[Openswan Users] Question on the Docs

Nick Howitt n1ck.h0w1tt at gmail.com
Sat Oct 10 06:06:32 EDT 2009


I've tried a fresh install of 2.6.23 and in /usr/share/doc/openswan all 
I get is:

index.html
ipsec.8.html
ipsec_addconn.8.html
ipsec_addrbytesof.3.html
ipsec_addrbytesptr.3.html
ipsec_addrcmp.3.html
ipsec_addrinsubnet.3.html
ipsec_addrlenof.3.html
ipsec_addrtoa.3.html
ipsec_addrtosubnet.3.html
ipsec_addrtot.3.html
ipsec_addrtypeof.3.html
ipsec_anyaddr.3.html
ipsec_atoaddr.3.html
ipsec_atoasr.3.html
ipsec_atosubnet.3.html
ipsec_atoul.3.html
ipsec_auto.8.html
ipsec_barf.8.html
ipsec_bitstomask.3.html
ipsec_broadcastof.3.html
ipsec__confread.8.html
ipsec.conf-sample
ipsec__copyright.8.html
ipsec_copyright_notice.3.html
ipsec_eroute.5.html
ipsec_eroute.8.html
ipsec_goodmask.3.html
ipsec_hostof.3.html
ipsec_ikeping.8.html
ipsec__include.8.html
ipsec_initaddr.3.html
ipsec_initsaid.3.html
ipsec_initsubnet.3.html
ipsec_isanyaddr.3.html
ipsec_isloopbackaddr.3.html
ipsec_isunspecaddr.3.html
ipsec_keyblobtoid.3.html
ipsec__keycensor.8.html
ipsec_klipsdebug.5.html
ipsec_klipsdebug.8.html
ipsec_livetest.8.html
ipsec_look.8.html
ipsec_loopbackaddr.3.html
ipsec_lwdnsq.8.html
ipsec_mailkey.8.html
ipsec_manual.8.html
ipsec_maskof.3.html
ipsec_masktobits.3.html
ipsec_masktocount.3.html
ipsec_networkof.3.html
ipsec_newhostkey.8.html
ipsec_optionsfrom.3.html
ipsec_pf_key.5.html
ipsec_pf_key.8.html
ipsec_pluto.8.html
ipsec__plutoload.8.html
ipsec__plutorun.8.html
ipsec_portof.3.html
ipsec_prng.3.html
ipsec_prng_bytes.3.html
ipsec_prng_final.3.html
ipsec_prng_init.3.html
ipsec_ranbits.8.html
ipsec_rangetoa.3.html
ipsec_rangetosubnet.3.html
ipsec_readwriteconf.8.html
ipsec__realsetup.8.html
ipsec_rsasigkey.8.html
ipsec_sameaddr.3.html
ipsec_sameaddrtype.3.html
ipsec_samesaid.3.html
ipsec_samesubnet.3.html
ipsec_samesubnettype.3.html
ipsec_satot.3.html
ipsec__secretcensor.8.html
ipsec.secrets.5.html
ipsec_secrets.8.html
ipsec_set_policy.3.html
ipsec_setportof.3.html
ipsec_setup.8.html
ipsec_showdefaults.8.html
ipsec_showhostkey.8.html
ipsec_showpolicy.8.html
ipsec_sockaddrlenof.3.html
ipsec_sockaddrof.3.html
ipsec_spi.5.html
ipsec_spi.8.html
ipsec_spigrp.5.html
ipsec_spigrp.8.html
ipsec__startklips.8.html
ipsec__startnetkey.8.html
ipsec_strerror.3.html
ipsec_subnetinsubnet.3.html
ipsec_subnetishost.3.html
ipsec_subnetof.3.html
ipsec_subnettoa.3.html
ipsec_subnettot.3.html
ipsec_subnettypeof.3.html
ipsec_tnatoaddr.3.html
ipsec_tncfg.5.html
ipsec_tncfg.8.html
ipsec_trap_count.5.html
ipsec_trap_sendcount.5.html
ipsec_ttoaddr.3.html
ipsec_ttodata.3.html
ipsec_ttosa.3.html
ipsec_ttosubnet.3.html
ipsec_ttoul.3.html
ipsec_unspecaddr.3.html
ipsec__updown.8.html
ipsec__updown.klips.8.html
ipsec__updown.mast.8.html
ipsec__updown.netkey.8.html
ipsec_verify.8.html
ipsec_version.3.html
ipsec_version.5.html
ipsec_version_code.3.html
ipsec_version_string.3.html

If I download 2.6.26, un-tar it and make programs, in
openswan-2.6.23\OBJ.linux.i386\programs\_confread I can see
ipsec.conf.5. If I then make install, in
openswan-2.6.23\programs\_confread I can see ipsec.conf.5.xml but I
cannot find the files post-install.

If I do make install > /usr/src/makeinstalllog, I see three lines in
the console which, presumably, are errors:
Writing ipsec_pluto.8 for refentry(pluto8)
Writing ipsec.secrets.5 for refentry
Writing ipsec.conf.5 for refentry

Presumably the html man page I was looking at is from an older install.

If I type man ipsec.conf, all I get for dpdaction is:

        dpdaction
           When a DPD enabled peer is declared dead, what action should be
           taken.  hold (default) means the eroute will be put into %hold
           status, while clear means the eroute and SA with both be cleared.
           dpdaction=clear is really only usefull on the server of a Road
           Warrior config.

This is even older!

Regards,

Nick

On 09/10/2009 22:34, Paul Wouters wrote:
> On Fri, 9 Oct 2009, Nick Howitt wrote:
>
>>
>> I've seen a number of messages which refer to documentation such as a
>> recent one from Diego Rivera where he says " From the docs, it smells
>> like restart is a subset of restart_by_peer.......". My question is
>> "which docs"? I have looked through all the html docs in
>> /usr/share/doc/openswan/...... and the only mention of DPD is in
>> ipsec.conf(5) which does not mention the option restart_by_peer for
>> dpdaction, so there must be some other documentation somewhere, but where?
>
> It does in my copy of ipsec.conf(5)
>
>       dpdaction
>            When a DPD enabled peer is declared dead, what action should be
>            taken.  hold (default) means the eroute will be put into %hold
>            status, while clear means the eroute and SA with both be cleared.
>            restart means the the SA will immediately be renegotiated, and
>            restart_by_peer means that ALL SA´s to the dead peer will
>            renegotiated.
>
>
>> BTW, there is an error with the DPD documentation in ipsec.conf(5). If
>> you use dpddelay, dpdtimeout is now mandatory and vice-versa. The conn
>> will fail to load with an error message if only one of the options is
>> present.
>
> Thanks. I just fixed it in git, will be in the next release.
>
> Paul
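
A configuration check for the two points raised in this thread (dpddelay and dpdtimeout must appear together, and dpdaction takes hold, clear, restart or restart_by_peer), as an added example that is not part of the original messages or of Openswan. It assumes `conn %default` values are inherited by every conn and does not follow `also=` or `include`; the conn names in the sample are constructed.

```python
import re
VALID_DPDACTION = {"hold", "clear", "restart", "restart_by_peer"}  # values quoted in the thread

# Constructed sample ipsec.conf fragment (conn names are made up).
SAMPLE = """\
conn %default
    dpdaction=hold

conn roadwarrior
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn site-b
    dpddelay=30        # dpdtimeout missing

conn site-c
    dpdaction=restart-by-peer
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # simplification: '#' always starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():              # section header starts at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check_dpd(text):
    """Return [(conn, problem)] for unpaired DPD timers and unknown dpdaction values."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})       # assumption: inherited by every conn
    problems = []
    for name, opts in conns.items():
        eff = {**defaults, **opts}
        if ("dpddelay" in eff) != ("dpdtimeout" in eff):
            missing = "dpdtimeout" if "dpddelay" in eff else "dpddelay"
            problems.append((name, f"{missing} missing"))
        action = eff.get("dpdaction")
        if action is not None and action not in VALID_DPDACTION:
            problems.append((name, f"unknown dpdaction {action!r}"))
    return problems
```

Running `check_dpd` over a real ipsec.conf before `ipsec auto --add` shows which conns would be rejected for an unpaired DPD timer, and catches misspelled dpdaction values such as a hyphen in place of the underscore.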

