From c8a08efdd5666b707a7ac996549f761c2f763d03 Mon Sep 17 00:00:00 2001
From: Jason McIntyre
Date: Thu, 14 Apr 2005 09:10:13 +0000
Subject: we already have a section on configuring firewall rules, so refer to it in EXAMPLES rather than reproducing info (and confusing people); make the firewall section of manual and automatic keying the same; this also fixes an issue reported by steve murdoch back in november, that parts of vpn(8) were repeating themselves; sorry to take so long to fix this, steve;

---
 share/man/man8/vpn.8 | 45 ++++++++++++++++++++-------------------------
 1 file changed, 20 insertions(+), 25 deletions(-)

(limited to 'share/man/man8')

diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index cc09628300c..be9ec6f8b0e 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.82 2005/04/14 08:46:16 jmc Exp $
+.\" $OpenBSD: vpn.8,v 1.83 2005/04/14 09:10:12 jmc Exp $
 .\"
 .\" Copyright 1998 Niels Provos
 .\" All rights reserved.
@@ -313,7 +313,7 @@ GATEWAY_B = "192.168.2.1"
 NETWORK_A = "10.0.50.0/24"
 NETWORK_B = "10.0.99.0/24"
 
-(rest of ruleset)
+(rest of ruleset per Configuring Firewall Rules, above)
 .Ed
 .It
 Configure the firewall rules on machine B, modifying the
@@ -324,7 +324,7 @@ GATEWAY_B = "192.168.1.254"
 NETWORK_A = "10.0.99.0/24"
 NETWORK_B = "10.0.50.0/24"
 
-(rest of ruleset)
+(rest of ruleset, modified as appropriate)
 .Ed
 .El
 .Ss Automated keying
@@ -498,31 +498,26 @@ Conditions: app_domain == "IPsec policy" && esp_enc_alg != "null" -> "true";
 
 .Ed
 .It
-Configure the firewall rules on machines A and B:
-.Pp
-Use the same ruleset as the manual keying example, but add permission
-for the
-.Xr isakmpd 8
-control traffic, on
-.Tn UDP
-port 500.
-.Pp
-For machineA, add:
+Configure the firewall rules on machine A
+using the previously defined ruleset:
 .Bd -literal -offset indent
-# Permit ISAKMPD control traffic between A and B
-pass in proto udp from 192.168.2.1 to 192.168.1.254 \e
- port = 500
-pass out proto udp from 192.168.1.254 to 192.168.2.1 \e
- port = 500
+GATEWAY_A = "192.168.1.254"
+GATEWAY_B = "192.168.2.1"
+NETWORK_A = "10.0.50.0/24"
+NETWORK_B = "10.0.99.0/24"
+
+(rest of ruleset per Configuring Firewall Rules, above)
 .Ed
-.Pp
-For machineB, add:
+.It
+Configure the firewall rules on machine B, modifying the
+definitions as appropriate:
 .Bd -literal -offset indent
-# Permit ISAKMPD control traffic between A and B
-pass in proto udp from 192.168.1.254 to 192.168.2.1 \e
- port = 500
-pass out proto udp from 192.168.2.1 to 192.168.1.254 \e
- port = 500
+GATEWAY_A = "192.168.2.1"
+GATEWAY_B = "192.168.1.254"
+NETWORK_A = "10.0.99.0/24"
+NETWORK_B = "10.0.50.0/24"
+
+(rest of ruleset, modified as appropriate)
 .Ed
 .It
 Start
-- 
cgit v1.2.3