
documentation/2893: ipsecadm flow description is wrong in faq13

From: <sturm(at)sec.informatik.tu-darmstadt.de>
Date: Tue Aug 20 2002 - 05:38:29 EDT


>Number: 2893
>Category: documentation
>Synopsis: in faq13 flowbuilding with ipsecadm is wrong
>Confidential: no
>Submitter-Id:	net
>Environment:
        

	System      : OpenBSD 3.1
	Architecture: OpenBSD.i386
	Machine     : i386

>Description:

The description of setting up the flows with ipsecadm in 13.6 is wrong, as the syntax of ipsecadm seems to have changed. The option -spi xxx is not in the manpage for ipsecadm flow and does not work either.

>How-To-Repeat:
        

>Fix:

For the example host-host setup the following diff should fix the doc. The fix for the subnet example should be equivalent, but as I am not sure whether I understand that example, I won't include a diff. If anyone is interested in verifying one, send me a mail, and I will change that section, too.

  • faq13.html.orig Tue Aug 20 11:03:07 2002 +++ faq13.html Tue Aug 20 11:18:44 2002 @@ -434,6 +434,15 @@ Now that you have your Security Associations in place, set up your flows. <P> +<ul> +<tt> +# <b>ipsecadm flow -proto esp -dst PEER_EXTERNAL_IP -addr MY_EXTERNAL_IP +MY_EXTERNAL_NETMASK PEER_EXTERNAL_IP PEER_EXTERNAL_NETMASK -out -require</b><br> +# <b>ipsecadm flow -proto esp -dst MY_EXTERNAL_IP -addr MY_EXTERNAL_IP +MY_EXTERNAL_NETMASK PEER_EXTERNAL_IP PEER_EXTERNAL_NETMASK -in -require</b> +</tt> +</ul> +<P> On 192.168.5.1:<P> So, right here, <b>two</b> flows will be created, one the local source address, which covers all packets originating from the local host @@ -441,14 +450,18 @@ host. <ul> <tt> -# <b>ipsecadm flow -proto esp -dst 192.168.25.9 -spi 1000 --addr 192.168.5.1 255.255.255.255 192.168.25.9 255.255.255.255</b> +# <b>ipsecadm flow -proto esp -dst 192.168.5.1 -addr 192.168.5.1/32 +192.168.25.9/32 -in -require</b><br> +# <b>ipsecadm flow -proto esp -dst 192.168.25.9 -addr 192.168.5.1/32 +192.168.25.9/32 -out -require</b> </tt></ul> On 192.168.25.9: <ul> <tt> -# <b>ipsecadm flow -proto esp -dst 192.168.5.1 -spi 1001 --addr 192.168.25.9 255.255.255.255 192.168.5.1 255.255.255.255</b> +# <b>ipsecadm flow -proto esp -dst 192.168.25.9 -addr 192.168.25.9/32 +192.168.5.1/32 -in -require</b><br> +# <b>ipsecadm flow -proto esp -dst 192.168.5.1 -addr 192.168.25.9/32 +192.168.5.1/32 -out -require</b> </tt></ul> <P> If you want less overhead on your Host-to-Host VPNs, creating the SPI
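Review bot: the placeholder template inserted after "set up your flows." (MY_EXTERNAL_IP MY_EXTERNAL_NETMASK PEER_EXTERNAL_IP PEER_EXTERNAL_NETMASK) is never defined in the hunk, and it uses the "addr mask" form while the concrete commands in the second hunk use the /32 CIDR form; either define the placeholders next to the template or drop the template and rely on the concrete commands below, and use one address syntax throughout. The trailing context "So, right here, two flows will be created, one the local source address, ..." was written for the old single-command form and now follows a template with an explicit -out and an explicit -in command; reword it to say that each host gets one egress (-out -require) and one ingress (-in -require) flow, and that -spi is no longer given on the flow.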
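Review bot: in the second hunk the -in flows keep the same -addr order as the -out flows, so on 192.168.5.1 the ingress flow reads "-addr 192.168.5.1/32 192.168.25.9/32 -in -require" with the local host listed first; confirm against ipsecadm(8) on 3.1 whether an ingress flow expects the addresses in packet order (remote source first, local destination second) and, if it does, swap the two -addr arguments in both -in lines (on 192.168.25.9 the same applies to "-addr 192.168.25.9/32 192.168.5.1/32 -in -require"). The -dst of each -in line naming the local host and each -out line naming the peer is consistent with the SAs created earlier in the section. Since both hunks drop -spi from the flow commands, check that the unchanged text that follows ("If you want less overhead on your Host-to-Host VPNs, creating the SPI ...") and the subnet example later in 13.6 do not still describe flows as being bound to an SA by -spi.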

>Release-Note:
<synopsis of the problem (one line)>

Received on Thu Nov 7 16:21:15 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:37 EDT
