History log of /openbsd/sbin/isakmpd/isakmpd.conf.5 (Results 1 – 25 of 139)
Revision Date Author Comments
# ce531476 08-Aug-2023 dlg <dlg@openbsd.org>

have a go at documenting the Interface config statement.

I'm not really happy with this, but it's a start.


# 41ce3b17 31-Mar-2022 naddy <naddy@openbsd.org>

man pages: add missing commas between subordinate and main clauses

jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.

ok jmc@


# a4e61cf2 06-Feb-2022 jsg <jsg@openbsd.org>

remove please from manual pages
ok jmc@ sthen@ millert@


# 54f4b78a 03-Nov-2021 yasuoka <yasuoka@openbsd.org>

Clarify that ANY can be used for several parameters of IPsec transform.

ok jmc sthen


# 89adc933 17-Apr-2018 stsp <stsp@openbsd.org>

Document how to avoid isakmpd(8) source IP address pitfalls by using
the Listen-on directive in isakmpd.conf(5). This directive can be necessary
in multi-homed situations, and if isakmpd(8) is used with carp(4).
ok sthen@ mpi@


# 26c588cc 27-Oct-2017 mpi <mpi@openbsd.org>

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@


# dfb201a9 01-Jan-2017 tb <tb@openbsd.org>

Hyphenate compound adjectives 'up-to-date', 'out-of-date' and 'well-known'
if they precede the noun and omit hyphens otherwise.

ok tj


# 0e800071 09-Dec-2015 naddy <naddy@openbsd.org>

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 3d96a9c1 16-Jan-2015 schwarze <schwarze@openbsd.org>

Arguments are just ".Ar", not ".Brq Ar" or even ".Ns { Ns Ar ... Ns }".
The .Ar macro already causes distinctive formatting in a standard way,
so there is no need for additional braces.
This also fixes the only mandoc warning in src/sbin.


# 305b6e39 12-Aug-2012 schwarze <schwarze@openbsd.org>

Use .Lk for HTTP hyperlinks, not .Pa.
Most of the patch from Arto Jonsson <ajonsson at kapsi dot fi>.
jmc@ agrees in principle that .Lk is the right macro to use.

While here, update a few broken links,
and add missing markup at a few places.


# 5f649d51 30-Jun-2012 naddy <naddy@openbsd.org>

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


# 1916bc22 23-Jun-2011 sthen <sthen@openbsd.org>

Use a common text explaining how the various configuration parsers using
the standard OpenBSD-style parse.y handle continuing lines with backslashes,
paying particular attention to how comments are handled (which can cause
nasty side-effects if you're not expecting it).

Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey,
patrick keshishian and Florian Obser, ok jmc@.


# 7ebc7616 22-Sep-2010 mikeb <mikeb@openbsd.org>

Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).

Thoroughly tested by me and naddy. Works fine with Linux.

Requires updated pfkeyv2.h include file.

ok naddy


# fceee491 07-Jun-2010 jmc <jmc@openbsd.org>

make clearer the relationship between isakmpd and ikev1; and iked and ikev2;
ok reyk


# 601f7947 17-Feb-2008 hshoexer <hshoexer@openbsd.org>

Define default configurations for AES-192 and AES-256. From Mitja Muzenic
<mitja at muzenic dot net>, diff provided already quite some time ago,
many many thanks. This should have gone in months ago but I was slacking,
sorry for that.


# 9490d37c 31-May-2007 jmc <jmc@openbsd.org>

convert to new .Dd format;


# cf0422d2 23-May-2007 hshoexer <hshoexer@openbsd.org>

Get rid of some obsolete examples.

ok and prodding @jmc


# 24fbfe96 18-Mar-2007 hshoexer <hshoexer@openbsd.org>

Fix usage of predefined lifetimes. "Default-phase-[12]-lifetime"
just specifies the values to be used. However, the specifications
are called "LIFE_MAIN_MODE" and "LIFE_QUICK_MODE".

ok ho@ jmc@


# 258f075b 19-Feb-2007 jmc <jmc@openbsd.org>

tweak;


# 2681cd80 19-Feb-2007 hshoexer <hshoexer@openbsd.org>

Document NULL encryption.


# aa920ac7 24-Nov-2006 reyk <reyk@openbsd.org>

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 372d8047 15-Sep-2006 hshoexer <hshoexer@openbsd.org>

Remove "Delete-SAs" config option. This was needed for interaction
with sasyncd(8). Now sasyncd(8) controls isakmpd(8) regarding SA
deletion so this option is obsolete.

ok mpf jmc


# 85ead044 30-Aug-2006 hshoexer <hshoexer@openbsd.org>

Make SA deletion on shutdown the default again. Use -S for failover
situations where you do not want this.

Discussed and agreed on with ho, mcbride, markus, cloder,... We
will have to teach sasyncd to deal with this.

Testing by msf and hshoexer with help from mtu

ok markus cloder


# d9bb20e6 11-Jun-2006 hshoexer <hshoexer@openbsd.org>

Document AESCTR for quick mode and SHA2-* for main mode. Help by jmc.

ok jmc@


# 95f3b939 11-Jun-2006 jmc <jmc@openbsd.org>

tweaks;

