On Wed, Jul 15, 2020 at 05:34:31PM +0200, Klemens Nanni wrote:
> Here's an addition to EXAMPLES for one of my frequent use cases that
> finally "just works".
> 
> First, transport mode for child SAs was implemented; then a few
> interoperability issues were identified with peers other than iked;
> now tobhe has fixed pubkey (`rsa' ikeauth, default) usage based on this.
> 
> Feedback? OK?
> 
> Index: iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.71
> diff -u -p -r1.71 iked.conf.5
> --- iked.conf.5       10 Jul 2020 21:23:47 -0000      1.71
> +++ iked.conf.5       12 Jul 2020 14:32:00 -0000
> @@ -1014,6 +1014,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
>  ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
>  ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
>  .Ed
> +.Pp
> +This example encrypts a
> +.Xr gre 4
> +tunnel from local machine A to peer D using FQDN-based public key
> +authentication.
> +.Ar transport
> +mode is used to avoid duplicate encapsulation of GRE;
> +.Ar dstid
> +is set explicitly to the peer's FQDN such that its public key is looked up 
> even
> +if the peer does not send its FQDN as peer ID:

I don't like the part about dstid. The only effect of explicitly setting dstid
here should be that the policy *only* matches hosts that send this ID value.
The key is looked up based on the received ID value. This just makes sure
both are the same (D.example.com).

Otherwise the diff looks ok.

> +.Bd -literal -offset indent
> +ikev2 transport \e
> +     proto gre \e
> +     from A.example.com to D.example.com \e
> +     peer D.example.com \e
> +     dstid D.example.com
> +.Ed
>  .Sh SEE ALSO
>  .Xr enc 4 ,
>  .Xr ipsec 4 ,
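
Review bot: the sentence starting at "+.Ar dstid" / "+is set explicitly to the peer's FQDN such that its public key is looked up" documents dstid as a way to force the key lookup by the configured name, which is not what the keyword does: it restricts the policy to a peer that presents D.example.com as its ID, and the key is still looked up under the ID the peer actually sends. Reword along the lines of "dstid restricts the policy to a peer presenting D.example.com as its ID, which is also the name under which its public key is looked up". Two smaller points on the same lines: that line ends in trailing whitespace and runs past the column width (the word "even" is already spilling over), so break it at the sentence boundary as mdoc style expects; and `.Ar transport` / `.Ar dstid` mark up keywords of the iked.conf grammar, not user-supplied arguments, so use the keyword macro the rest of the page uses (`.Ic`) for consistency.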