because of the interactions
+between NAT and the IPsec flow matching, especially on the packet output path.
+Inside the TCP/IP stack, packets go through the following stages:
+.Bd -literal -offset indent
+UL/R -> [X] -> IPF/NAT(enc0) -> IPSec -> IPF/NAT(IF) -> IF
+UL/R <-------- IPF/NAT(enc0) <- IPSec -> IPF/NAT(IF) <- IF
+.Ed
+.Pp
+With
+.Tn IF
+being the real interface and
+.Tn UL/R
+the Upper Layer or Routing code.
+The
+.Tn [X]
+Stage on the output path represents the point where the packet
+is matched against the IPsec flow database (SPD) to determine if and how
+the packet has to be IPsec-processed. If, at this point, it is determined
+that the packet should be IPSec-processed, it is processed by the IPF/NAT code.
+Unless IPF drops the packet, it will then be IPsec-processed, even if the
+packet has been modified by NAT.
+.Pp
Security Associations can be set up manually with the
.Xr ipsecadm 8
utility or automatically with the
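Review bot: The inbound line of the literal diagram reads `<- IPSec -> IPF/NAT(IF) <- IF`, where the arrow between IPSec and IPF/NAT(IF) points right while every other arrow on that line points left; it looks like it should be `<-`, and since this text is now visible to readers rather than commented out, it is worth fixing before it lands. The paragraph after the diagram says the SPD match at `[X]` happens before IPF/NAT(enc0) and that the packet is IPsec-processed "even if the packet has been modified by NAT", so consider stating outright that the flow decision is made on the untranslated header, which is the interaction the "special care" warning is about. Smaller points in the same added lines: `IPSec` and `IPsec` are mixed, "Stage" is capitalized mid-sentence after `.Tn [X]`, and "IPsec-processed. If, at this point" starts a new sentence mid-line instead of on its own line.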