On Thu, Jul 16, 2020 at 10:23:20AM +0100, Stuart Henderson wrote:
> On 2020/07/15 10:02, Theo de Raadt wrote:
> > It is extremely unwise to use DNS names at this level (or things which
> > look like DNS names).  The same problems that pf has with DNS, are
> > present here.  You really don't want people to get into this habit.
> 
> Same in gre(4) config which needs addresses too. I agree.
Alright, using literal IPs.

> > > +.Pp
> > > +This example encrypts a
> > > +.Xr gre 4
> > > +tunnel from local machine A to peer D using FQDN-based public key
> > > +authentication.
> > > +.Ar transport
> > > +mode is used to avoid duplicate encapsulation of GRE;
> 
> The inside encapsulation of IPsec tunnel mode is gif not gre, so it
> isn't duplicate gre encap. "transport mode is used to avoid double
> encapsulation" would do?
Right, I didn't mean "twice GRE" but rather "twice encap": your wording
is clearer, thanks.

dstid omitted as requested by tobhe.

OK?

Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.71
diff -u -p -r1.71 iked.conf.5
--- iked.conf.5 10 Jul 2020 21:23:47 -0000      1.71
+++ iked.conf.5 16 Jul 2020 12:59:13 -0000
@@ -1014,6 +1014,19 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
 .Ed
+.Pp
+This example encrypts a
+.Xr gre 4
+tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based 
on
+FQDN-based public key authentication;
+.Ar transport
+mode is used to avoid double encapsulation:
+.Bd -literal -offset indent
+ikev2 transport \e
+       proto gre \e
+       from 2001:db8::aa:1 to 2001:db8::dd:4 \e
+       peer D.example.com
+.Ed
 .Sh SEE ALSO
 .Xr enc 4 ,
 .Xr ipsec 4 ,
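Review bot: `peer D.example.com` in the new example is still a DNS name, which is exactly what the thread opened by ruling out at this level; the `from`/`to` addresses were switched to literals but the peer was not, and the neighbouring examples in this section use a literal peer (`peer 192.168.1.2`), so `peer 2001:db8::dd:4` would be consistent while the prose still conveys the FQDN-based authentication. Two smaller points in the same hunk: "based on FQDN-based public key authentication" doubles up "based", and the earlier draft's "using FQDN-based public key authentication" reads better; and the added line ending in "... (2001:db8::dd:4) based " has been wrapped by the mailer onto a following "on" line with no leading "+", so this copy of the diff will not apply as pasted. Also consider `.Ic transport` instead of `.Ar transport`: `transport` is a literal configuration keyword, as the example itself shows, not a placeholder argument.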

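As an added example that is not part of the posted diff or of the iked project's own documentation, here is what both endpoints of the setup discussed in this thread look like once every address, the peer included, is a literal. The outer addresses are the ones used above (A = 2001:db8::aa:1, D = 2001:db8::dd:4); the rule names, the active/passive split and the inner point-to-point addresses are assumptions made for the example.

```conf
# Added example (not from the patch or the iked man page): both sides of
# the gre(4)-over-IPsec setup with literal addresses only.  Public key
# authentication is the default; no IDs are set, as in the posted example.

# ---- host A (2001:db8::aa:1): /etc/iked.conf ----
# Transport mode: ESP protects the GRE packet directly, so no second IP
# header is wrapped around the GRE one.  "active" is an assumption: A
# initiates.
ikev2 "gre-to-D" active transport \
        proto gre \
        from 2001:db8::aa:1 to 2001:db8::dd:4 \
        peer 2001:db8::dd:4

# ---- host D (2001:db8::dd:4): /etc/iked.conf ----
# Mirror image of A's flow; "passive" (assumption) makes D wait for A.
ikev2 "gre-from-A" passive transport \
        proto gre \
        from 2001:db8::dd:4 to 2001:db8::aa:1 \
        peer 2001:db8::aa:1
```

The gre(4) interface on each host is then configured with the same outer addresses as the flow (on A: `ifconfig gre0 tunnel 2001:db8::aa:1 2001:db8::dd:4`, and the reverse on D), plus a pair of inner point-to-point addresses of your choosing; because the flow selector is `proto gre` between exactly those two outer addresses, every GRE packet the interface emits is matched and encrypted, and nothing else is.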