From 195e5c3f3fd7421fbb0836ce200e37754c53bc04 Mon Sep 17 00:00:00 2001 From: dlg Date: Fri, 30 Aug 2024 09:39:07 +0000 Subject: [PATCH] tweak the example to use veb instead of bridge. --- share/man/man4/etherip.4 | 91 ++++++++++++++++++---------------------- 1 file changed, 41 insertions(+), 50 deletions(-) diff --git a/share/man/man4/etherip.4 b/share/man/man4/etherip.4 index 7b2824ce196..db603735420 100644 --- a/share/man/man4/etherip.4 +++ b/share/man/man4/etherip.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: etherip.4,v 1.8 2024/08/30 08:37:59 dlg Exp $ +.\" $OpenBSD: etherip.4,v 1.9 2024/08/30 09:39:07 dlg Exp $ .\" .\" Copyright (c) 2015 YASUOKA Masahiko .\" 
@@ -79,97 +79,88 @@ in or .Xr iked.conf 5 . .Sh EXAMPLES -Given two physically separate Ethernet networks, a bridge can -be used as follows to make them appear as the same local area network. -If bridge1 on network1 has the external IP address 1.2.3.4 on em0, -bridge2 on network2 has the external IP address 4.3.2.1 on em0, and -both bridges have em1 on their internal network (network1 and network2, -respectively), the following configuration can be used to bridge -network1 and network2. +Given two physically separate Ethernet networks, +.Nm +can be used as follows to make them appear as the same local area +network. +If host gw1 has the external IP address 192.0.2.10 and is connected +to network1 on em1, and host gw2 has the external IP address +198.51.100.14 and is connected to network2 on ix1, the following +configuration can be used to bridge network1 and network2. +.Pp +First create the a bridge using a +.Xr veb 4 +interface, +adding the +.Nm +interface and internal Ethernet interface to the bridge. 
.Pp -First create the bridge interface, -adding the encapsulation interface and internal Ethernet interface -to the bridge interface: +On gw1: .Bd -literal -offset indent -# ifconfig bridge0 add etherip0 add em1 +gw1# ifconfig etherip0 create tunnel 192.0.2.10 198.51.100.14 +gw1# ifconfig veb0 create add etherip0 add em1 .Ed .Pp -Create and configure the etherip0 interface: +On gw2: .Bd -literal -offset indent -(on bridge 1) # ifconfig etherip0 tunnel 1.2.3.4 4.3.2.1 -(on bridge 2) # ifconfig etherip0 tunnel 4.3.2.1 1.2.3.4 +gw2# ifconfig etherip0 create tunnel 198.51.100.14 192.0.2.10 +gw2# ifconfig veb0 create add etherip0 add ix1 .Ed .Pp Create Security Associations (SAs) between the external IP address of each bridge and matching ingress flows by using the following .Xr ipsec.conf 5 -file on bridge1: +file on gw1: .Bd -literal -offset indent -esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \e +esp from 198.51.100.14 to 192.0.2.10 spi 0x4242:0x4243 \e authkey file "auth1:auth2" enckey file "enc1:enc2" -flow esp proto etherip from 1.2.3.4 to 4.3.2.1 +flow esp proto etherip from 198.51.100.14 to 192.0.2.10 .Ed .Pp Now load these rules into the kernel by issuing the .Xr ipsecctl 8 command: .Bd -literal -offset indent -# ipsecctl -f ipsec.conf +gw1# ipsecctl -f ipsec.conf .Ed .Pp Appropriate .Xr ipsec.conf 5 -for bridge2: +for gw2: .Bd -literal -offset indent -esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \e +esp from 198.51.100.14 to 192.0.2.10 spi 0x4243:0x4242 \e authkey file "auth2:auth1" enckey file "enc2:enc1" -flow esp proto etherip from 4.3.2.1 to 1.2.3.4 +flow esp proto etherip from 198.51.100.14 to 192.0.2.10 .Ed .Pp And load them: .Bd -literal -offset indent -# ipsecctl -f ipsec.conf +gw2# ipsecctl -f ipsec.conf .Ed .Pp -To use dynamic (as opposed to static) keying, -use this -.Xr ipsec.conf 5 -on bridge1: -.Bd -literal -offset indent -ike esp proto etherip from 1.2.3.4 to 4.3.2.1 -.Ed +Finally, bring all the interfaces up (if not already up). 
.Pp -And on bridge2: +On gw1: .Bd -literal -offset indent -ike esp proto etherip from 4.3.2.1 to 1.2.3.4 +gw1# ifconfig em1 up +gw1# ifconfig etherip0 up +gw1# ifconfig veb0 up .Ed .Pp -Bring up the internal interface (if not already up) and encapsulation -interface: +On gw2: .Bd -literal -offset indent -# ifconfig em1 up -# ifconfig etherip0 up +gw1# ifconfig ix1 up +gw1# ifconfig etherip0 up +gw1# ifconfig veb0 up .Ed -.Pp -Finally, bring the bridge interface up and allow it to start processing -frames: -.Pp -.Dl # ifconfig bridge0 up -.Pp -The internal interface on each bridge need not have an IP -address: the bridge can function without it. -.Pp -Note: It is possible to put the above commands in the -.Xr hostname.if 5 -files, using the -.Sq !\& -operator. .Sh SEE ALSO .Xr sysctl 2 , .Xr bridge 4 , .Xr inet 4 , .Xr inet6 4 , .Xr ipsec 4 , +.Xr tpmr 4 , +.Xr veb 4 , .Xr hostname.if 5 , .Xr iked.conf 5 , .Xr ipsec.conf 5 , -- 2.20.1
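Review bot: the new ipsec.conf shown for gw1 no longer mirrors the one for gw2 and points the wrong way for its own host. gw1 owns 192.0.2.10, yet its rules read `esp from 198.51.100.14 to 192.0.2.10 spi 0x4242:0x4243` and `flow esp proto etherip from 198.51.100.14 to 192.0.2.10`, the same direction as the gw2 file, while the SPI pair and key order are still swapped between the two hosts (0x4242:0x4243 vs 0x4243:0x4242, auth1:auth2 vs auth2:auth1). With identical from/to on both sides the two files assign opposite SPIs to the same direction, so the SAs will not match; keep the original mirroring by making gw1's lines `esp from 192.0.2.10 to 198.51.100.14 spi 0x4242:0x4243` and the matching flow from 192.0.2.10 to 198.51.100.14. Smaller points in the same hunk: the final "On gw2:" block still uses the `gw1#` prompt for the ix1, etherip0 and veb0 up commands; "First create the a bridge using a" has a stray "the"; the unchanged line "between the external IP address of each bridge" should now refer to each gateway (gw1 and gw2) since the hosts were renamed; and dropping the dynamic-keying ike example, the hostname.if note and the remark that the internal interface needs no IP address goes beyond the "use veb instead of bridge" tweak named in the subject, so either keep them (the hostname.if note applies unchanged to veb) or mention the removal in the commit message.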