On 2020/07/15 10:02, Theo de Raadt wrote:
> It is extremely unwise to use DNS names at this level (or things which
> look like DNS names). The same problems that pf has with DNS, are
> present here. You really don't want people to get into this habit.
Same in gre(4) config which needs addresses too. I agree. > > +.Pp > > +This example encrypts a > > +.Xr gre 4 > > +tunnel from local machine A to peer D using FQDN-based public key > > +authentication. > > +.Ar transport > > +mode is used to avoid duplicate encapsulation of GRE; The inside encapsulation of IPsec tunnel mode is gif not gre, so it isn't duplicate gre encap. "transport mode is used to avoid double encapsulation" would do? > > +.Ar dstid > > +is set explicitly to the peer's FQDN such that its public key is looked up > > even > > +if the peer does not send its FQDN as peer ID: > > +.Bd -literal -offset indent > > +ikev2 transport \e > > + proto gre \e > > + from A.example.com to D.example.com \e > > + peer D.example.com \e > > + dstid D.example.com > > +.Ed > > .Sh SEE ALSO > > .Xr enc 4 , > > .Xr ipsec 4 , > > >
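Review bot: the added example still puts DNS names in the flow and peer specification ("from A.example.com to D.example.com", "peer D.example.com"), which is exactly the habit the thread warns against; only dstid needs the name, because that is where it selects a key, so keep "dstid D.example.com" and use addresses for from/to/peer. Two smaller points in the same hunk: the prose explains why dstid is set but says nothing about the local side, and for D to find A's key A must present its FQDN, so either add "srcid A.example.com" to the example or say that srcid defaults to the local hostname; and the sentence about the public key being "looked up" would be more useful if it said where, i.e. the peer's key is expected under /etc/iked/pubkeys/fqdn/ with the FQDN as the file name.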
