Bugs in IPSEC Section of Handbook

Loren M. Lang lorenl at alzatex.com
Sun Nov 14 09:53:35 GMT 2004


I recently was reading the handbook on setting up a VPN using IPSec and
I believe I've found a couple of bugs in the handbook.  The following
line is used to enable IPSec over the IP in IP tunnel:

spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \
esp/tunnel/A.B.C.D-W.X.Y.Z/require;

When I changed esp to ah, I was able to monitor the actual communication
and I noticed that this caused an IP in IP in AH in IP tunnel instead of
just IP in AH in IP.  I think the line should read:

spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \
esp/transport//require;

This seemed to generate the correct result when I was sniffing it with
the AH protocol, so I'm assuming it's the same situation with ESP.  I
think using the tunnel keyword is a shortcut for setting up a gif
tunnel, which was already done, and the IP addresses inside // should be
the outer addresses, while the first set of IP addresses is what is
getting tunneled.

Also, I needed to add the line gif_interfaces="gif0" to rc.conf, but
this seems to be omitted from the manual.  The last problem was with the
line for the vpn static route:

route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"

The netmask keyword should not be there so the line reads:

route_vpn="192.168.2.0 192.168.2.1 0xffffff00"

The handbook mentions AH, which could be used with ESP, but does not say
how.  I think it would be convenient for a quick example to be added like
the following:

spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec \
esp/transport//require ah/transport//require;

I had to do a little research to figure out how to wrap them
appropriately.
-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C
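The following is an added example, not code from the post or from the FreeBSD handbook: a small linter that parses setkey(8) spdadd statements and the rc.conf lines of a gif-plus-IPsec setup and flags the three problems the message reports (tunnel-mode policies applied to ipencap traffic, the stray netmask keyword in route_vpn, and a missing gif_interfaces). The double-encapsulation check encodes the poster's observation from sniffing AH and, as the poster assumes, applies it to ESP as well; it also flags a statement missing its terminating semicolon, which setkey rejects. The addresses are RFC 5737 documentation addresses and the sample files are constructed; the rc.conf variable names gifconfig_gif0, ifconfig_gif0 and static_routes are assumed to be the ones in use alongside gif_interfaces.

```python
"""Lint setkey(8) SPD policies and rc.conf VPN lines for the pitfalls described in the post."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class PolicyRule:
    protocol: str   # "esp" or "ah"
    mode: str       # "tunnel" or "transport"
    endpoints: str  # "A.B.C.D-W.X.Y.Z" in tunnel mode, "" in transport mode
    level: str      # "require", "use", "default" or "unique"


@dataclass
class SpdEntry:
    src: str
    dst: str
    upperspec: str      # upper-layer selector, e.g. "ipencap" for the gif (IP-in-IP) traffic
    direction: str      # "in", "out" or "fwd"
    rules: List[PolicyRule]
    terminated: bool    # setkey requires every statement to end in ';'


SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+(.*?)\s*(;?)$"
)


def join_continuations(text: str) -> List[str]:
    """Rejoin backslash-continued lines into single statements; skip blanks and comments."""
    statements, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        statements.append((pending + line).strip())
        pending = ""
    if pending:
        statements.append(pending.strip())
    return statements


def parse_spdadd(statement: str) -> SpdEntry:
    m = SPDADD_RE.match(statement)
    if not m:
        raise ValueError(f"not an spdadd statement: {statement!r}")
    src, dst, upper, direction, rules_text, semi = m.groups()
    rules = []
    for token in rules_text.split():
        parts = token.split("/")          # protocol/mode/[src-dst]/level
        if len(parts) != 4:
            raise ValueError(f"malformed policy element: {token!r}")
        rules.append(PolicyRule(*parts))
    return SpdEntry(src, dst, upper, direction, rules, semi == ";")


def lint_spd(entry: SpdEntry) -> List[str]:
    findings = []
    if not entry.terminated:
        findings.append("missing terminating ';'")
    for r in entry.rules:
        if r.mode == "tunnel" and not r.endpoints:
            findings.append(f"{r.protocol}: tunnel mode needs outer src-dst endpoints")
        if r.mode == "transport" and r.endpoints:
            findings.append(f"{r.protocol}: transport mode takes no endpoints (write '//')")
        if entry.upperspec == "ipencap" and r.mode == "tunnel":
            # The post's point: gif already does IP-in-IP, so tunnel-mode IPsec on that
            # traffic wraps it a second time (IP in IP in ESP/AH in IP).
            findings.append(f"{r.protocol}: tunnel mode on ipencap traffic double-encapsulates; "
                            f"use {r.protocol}/transport//{r.level}")
    return findings


def lint_policy_file(text: str) -> List[str]:
    findings = []
    for n, stmt in enumerate(join_continuations(text), 1):
        if stmt.startswith("spdadd"):
            findings += [f"policy {n}: {f}" for f in lint_spd(parse_spdadd(stmt))]
    return findings


def lint_rc_conf(text: str) -> List[str]:
    """Check the rc.conf side: route_* syntax, static_routes membership and gif_interfaces."""
    vars_ = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            vars_[key.strip()] = value.strip().strip('"')
    findings = []
    static = vars_.get("static_routes", "").split()
    for key, value in vars_.items():
        if key.startswith("route_"):
            tokens = value.split()
            if "netmask" in tokens:      # per the post: the mask is given positionally
                fixed = " ".join(t for t in tokens if t != "netmask")
                findings.append(f'{key}: drop the netmask keyword: {key}="{fixed}"')
            if key[len("route_"):] not in static:
                findings.append(f"{key}: not listed in static_routes, so it is never added")
    uses_gif = any(k.startswith(("gifconfig_gif", "ifconfig_gif")) for k in vars_)
    if uses_gif and "gif_interfaces" not in vars_:
        findings.append('gif tunnel configured but gif_interfaces is unset (e.g. gif_interfaces="gif0")')
    return findings


# Constructed sample configurations (RFC 5737 documentation addresses, not a real site).
POLICY_AS_REPORTED = """\
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec \\
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in ipsec \\
    esp/tunnel/198.51.100.1-192.0.2.1/require
"""
POLICY_CORRECTED = """\
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec \\
    esp/transport//require ah/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in ipsec \\
    esp/transport//require ah/transport//require;
"""
RC_CONF_AS_REPORTED = """\
gifconfig_gif0="192.0.2.1 198.51.100.1"
ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
"""
RC_CONF_CORRECTED = 'gif_interfaces="gif0"\n' + RC_CONF_AS_REPORTED.replace(
    "192.168.2.1 netmask 0xffffff00", "192.168.2.1 0xffffff00")

if __name__ == "__main__":
    for name, text, check in [("policy", POLICY_AS_REPORTED, lint_policy_file),
                              ("rc.conf", RC_CONF_AS_REPORTED, lint_rc_conf)]:
        for finding in check(text):
            print(f"{name}: {finding}")
```

Run against the reported configuration it prints three policy findings and two rc.conf findings; the corrected files produce none. The ifconfig_gif0 line keeps its netmask keyword on purpose: that is ifconfig syntax, and only the route_* lines are checked for it.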