Re: PATCH: clarifying iked.conf man

2015-05-15 Thread Jason McIntyre
On Mon, Apr 20, 2015 at 07:35:58PM +0059, Jason McIntyre wrote:
 On Wed, Apr 15, 2015 at 05:13:13PM +0200, Vincent Gross wrote:
  Hello,
  
  iked.conf's man page is a bit fuzzy on how local and peer ip defaults
  are set. This patch below attempts to fix that.
  
  Also, can you take a look at my previous nat-on-ipsec-on-iked patchset?
  
  see http://marc.info/?l=openbsd-tech&m=142662971007779&w=2
  
  Cheers,
  
  
  Index: iked.conf.5
  ===
  RCS file: /cvs/src/sbin/iked/iked.conf.5,v
  retrieving revision 1.38
  diff -u -p -r1.38 iked.conf.5
  --- iked.conf.5 28 Feb 2015 21:51:57 -  1.38
  +++ iked.conf.5 15 Apr 2015 15:02:21 -
  @@ -334,23 +334,21 @@ see the file
   .It Ic local Ar localip Ic peer Ar remote
   The
   .Ic local
  -parameter specifies the address or FQDN of the local endpoint.
  -Unless the gateway is multi-homed or uses address aliases,
  -this option is generally not needed.
  -.Pp
  -The
  +and
   .Ic peer
  -parameter specifies the address or FQDN of the remote endpoint.
  -For host-to-host connections where
  +parameters specify the address or FQDN of the local and remote
  +endpoints respectively.
  +If neither are specified, their default values are equal to
  +.Ar src
  +and
   .Ar dst
  -is identical to
  -.Ar remote ,
  -this option is generally not needed as it will be set to
  -.Ar dst
  -automatically.
  -If it is not specified or if the keyword
  -.Ar any
  -is given, the default peer is used.
  +for
  +.Ar localip
  +and
  +.Ar remote
  +respectively. When only one is specified, the other
  +defaults to
  +.Ar any .
   .It Xo
   .Ic ikesa
   .Ic auth Ar algorithm
  
 
 if you can specify one and have the other default to any, i agree we'd
 want to document it.
 
 for the rest, the diff essentially removes the information about when
 these options might be useful and needed. i'm less sure about that.
 
 i'd appreciate some feedback from a developer that the content is
 correct.
 
 i'm less inclined to rearrange the page this way without good reason.
 
 also note for future man diffs to start new sentences on new lines.
 
 jmc

sorry, but i cannot get any feedback on this. i'm dropping it.
jmc



Re: PATCH: clarifying iked.conf man

2015-05-01 Thread Vincent Gross
On Mon, Apr 20, 2015 at 07:35:58PM +0059, Jason McIntyre wrote:
 On Wed, Apr 15, 2015 at 05:13:13PM +0200, Vincent Gross wrote:
  Hello,
  
  iked.conf's man page is a bit fuzzy on how local and peer ip defaults
  are set. This patch below attempts to fix that.
  
 
 if you can specify one and have the other default to any, i agree we'd
 want to document it.
 
 for the rest, the diff essentially removes the information about when
 these options might be useful and needed. i'm less sure about that.
 
 i'd appreciate some feedback from a developer that the content is
 correct.
 
 i'm less inclined to rearrange the page this way without good reason.
 
 also note for future man diffs to start new sentences on new lines.
 

I took a second look at parse.y, and found it would choke on configs
like this one:

ikev2 active esp \
from 10.0.1.0/24 to 172.16.0.1 local 10.0.1.1 \
srcid 'client.lan' dstid 'gateway.lan'

To get this config to work you would need to add peer 172.16.0.1.

It would be more logical to default local to src and peer to dst when
having only one traffic selector, and both to any otherwise.

The diff below changes how defaults are set for peer and local, and
reflects the change in iked.conf(5).

Comments? Suggestions?

--- parse.y.origFri May  1 15:10:51 2015
+++ parse.y Fri May  1 17:08:51 2015
@@ -2482,25 +2482,21 @@
if (peers) {
if (peers-src)
ipa = peers-src;
+   else if (hosts-src  hosts-src-next == NULL)
+   ipa = hosts-src;
if (peers-dst)
ipb = peers-dst;
-   if (ipa == NULL  ipb == NULL) {
-   if (hosts-src  hosts-src-next == NULL)
-   ipa = hosts-src;
-   if (hosts-dst  hosts-dst-next == NULL)
-   ipb = hosts-dst;
-   }
+   else if (hosts-dst  hosts-dst-next == NULL)
+   ipb = hosts-dst;
}
if (ipa == NULL  ipb == NULL) {
yyerror(could not get local/peer specification);
return (-1);
}
-   if (pol.pol_flags  IKED_POLICY_ACTIVE) {
-   if (ipb == NULL || ipb-netaddress ||
-   (ipa != NULL  ipa-netaddress)) {
-   yyerror(active mode requires local/peer address);
+   if ((pol.pol_flags  IKED_POLICY_ACTIVE) 
+   (ipb == NULL || ipb-netaddress)) {
+   yyerror(active mode requires peer host address);
return (-1);
-   }
}
if (ipa) {
memcpy(pol.pol_local.addr, ipa-address,
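Review bot: the rewritten active-mode check in the second half of the hunk drops the old condition that rejected a local which is a netaddress (the removed `(ipa != NULL  ipa-netaddress)` clause), so an active policy whose local is a network prefix, whether given explicitly or now defaulted from a single `from` prefix, is no longer refused at parse time; if that is intended, say so in the man page, otherwise keep that clause. Also note that the unchanged `if (ipa == NULL  ipb == NULL)` check still yyerrors "could not get local/peer specification", so a policy with several traffic selectors and neither keyword given fails to parse rather than defaulting both sides to any, which does not match the "Otherwise they both default to .Ar any" wording in the accompanying iked.conf.5 diff.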

--- iked.conf.5 28 Feb 2015 21:51:57 -  1.38
+++ iked.conf.5 1 May 2015 15:12:44 -
@@ -341,16 +341,24 @@ this option is generally not needed.
 The
 .Ic peer
 parameter specifies the address or FQDN of the remote endpoint.
-For host-to-host connections where
+For single-traffic-selector host-to-host connections where
 .Ar dst
 is identical to
 .Ar remote ,
 this option is generally not needed as it will be set to
 .Ar dst
 automatically.
-If it is not specified or if the keyword
-.Ar any
-is given, the default peer is used.
+.Pp
+When the policy contains only one traffic selector,
+.Ic local
+and
+.Ic peer
+default values are
+.Ar src
+and
+.Ar dst
+respectively. Otherwise they both default to
+.Ar any .
 .It Xo
 .Ic ikesa
 .Ic auth Ar algorithm
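Review bot: in the added paragraph, "respectively. Otherwise they both default to" starts a new sentence mid-line; per the earlier request for man diffs, break the line so "Otherwise" begins its own line. "default values are" also reads awkwardly after the two .Ic macros; "the default values of local and peer are src and dst respectively" would be clearer. The first hunk's change to "single-traffic-selector host-to-host connections" now states the same single-selector rule as the new paragraph, so one of the two could go.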

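The defaulting rule described in this message, next to the old rule it replaces, as an added model in C (this is not iked's parse.y; the struct and field names are simplified stand-ins). It shows the quoted policy being rejected under the old rule and accepted under the proposed one.

```c
#include <stddef.h>
#include <string.h>
/* Simplified stand-ins for iked's address and policy structures. */
struct addr {
    const char *address;
    int netaddress;      /* 1 for a prefix such as 10.0.1.0/24 */
    struct addr *next;   /* next selector in a multi-entry from/to list */
};
struct spec {
    const struct addr *local, *peer;  /* explicit keywords, NULL if absent */
    const struct addr *src, *dst;     /* from/to traffic selectors */
    int active;                       /* policy is "ikev2 active" */
};
/* 0 where parse.y would accept, -1 where it would yyerror(); *lp/*pp get the resolved local/peer (NULL = any). */
static int resolve_endpoints(const struct spec *s, int new_rules,
    const struct addr **lp, const struct addr **pp)
{
    const struct addr *ipa = s->local, *ipb = s->peer;
    int one_src = s->src != NULL && s->src->next == NULL;
    int one_dst = s->dst != NULL && s->dst->next == NULL;
    if (new_rules) {                /* proposed: fill each side on its own */
        if (ipa == NULL && one_src) ipa = s->src;
        if (ipb == NULL && one_dst) ipb = s->dst;
    } else if (ipa == NULL && ipb == NULL) {  /* old: only if both absent */
        if (one_src) ipa = s->src;
        if (one_dst) ipb = s->dst;
    }
    if (ipa == NULL && ipb == NULL)
        return -1;                  /* "could not get local/peer specification" */
    if (s->active) {
        if (ipb == NULL || ipb->netaddress)
            return -1;              /* active mode needs a peer host address */
        if (!new_rules && ipa != NULL && ipa->netaddress)
            return -1;              /* the old check also rejected a local prefix */
    }
    *lp = ipa, *pp = ipb;
    return 0;
}
/* The policy quoted in the message (one selector, local given, peer omitted): 1 if it parses and peer resolves to the "to" address. */
static int example_policy_ok(int new_rules)
{
    const struct addr from = { "10.0.1.0/24", 1, NULL };
    const struct addr to = { "172.16.0.1", 0, NULL };
    const struct addr local = { "10.0.1.1", 0, NULL };
    const struct spec s = { &local, NULL, &from, &to, 1 };
    const struct addr *l = NULL, *p = NULL;
    return resolve_endpoints(&s, new_rules, &l, &p) == 0 &&
        strcmp(p->address, "172.16.0.1") == 0;
}
```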


Re: PATCH: clarifying iked.conf man

2015-04-20 Thread Jason McIntyre
On Wed, Apr 15, 2015 at 05:13:13PM +0200, Vincent Gross wrote:
 Hello,
 
 iked.conf's man page is a bit fuzzy on how local and peer ip defaults
 are set. This patch below attempts to fix that.
 
 Also, can you take a look at my previous nat-on-ipsec-on-iked patchset?
 
 see http://marc.info/?l=openbsd-tech&m=142662971007779&w=2
 
 Cheers,
 
 
 Index: iked.conf.5
 ===
 RCS file: /cvs/src/sbin/iked/iked.conf.5,v
 retrieving revision 1.38
 diff -u -p -r1.38 iked.conf.5
 --- iked.conf.5   28 Feb 2015 21:51:57 -  1.38
 +++ iked.conf.5   15 Apr 2015 15:02:21 -
 @@ -334,23 +334,21 @@ see the file
  .It Ic local Ar localip Ic peer Ar remote
  The
  .Ic local
 -parameter specifies the address or FQDN of the local endpoint.
 -Unless the gateway is multi-homed or uses address aliases,
 -this option is generally not needed.
 -.Pp
 -The
 +and
  .Ic peer
 -parameter specifies the address or FQDN of the remote endpoint.
 -For host-to-host connections where
 +parameters specify the address or FQDN of the local and remote
 +endpoints respectively.
 +If neither are specified, their default values are equal to
 +.Ar src
 +and
  .Ar dst
 -is identical to
 -.Ar remote ,
 -this option is generally not needed as it will be set to
 -.Ar dst
 -automatically.
 -If it is not specified or if the keyword
 -.Ar any
 -is given, the default peer is used.
 +for
 +.Ar localip
 +and
 +.Ar remote
 +respectively. When only one is specified, the other
 +defaults to
 +.Ar any .
  .It Xo
  .Ic ikesa
  .Ic auth Ar algorithm
 

if you can specify one and have the other default to any, i agree we'd
want to document it.

for the rest, the diff essentially removes the information about when
these options might be useful and needed. i'm less sure about that.

i'd appreciate some feedback from a developer that the content is
correct.

i'm less inclined to rearrange the page this way without good reason.

also note for future man diffs to start new sentences on new lines.

jmc



PATCH: clarifying iked.conf man

2015-04-15 Thread Vincent Gross
Hello,

iked.conf's man page is a bit fuzzy on how local and peer ip defaults
are set. This patch below attempts to fix that.

Also, can you take a look at my previous nat-on-ipsec-on-iked patchset?

see http://marc.info/?l=openbsd-tech&m=142662971007779&w=2

Cheers,


Index: iked.conf.5
===
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.38
diff -u -p -r1.38 iked.conf.5
--- iked.conf.5 28 Feb 2015 21:51:57 -  1.38
+++ iked.conf.5 15 Apr 2015 15:02:21 -
@@ -334,23 +334,21 @@ see the file
 .It Ic local Ar localip Ic peer Ar remote
 The
 .Ic local
-parameter specifies the address or FQDN of the local endpoint.
-Unless the gateway is multi-homed or uses address aliases,
-this option is generally not needed.
-.Pp
-The
+and
 .Ic peer
-parameter specifies the address or FQDN of the remote endpoint.
-For host-to-host connections where
+parameters specify the address or FQDN of the local and remote
+endpoints respectively.
+If neither are specified, their default values are equal to
+.Ar src
+and
 .Ar dst
-is identical to
-.Ar remote ,
-this option is generally not needed as it will be set to
-.Ar dst
-automatically.
-If it is not specified or if the keyword
-.Ar any
-is given, the default peer is used.
+for
+.Ar localip
+and
+.Ar remote
+respectively. When only one is specified, the other
+defaults to
+.Ar any .
 .It Xo
 .Ic ikesa
 .Ic auth Ar algorithm
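Review bot: "If neither are specified" should read "If neither is specified". The sentence "When only one is specified, the other defaults to .Ar any ." begins mid-line after "respectively."; start it on its own line as mdoc style expects. The removed text "Unless the gateway is multi-homed or uses address aliases, this option is generally not needed" was the only place that told the reader when local is worth setting at all; keep it alongside the new defaults paragraph rather than deleting it, and confirm against parse.y that a single specified keyword really leaves the other at any rather than producing a parse error.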