On Sat, Feb 22, 2020 at 12:26:01AM +0100, Klemens Nanni wrote:
> On Fri, Feb 21, 2020 at 10:28:50PM +0000, Jason McIntyre wrote:
> > it should be "a gre tunnel", not "an"
> Sure, leftover from previous wording/reshuffling.
>
> > > +.Xr gre 4
> > > +tunnel from the local machine A to peer D using FQDN based public key
> >
> > probably s/the local machine A/local machine A/ (as you do for peer D)
> > maybe "FQDN-based", since similar instances exist in this page:
> Both reads better, thanks.
>
> > you should try to not split a sentence with a comma. if it's a list you
> > can do:
> I went with a semicolon.
>
> OK?
I have a comment about the use of dstid inline, otherwise I think it's great you thought of documenting this use case. Thanks! > Index: iked.conf.5 > =================================================================== > RCS file: /cvs/src/sbin/iked/iked.conf.5,v > retrieving revision 1.63 > diff -u -p -r1.63 iked.conf.5 > --- iked.conf.5 21 Feb 2020 15:17:34 -0000 1.63 > +++ iked.conf.5 21 Feb 2020 23:25:01 -0000 > @@ -990,6 +990,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1 > ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 > ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 > .Ed > +.Pp > +This example encrypts a > +.Xr gre 4 > +tunnel from local machine A to peer D using FQDN-based public key > +authentication. > +.Ar transport > +mode is used to avoid duplicate encapsulation of GRE; > +.Ar dstid > +is set explicitly to the peer's FQDN such that its public key is looked up > even > +if the peer does not send its FQDN as peer ID: This is not what dstid does. When setting 'dstid D.example.com' the policy still only applies if the peer sends 'D.example.com' as it's identity in the ID payload. Not setting dstid explicitly means iked will fall back to the value of "peer", which in your case would be the same: "D.example.com". Setting dstid is only necessary if you are using the IP address in the "peer" option but still want to use a FQDN as ID, which is really only the case with certificate authentication where the ID must match the subjectAltName. > +.Bd -literal -offset indent > +ikev2 transport \e > + proto gre \e > + from A.example.com to D.example.com \e > + peer D.example.com \e > + dstid D.example.com > +.Ed > .Sh SEE ALSO > .Xr enc 4 , > .Xr ipsec 4 , >
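Review bot: the sentence explaining dstid in the added paragraph ("is set explicitly to the peer's FQDN such that its public key is looked up even if the peer does not send its FQDN as peer ID") contradicts the behaviour described in the inline reply above: dstid names the identity the peer must present in its ID payload, and when it is omitted iked falls back to the value of "peer", which in this example is already D.example.com. As written, the `dstid D.example.com` line is redundant with `peer D.example.com`, and the prose gives readers a wrong model of what the option does. Suggest either dropping the dstid line together with the sentence about it, or rewording to something like ".Ar dstid must match the FQDN the peer sends as its identity" if the intent is to show the option explicitly; the transport-mode and proto gre parts of the example and their explanation read fine.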
