Source-Changes-HG archive


[src/trunk]: src/share/man/man4 correct description on ipsec AH twist.



details:   https://anonhg.NetBSD.org/src/rev/e2fc5c661ae9
branches:  trunk
changeset: 485150:e2fc5c661ae9
user:      itojun <itojun%NetBSD.org@localhost>
date:      Thu Apr 20 14:24:43 2000 +0000

description:
correct description on ipsec AH twist.

diffstat:

 share/man/man4/ipsec.4 |  12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diffs (26 lines):

diff -r 3c5da3853d96 -r e2fc5c661ae9 share/man/man4/ipsec.4
--- a/share/man/man4/ipsec.4    Thu Apr 20 14:04:04 2000 +0000
+++ b/share/man/man4/ipsec.4    Thu Apr 20 14:24:43 2000 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: ipsec.4,v 1.5 2000/04/20 08:08:33 itojun Exp $
+.\"    $NetBSD: ipsec.4,v 1.6 2000/04/20 14:24:43 itojun Exp $
 .\"    $KAME: ipsec.4,v 1.7 2000/04/20 08:01:41 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -231,8 +231,14 @@
 so the policy engine API described herein is just for KAME implementation.
 .Pp
 AH tunnel may not work as you might expect.
-Packets will be exchanged just fine, however,
-policy engine will not consider the encapsulated packet to be authentic.
+If you configure
+.Dq require
+policy against AH tunnel for inbound, tunnelled packets will be rejected.
+This is because AH authenticates encapsulating
+.Pq outer
+packet, not the encapsulated
+.Pq inner
+packet.
 .\"
 .Sh HISTORY
 The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
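Review bot: The replacement paragraph no longer mentions the policy engine, so the step that links "AH authenticates encapsulating (outer) packet" to "tunnelled packets will be rejected" is left implicit. The removed line "policy engine will not consider the encapsulated packet to be authentic" carried that step; consider keeping a clause saying the inbound policy check is what treats the inner packet as unauthenticated. The added sentences also drop articles ("against AH tunnel for inbound", "authenticates encapsulating"), and the paragraph states the failure without saying what an administrator should configure instead of a "require" policy, which is what a reader hitting this will look for.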


