On Fri, Feb 21, 2020 at 11:12:24PM +0100, Klemens Nanni wrote:
> tobhe recently committed transport mode support, so here's an example
> that hopefully provides a good starting point for users wanting to set up
> encrypted tunnels.
>
> Feedback? OK?
>
hi. feedback inline.
>
> Index: iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.63
> diff -u -p -r1.63 iked.conf.5
> --- iked.conf.5 21 Feb 2020 15:17:34 -0000 1.63
> +++ iked.conf.5 21 Feb 2020 22:07:03 -0000
> @@ -990,6 +990,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
> ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
> ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
> .Ed
> +.Pp
> +This example encrypts an
it should be "a gre tunnel", not "an"
> +.Xr gre 4
> +tunnel from the local machine A to peer D using FQDN based public key
probably s/the local machine A/local machine A/ (as you do for peer D)
maybe "FQDN-based", since similar instances exist in this page:
supports user-based authentication by tunneling the Extensible
required to support different challenge-based EAP methods like
or to support queue-based bandwidth control,
authentication and additional challenge-based EAP-MSCHAPv2 password
> +authentication.
> +.Ar transport
> +mode is used to avoid duplicate encapsulation of GRE,
> +.Ar dstid
> +is set explicitly to the peer's FQDN such that its public key is looked up
> even
> +if the peer does not send its FQDN as peer ID:
you should try to not split a sentence with a comma. if it's a list you
can do:
one, two, and three
but with two things you want a semi-colon, a joining word (to get
technical), or to start a new sentence. i guess i'd go with a semi-colon
in this case (it's a logical joining).
> +.Bd -literal -offset indent
> +ikev2 transport \e
> + proto gre \e
> + from A.example.com to D.example.com \e
> + peer D.example.com \e
> + dstid D.example.com
> +.Ed
> .Sh SEE ALSO
> .Xr enc 4 ,
> .Xr ipsec 4 ,
>
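Review bot: in the new description text, the configuration keywords are set with the argument macro (`.Ar transport`, `.Ar dstid`), which mdoc reserves for placeholder arguments that the user substitutes; a keyword that is typed literally into iked.conf is normally marked with `.Ic`, so consider `.Ic transport` and `.Ic dstid` here unless the rest of this page already marks its keywords with `.Ar`, in which case keep the page consistent with itself.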
otherwise reads ok.
jmc