Changes in 37d7831: backport (cosmetic) changes from wiki-ng

Other.md

...	...	@@ -19,7 +19,7 @@
19	19	- RetroShare can be run as a darknet (friend-to-friend) by default to perform anonymous file transfers if DHT and Discovery features are disabled.
20	20	- GNUnet is a darknet if the "F2F (network) topology" option is enabled.
21	21	- Syndie is software used to publish distributed forums over the anonymous networks of I2P, Tor and Freenet.
22		-OneSwarm can be run as a darknet for friend-to-friend file-sharing.
	22	+- OneSwarm can be run as a darknet for friend-to-friend file-sharing.
23	23	- Tribler can be run as a darknet for file-sharing.
24	24
25	25	## BGP Routed IP

howto/Bird.md

...	...	@@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
26	26
27	27	## IPv6
28	28
29		-```
	29	+```conf
30	30	#/etc/bird/bird6.conf
31	31	protocol device {
32	32	scan time 10;
...	...	@@ -96,7 +96,7 @@ template bgp dnpeers {
96	96	include "/etc/bird/peers6/*";
97	97	```
98	98
99		-```
	99	+```conf
100	100	# /etc/bird/local6.conf
101	101	# should be a unique identifier, use same id as for ipv4
102	102	router id <GATEWAY_IP>;
...	...	@@ -115,7 +115,7 @@ function is_valid_network() {
115	115	}
116	116	```
117	117
118		-```
	118	+```conf
119	119	# /etc/bird/peers6/<PEER_NAME>
120	120	protocol bgp <PEER_NAME> from dnpeers {
121	121	neighbor <PEERING_IP> as <PEER_AS>;
...	...	@@ -126,7 +126,7 @@ protocol bgp <PEER_NAME> from dnpeers {
126	126
127	127	### IPv4
128	128
129		-```
	129	+```conf
130	130	# /etc/bird/bird.conf
131	131	# Device status
132	132	protocol device {
...	...	@@ -205,7 +205,7 @@ template bgp dnpeers {
205	205	include "/etc/bird/peers4/*";
206	206	```
207	207
208		-```
	208	+```conf
209	209	#/etc/bird/local4.conf
210	210	# should be a unique identifier, <GATEWAY_IP> is what most people use.
211	211	router id <GATEWAY_IP>;
...	...	@@ -232,7 +232,7 @@ function is_valid_network() {
232	232	}
233	233	```
234	234
235		-```
	235	+```conf
236	236	# /etc/bird/peers4/<PEER_NAME>
237	237	protocol bgp <PEER_NAME> from dnpeers {
238	238	neighbor <PEERING_IP> as <PEER_AS>;
...	...	@@ -276,27 +276,27 @@ ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are
276	276
277	277	You can add cron entries to periodically update the tables:
278	278
279		-```
	279	+```conf
280	280	/15 * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
281	281	/15 * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
282	282	```
283	283
284	284	Debian version:
285	285
286		-```
	286	+```conf
287	287	/15 * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
288	288	/15 * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
289	289	```
290	290
291	291	then create the directory to make sure curls can save the files:
292	292
293		-```
	293	+```sh
294	294	mkdir -p /var/lib/bird/
295	295	```
296	296
297	297	Or use a systemd timer: (check the commands before copy-pasting)
298	298
299		-```
	299	+```conf
300	300	# /etc/systemd/system/dn42-roa.service
301	301	[Unit]
302	302	Description=Update DN42 ROA
...	...	@@ -308,7 +308,7 @@ ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.con
308	308	ExecStart=birdc configure
309	309	```
310	310
311		-```
	311	+```conf
312	312	# /etc/systemd/system/dn42-roa.timer
313	313	[Unit]
314	314	Description=Update DN42 ROA periodically
...	...	@@ -328,26 +328,28 @@ then enable and start the timer with `systemctl enable --now dn42-roa.timer`.
328	328
329	329	* Download gortr
330	330
331		-`https://github.com/cloudflare/gortr/releases`
	331	+<https://github.com/cloudflare/gortr/releases>
332	332
333	333	* Run gortr.
334	334
335		-```
	335	+```sh
336	336	./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
337	337	```
338	338
339	339
340	340	* Run with docker
341	341
342		-`docker pull cloudflare/gortr`
343		-
	342	+```sh
	343	+docker pull cloudflare/gortr
344	344	```
	345	+
	346	+```sh
345	347	docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
346	348	```
347	349
348	350	* Add this to your bird configure file,other ROA protocol must removed.
349	351
350		-```
	352	+```conf
351	353	protocol rpki rpki_dn42{
352	354	roa4 { table dn42_roa; };
353	355	roa6 { table dn42_roa_v6; };
...	...	@@ -364,7 +366,7 @@ protocol rpki rpki_dn42{
364	366
365	367	In your import filter add the following to reject invalid routes:
366	368
367		-```
	369	+```conf
368	370	if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
369	371	print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
370	372	reject;
...	...	@@ -373,7 +375,7 @@ if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
373	375
374	376	Also, define your ROA table with:
375	377
376		-```
	378	+```conf
377	379	roa table dn42_roa {
378	380	include "/var/lib/bird/bird_roa_dn42.conf";
379	381	};
...	...	@@ -386,7 +388,7 @@ roa table dn42_roa {
386	388
387	389	bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
388	390
389		-```
	391	+```sh
390	392	$ birdc
391	393	BIRD 1.4.5 ready.
392	394	bird> configure # reload configuration

howto/Bird2.md

...	...	@@ -26,7 +26,7 @@ When copying the configuration below onto your system, you will have to enter th
26	26	* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
27	27	* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
28	28
29		-```
	29	+```conf
30	30	################################################
31	31	# Variable header #
32	32	################################################
...	...	@@ -182,7 +182,7 @@ The example config above relies on ROA configuration files in `/etc/bird/roa_dn4
182	182
183	183	To use an RTR server for ROA information, replace this config in your bird2 configuration file:
184	184
185		-```
	185	+```conf
186	186	protocol static {
187	187	roa4 { table dn42_roa; };
188	188	include "/etc/bird/roa_dn42.conf";
...	...	@@ -196,7 +196,7 @@ protocol static {
196	196
197	197	... with this one (by changing address and port so it points to your RTR server)
198	198
199		-```
	199	+```conf
200	200	protocol rpki roa_dn42 {
201	201	roa4 { table dn42_roa; };
202	202	roa6 { table dn42_roa_v6; };
...	...	@@ -228,7 +228,7 @@ Please note: This section assumes that you've already got a tunnel to your peeri
228	228
229	229	First, make sure the /etc/bird/peers directory exists:
230	230
231		-```
	231	+```sh
232	232	# mkdir -p /etc/bird/peers
233	233	```
234	234
...	...	@@ -246,4 +246,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
246	246	}
247	247	```
248	248
249		-Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
	249	+Due to the special link local addresses of IPv6, an interface has to be specified using the `%<if>` syntax if a link local address is used (Which is recommended)

howto/EMail.md

...	...	@@ -11,14 +11,14 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
11	11
12	12	\| Handle \| Alias \| Redirection \|
13	13	\|:------------ \|:-------------- \|:--------------------- \|
14		-\| `STV0G-DN42` \| [email protected] \| [email protected]` \|
	14	+\| `STV0G-DN42` \| [email protected] \| `[email protected]` \|
15	15
16	16	## Test email
17	17
18	18	~~Send an email to `[email protected]` to check if your mail setup is correct.~~ This host will reply using the following
19	19	sieve filter:
20	20
21		-```
	21	+```conf
22	22	require ["regex", "variables", "vacation-seconds"];
23	23	if header :contains "To" ["[email protected]"] {
24	24	if header :matches "Subject" "*" {
...	...	@@ -41,31 +41,35 @@ This is controlled by the `ignore_target_hosts` variable in the configuration fi
41	41	### Receiving emails
42	42
43	43	Don't forget to add your dn42 domains to the list of local domains, so that you accept incoming emails. On Debian, it is controlled by `dc_other_hostnames` in `update-exim4.conf.conf`. For instance:
44		-
45		- dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
46		-
	44	+```conf
	45	+dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
	46	+```
47	47
48	48	## Postfix
49	49
50	50	### Sending Mails
51	51	If your machine sends/receives Mails in "clearnet" with specific bound IP's you need to create an additional transport in master.cf
52	52
53		- out_dn42 unix - - n - - smtp
54		- -o smtp_bind_address=172.23.67.1
55		- -o smtp_bind_address6=fd70:96c9:ef25::1
56		- -o smtp_helo_name=ns1.mhm.dn42
57		- -o syslog_name=postfix-dn42
	53	+```conf
	54	+out_dn42 unix - - n - - smtp
	55	+ -o smtp_bind_address=172.23.67.1
	56	+ -o smtp_bind_address6=fd70:96c9:ef25::1
	57	+ -o smtp_helo_name=ns1.mhm.dn42
	58	+ -o syslog_name=postfix-dn42
	59	+```
58	60
59	61	and add this transport to /etc/postfix/transport for dn42 (and dont forget to postmap)
60	62
61		- .dn42 out_dn42:
	63	+```
	64	+.dn42 out_dn42:
	65	+```
62	66
63	67	This should to the trick for sending mails via your DN42-IP
64	68
65	69	If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
66	70	This can circumvent certain rdns configuration failure or in case you use rbl lists:
67	71
68		-```
	72	+```conf
69	73	smtpd_recipient_restrictions = permit_mynetworks,
70	74	permit_sasl_authenticated,
71	75	check_client_access cidr:/etc/postfix/dn42.cidr,
...	...	@@ -74,14 +78,14 @@ smtpd_recipient_restrictions = permit_mynetworks,
74	78	permit
75	79	```
76	80
77		-```
	81	+```conf
78	82	#/etc/postfix/dn42.cidr
79	83	172.16.0.0/12 OK
80	84	10.0.0.0/8 OK
81	85	fc00::/7 OK
82	86	```
83	87
84		-```
	88	+```sh
85	89	$ postmap /etc/postfix/dn42.cidr
86	90	```
87	91

howto/EdgeOS-Config-Example.md

...	...	@@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
20	20
21	21	# Configuration
22	22
23		-```
	23	+```conf
24	24	firewall {
25	25	all-ping enable
26	26	broadcast-ping disable

howto/EdgeOS-GRE-IPsec-Example.md

...	...	@@ -12,16 +12,20 @@ This configuration assumes that both peers have static public IPs.
12	12
13	13	You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
14	14
15		- ryan@edge1:~$ generate vpn rsa-key bits 4096
16		- ryan@edge1:~$ show vpn ike rsa-keys
	15	+```sh
	16	+ryan@edge1:~$ generate vpn rsa-key bits 4096
	17	+ryan@edge1:~$ show vpn ike rsa-keys
17	18
18		- Local public key (/config/ipsec.d/rsa-keys/localhost.key):
	19	+Local public key (/config/ipsec.d/rsa-keys/localhost.key):
	20	+
	21	+0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
	22	+```
19	23
20		- 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
21	24	If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
22	25
23	26	## Configuration
24	27
	28	+```conf
25	29	firewall {
26	30	all-ping enable
27	31	broadcast-ping disable
...	...	@@ -499,3 +503,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
499	503	interface eth0
500	504	}
501	505	}
	506	+```

howto/GRE-on-FreeBSD.md

...	...	@@ -21,7 +21,7 @@ ifconfig gre$INDEX descr $DESCR
21	21
22	22	Add this to your `rc.conf`.
23	23
24		-```
	24	+```conf
25	25	cloned_interfaces="$cloned_interfaces gre0"
26	26	ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
27	27	```

howto/GRE-on-OpenBSD.md

...	...	@@ -9,7 +9,7 @@ Let `fd42::` and `fd42::1` be the IPs of A and D respectively where both are
9	9
10	10	## pseudo interface
11	11	Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
12		-```
	12	+```conf
13	13	tunnel A.example.com D.example.net
14	14	inet6 fd42::/127
15	15	```
...	...	@@ -21,7 +21,7 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
21	21
22	22	## miscellaneous
23	23	Populate `/etc/sysctl.conf` with:
24		-```
	24	+```conf
25	25	net.inet.gre.allow=1
26	26	```
27	27	Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.

howto/Getting-Started.md

...	...	@@ -67,7 +67,7 @@ Common authentication methods are:
67	67	- SSH Key: `auth: ssh-{rsa,ed25519} <key>`
68	68
69	69	Example: data/mntner/FOO-MNT
70		-```
	70	+```conf
71	71	mntner: FOO-MNT
72	72	admin-c: FOO-DN42
73	73	tech-c: FOO-DN42
...	...	@@ -93,7 +93,7 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
93	93
94	94
95	95	Example: data/person/FOO-DN42
96		-```
	96	+```conf
97	97	person: John Doe
98	98	e-mail: [email protected]
99	99	nic-hdl: FOO-DN42
...	...	@@ -116,7 +116,7 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
116	116	- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
117	117
118	118	Example: data/organisation/ORG-EXAMPLE
119		-```
	119	+```conf
120	120	organisation: ORG-FOO
121	121	org-name: Foo Organisation
122	122	admin-c: FOO-DN42
...	...	@@ -153,7 +153,7 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
153	153	If unsure, ask on the mailing list or IRC.
154	154
155	155	Example: data/aut-num/AS4242423999
156		-```
	156	+```conf
157	157	aut-num: AS4242423999
158	158	as-name: AS-FOO-DN42
159	159	admin-c: FOO-DN42
...	...	@@ -179,7 +179,7 @@ A few websites can generate random ULA prefixes for you:
179	179	or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
180	180
181	181	example: data/inet6num/fd35:4992:6a6d::_48
182		-```
	182	+```conf
183	183	inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
184	184	cidr: fd35:4992:6a6d::/48
185	185	netname: FOO-NETWORK
...	...	@@ -223,7 +223,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
223	223	Note: Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
224	224
225	225	example: data/inetnum/172.20.150.0_27
226		-```
	226	+```conf
227	227	inetnum: 172.20.150.0 - 172.20.150.31
228	228	cidr: 172.20.150.0/27
229	229	netname: FOO-NETWORK
...	...	@@ -241,7 +241,7 @@ source: DN42
241	241	If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
242	242
243	243	example: data/route6/fd35:4992:6a6d::_48
244		-```
	244	+```conf
245	245	route6: fd35:4992:6a6d::/48
246	246	origin: AS4242423999
247	247	max-length: 48
...	...	@@ -250,7 +250,7 @@ source: DN42
250	250	```
251	251
252	252	example data/route/172.20.150.0_27:
253		-```
	253	+```conf
254	254	route: 172.20.150.0/27
255	255	origin: AS4242423999
256	256	max-length: 27
...	...	@@ -266,7 +266,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
266	266	Domain names and nserver attributes must be lowercase.
267	267
268	268	example: data/dns/foo.dn42
269		-```
	269	+```conf
270	270	domain: foo.dn42
271	271	admin-c: FOO-DN42
272	272	tech-c: FOO-DN42
...	...	@@ -280,13 +280,13 @@ source: DN42
280	280
281	281	You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
282	282
283		-```
	283	+```conf
284	284	ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
285	285	```
286	286
287	287	For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
288	288
289		-```
	289	+```conf
290	290	inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
291	291	cidr: fd35:4992:6a6d::/48
292	292	netname: FOO-NETWORK

howto/IPsec-on-FreeBSD.md

...	...	@@ -10,9 +10,9 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
10	10	## Kernel configuration
11	11	The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
12	12	If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
13		-```
14		- options IPSEC #IP security
15		- device crypto
	13	+```conf
	14	+options IPSEC #IP security
	15	+device crypto
16	16	```
17	17	Reboot into your new kernel.
18	18
...	...	@@ -20,7 +20,7 @@ Reboot into your new kernel.
20	20
21	21	Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
22	22	Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
23		-```
	23	+```conf
24	24	path pre_shared_key "/usr/local/etc/racoon/psk";
25	25	path certificate "/usr/local/etc/racoon/certs";
26	26	log info;

howto/IPsecWithPublicKeys/CiscoIOSExample.md

...	...	@@ -5,37 +5,43 @@ _Note: You may already have completed this step, since it's required to enable S
5	5
6	6	1. Configure a hostname and domain name.
7	7
8		- Router#conf t
9		- Router(config)#hostname foo
10		- foo(config)#ip domain-name bar
	8	+```
	9	+Router#conf t
	10	+Router(config)#hostname foo
	11	+foo(config)#ip domain-name bar
	12	+```
11	13
12	14	2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
13	15
14		- foo(config)#crypto key generate rsa general-keys modulus 2048
15		- % The key modulus size is 2048 bits
16		- % Generating 2048 bit RSA keys, keys will be non-exportable...
17		- foo(config)#exit
	16	+```
	17	+foo(config)#crypto key generate rsa general-keys modulus 2048
	18	+% The key modulus size is 2048 bits
	19	+% Generating 2048 bit RSA keys, keys will be non-exportable...
	20	+foo(config)#exit
	21	+```
18	22
19	23	### Exchange public keys with your peer
20	24	1. Display the public key. Send the key data portion to your peer.
21	25
22		- foo#show crypto key mypubkey rsa foo.bar
23		- % Key pair was generated at: 19:24:02 UTC Jul 19 2014
24		- Key name: foo.bar
25		- Storage Device: not specified
26		- Usage: General Purpose Key
27		- Key is not exportable.
28		- Key Data:
29		- 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
30		- 00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
31		- 83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
32		- FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
33		- CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
34		- D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
35		- 1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
36		- C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
37		- F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
38		- 8F020301 0001
	26	+```
	27	+foo#show crypto key mypubkey rsa foo.bar
	28	+% Key pair was generated at: 19:24:02 UTC Jul 19 2014
	29	+Key name: foo.bar
	30	+Storage Device: not specified
	31	+Usage: General Purpose Key
	32	+Key is not exportable.
	33	+Key Data:
	34	+ 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
	35	+ 00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
	36	+ 83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
	37	+ FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
	38	+ CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
	39	+ D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
	40	+ 1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
	41	+ C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
	42	+ F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
	43	+ 8F020301 0001
	44	+```
39	45
40	46	2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
41	47
...	...	@@ -56,76 +62,83 @@ In this example, we'll use the following settings:
56	62
57	63	1. Add your peer's public key
58	64
59		- foo#conf t
60		- Enter configuration commands, one per line. End with CNTL/Z.
61		- foo(config)#crypto key pubkey-chain rsa
62		- foo(config-pubkey-chain)#addressed-key 192.0.2.2
63		- foo(config-pubkey-key)#key-string
64		- Enter a public key as a hexidecimal number ....
65		-
66		- foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
67		- foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
68		- foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
69		- foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
70		- foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
71		- foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
72		- foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
73		- foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
74		- foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
75		- foo(config-pubkey)#D5020301 0001
76		- foo(config-pubkey)#quit
77		- foo(config-pubkey-key)#exit
78		- foo(config-pubkey-chain)#exit
	65	+```
	66	+foo#conf t
	67	+Enter configuration commands, one per line. End with CNTL/Z.
	68	+foo(config)#crypto key pubkey-chain rsa
	69	+foo(config-pubkey-chain)#addressed-key 192.0.2.2
	70	+foo(config-pubkey-key)#key-string
	71	+Enter a public key as a hexidecimal number ....
	72	+
	73	+foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
	74	+foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
	75	+foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
	76	+foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
	77	+foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
	78	+foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
	79	+foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
	80	+foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
	81	+foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
	82	+foo(config-pubkey)#D5020301 0001
	83	+foo(config-pubkey)#quit
	84	+foo(config-pubkey-key)#exit
	85	+foo(config-pubkey-chain)#exit
	86	+```
79	87
80	88	2. Configure an ISAKMP policy
81	89
82		- foo(config)#crypto isakmp policy 10
83		- foo(config-isakmp)#encryption aes
84		- foo(config-isakmp)#hash sha
85		- foo(config-isakmp)#group 5
86		- foo(config-isakmp)#lifetime 28800
87		- foo(config-isakmp)#authentication rsa-sig
88		- foo(config-isakmp)#exit
	90	+```
	91	+foo(config)#crypto isakmp policy 10
	92	+foo(config-isakmp)#encryption aes
	93	+foo(config-isakmp)#hash sha
	94	+foo(config-isakmp)#group 5
	95	+foo(config-isakmp)#lifetime 28800
	96	+foo(config-isakmp)#authentication rsa-sig
	97	+foo(config-isakmp)#exit
	98	+```
89	99
90	100	3. All done! Configure the phase 2 parameters as you otherwise would.
91	101
92	102	## Full GRE/IPsec example
93		- crypto key pubkey-chain rsa
94		- addressed-key 192.0.2.2
95		- address 192.0.2.2
96		- key-string
97		- 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
98		- 00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
99		- 33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
100		- FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
101		- 065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
102		- 0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
103		- F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
104		- F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
105		- E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
106		- D5020301 0001
107		- quit
108		- !
109		- crypto isakmp policy 10
110		- encr aes
111		- group 5
112		- lifetime 28800
113		- !
114		- crypto ipsec transform-set tset esp-aes esp-sha-hmac
115		- mode transport
116		- !
117		- crypto ipsec profile FOO
118		- set transform-set tset
119		- set pfs group5
120		- !
121		- interface Tunnel0
122		- ip address 10.1.2.0 255.255.255.254
123		- ip mtu 1400
124		- tunnel source 192.0.2.1
125		- tunnel destination 192.0.2.2
126		- tunnel protection ipsec profile FOO
127		- !
128		- interface FastEthernet0/0
129		- description WAN
130		- ip address 192.0.2.1 255.255.255.0
131		- duplex full
	103	+
	104	+```
	105	+crypto key pubkey-chain rsa
	106	+ addressed-key 192.0.2.2
	107	+ address 192.0.2.2
	108	+ key-string
	109	+ 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
	110	+ 00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
	111	+ 33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
	112	+ FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
	113	+ 065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
	114	+ 0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
	115	+ F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
	116	+ F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
	117	+ E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
	118	+ D5020301 0001
	119	+ quit
	120	+ !
	121	+ crypto isakmp policy 10
	122	+ encr aes
	123	+ group 5
	124	+ lifetime 28800
	125	+ !
	126	+ crypto ipsec transform-set tset esp-aes esp-sha-hmac
	127	+ mode transport
	128	+ !
	129	+ crypto ipsec profile FOO
	130	+ set transform-set tset
	131	+ set pfs group5
	132	+ !
	133	+ interface Tunnel0
	134	+ ip address 10.1.2.0 255.255.255.254
	135	+ ip mtu 1400
	136	+ tunnel source 192.0.2.1
	137	+ tunnel destination 192.0.2.2
	138	+ tunnel protection ipsec profile FOO
	139	+ !
	140	+ interface FastEthernet0/0
	141	+ description WAN
	142	+ ip address 192.0.2.1 255.255.255.0
	143	+ duplex full
	144	+```

howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md

...	...	@@ -21,17 +21,17 @@ Change the direction on 5.6.7.8.
21	21
22	22	## Load the IPsec security policy into the IPsec security policy database
23	23	Load the policy with the setkey command.
24		-```
	24	+```sh
25	25	setkey -f /etc/ipsec-tools.conf
26	26	```
27	27	Afterward check the policy database with:
28		-```
	28	+```sh
29	29	setkey -DP
30	30	```
31	31
32	32	## Configure the racoon daemon
33	33	An example /etc/racoon/racoon.conf.
34		-```
	34	+```conf
35	35	path pre_shared_key "/etc/racoon/psk.txt";
36	36	path certificate "/etc/racoon/certs";
37	37	log info;

howto/IPsecWithPublicKeys/OpenBSDExample.md

...	...	@@ -34,32 +34,40 @@ Next, add the right flow parameters to [`/etc/ipsec.conf`](http://man.openbsd.or
34	34
35	35	The configuration file should look like this:
36	36
37		- mymachine = "3.4.5.6"
38		- mypeer = "1.3.3.7"
39		- ike esp transport proto gre from $mymachine to $mypeer \
40		- main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
41		- quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
	37	+```conf
	38	+mymachine = "3.4.5.6"
	39	+mypeer = "1.3.3.7"
	40	+ike esp transport proto gre from $mymachine to $mypeer \
	41	+ main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
	42	+ quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
	43	+```
42	44
43	45	Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once the connection is established, the IPSec flows can be listed with `ipsecctl -sa`:
44	46
45		- # ipsecctl -sa
46		- FLOWS:
47		- flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
48		- flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
	47	+```
	48	+# ipsecctl -sa
	49	+FLOWS:
	50	+flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
	51	+flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
49	52
50		- SAD:
51		- esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
52		- esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
	53	+SAD:
	54	+esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
	55	+esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
	56	+```
53	57
54	58	# GRE Setup
55	59	Next, we will set up the GRE device. The [gre(4)](http://man.openbsd.org/gre.4) device encapsulates IPv4 and IPv6 traffic, which allows you to speak both address families over one tunnel if you only have native connectivity for one address family. The addresses configured onto the GRE device should come from a private address range that is not used anywhere in DN42, or a registered transfer net. For IPv6, you should use either ULAs or Link-Local addresses. In this example, we assume you are using 10.20.30.0/31 as the IPv4 transfer "net" (it has only two addresses, so calling it a network is a bit of an overstatement) and Link-Local addresses for IPv6.
56	60
57		- # ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
58		- # ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
59		- # ifconfig gre0 inet6 eui64
	61	+```sh
	62	+# ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
	63	+# ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
	64	+# ifconfig gre0 inet6 eui64
	65	+```
60	66
61	67	These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd.org/hostname.if.5), .i.e.
62	68
63		- tunnel 3.4.5.6 1.3.3.7
64		- inet 10.20.30.0 10.20.30.1
65		- inet6 eui64
	69	+```conf
	70	+tunnel 3.4.5.6 1.3.3.7
	71	+inet 10.20.30.0 10.20.30.1
	72	+inet6 eui64
	73	+```

howto/IPsecWithPublicKeys/RacoonExample.md

...	...	@@ -17,7 +17,7 @@ I'd probably go with 4096 bits.
17	17
18	18
19	19	in your racoon.conf:
20		-```
	20	+```conf
21	21	path certificate "/etc/racoon/keys";
22	22
23	23	listen {
...	...	@@ -38,6 +38,6 @@ remote 192.168.255.2 {
38	38	}
39	39	```
40	40
41		-## Se also
	41	+## See also
42	42
43	43	[Debian specific configuration](/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian)

howto/IPsecWithPublicKeys/RouterOSExample.md

...	...	@@ -2,34 +2,40 @@
2	2	## Setup
3	3	### Generate an RSA keypair
4	4
5		- [admin@mtk1] > /ip ipsec key
6		- [admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
7		- For key bigger than 1024bit this may take a while..
8		- [admin@mtk1] /ip ipsec key> print
9		- Flags: P - private-key, R - rsa
10		- # NAME KEY-SIZE
11		- 0 PR mykey 4096-bit
	5	+```
	6	+[admin@mtk1] > /ip ipsec key
	7	+[admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
	8	+For key bigger than 1024bit this may take a while..
	9	+[admin@mtk1] /ip ipsec key> print
	10	+Flags: P - private-key, R - rsa
	11	+ # NAME KEY-SIZE
	12	+ 0 PR mykey 4096-bit
	13	+```
12	14
13	15	## Exchange public keys with your peer
14	16	1. Export the public key to a file.
15	17
16		- [admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
	18	+```
	19	+[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
17	20
18		- [admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
19		- # NAME TYPE SIZE CREATION-TIME
20		- 2 mykey.pub ssh key 451 jul/20/2014 12:35:33
	21	+[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
	22	+ # NAME TYPE SIZE CREATION-TIME
	23	+ 2 mykey.pub ssh key 451 jul/20/2014 12:35:33
	24	+```
21	25
22	26	2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:
23	27
24		- -----BEGIN PUBLIC KEY-----
25		- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
26		- TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
27		- +xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
28		- 23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
29		- 4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
30		- QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
31		- 8QIDAQAB
32		- -----END PUBLIC KEY-----
	28	+```
	29	+-----BEGIN PUBLIC KEY-----
	30	+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
	31	+TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
	32	++xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
	33	+23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
	34	+4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
	35	+QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
	36	+8QIDAQAB
	37	+-----END PUBLIC KEY-----
	38	+```
33	39
34	40	3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
35	41
...	...	@@ -50,43 +56,49 @@ In this example, we'll use the following settings:
50	56
51	57	1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)
52	58
53		- [admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
54		- passphrase:
	59	+```
	60	+[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
	61	+passphrase:
55	62
56		- [admin@mtk1] /ip ipsec key> print
57		- Flags: P - private-key, R - rsa
58		- # NAME KEY-SIZE
59		- 0 PR mykey 4096-bit
60		- 1 R peer-key 4096-bit
	63	+[admin@mtk1] /ip ipsec key> print
	64	+Flags: P - private-key, R - rsa
	65	+ # NAME KEY-SIZE
	66	+ 0 PR mykey 4096-bit
	67	+ 1 R peer-key 4096-bit
	68	+```
61	69
62	70	2. Configure your peer definition to use the public key
63	71
64		- [admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
65		- [admin@mtk1] /ip ipsec peer> print
66		- Flags: X - disabled
67		- 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
68		- auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
69		- exchange-mode=main send-initial-contact=yes nat-traversal=no
70		- proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
71		- dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
72		- dpd-maximum-failures=5
	72	+```
	73	+[admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
	74	+[admin@mtk1] /ip ipsec peer> print
	75	+Flags: X - disabled
	76	+ 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
	77	+ auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
	78	+ exchange-mode=main send-initial-contact=yes nat-traversal=no
	79	+ proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
	80	+ dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
	81	+ dpd-maximum-failures=5
	82	+```
73	83
74	84	3. All done! Configure the phase 2 parameters as you otherwise would.
75	85
76	86	## Full GRE/IPsec example
77		- # jul/20/2014 13:00:04 by RouterOS 6.15
78		- # software id = HBCA-0B2J
79		- #
80		- /interface gre
81		- add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
82		- remote-address=192.0.2.2
83		- /ip address
84		- add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
85		- /ip ipsec proposal
86		- set [ find default=yes ] lifetime=1h pfs-group=modp1536
87		- /ip ipsec peer
88		- add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
89		- lifetime=8h local-address=192.0.2.1 remote-key=peer-key
90		- /ip ipsec policy
91		- add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
92		- sa-src-address=192.0.2.1 src-address=192.0.2.1/32
	87	+```
	88	+# jul/20/2014 13:00:04 by RouterOS 6.15
	89	+# software id = HBCA-0B2J
	90	+#
	91	+/interface gre
	92	+add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
	93	+ remote-address=192.0.2.2
	94	+/ip address
	95	+add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
	96	+/ip ipsec proposal
	97	+set [ find default=yes ] lifetime=1h pfs-group=modp1536
	98	+/ip ipsec peer
	99	+add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
	100	+ lifetime=8h local-address=192.0.2.1 remote-key=peer-key
	101	+/ip ipsec policy
	102	+add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
	103	+ sa-src-address=192.0.2.1 src-address=192.0.2.1/32
	104	+```

howto/IPsecWithPublicKeys/VyOSExample.md

...	...	@@ -2,22 +2,26 @@
2	2	## Setup
3	3	### Generate an RSA keypair
4	4
5		- ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
6		- Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
	5	+```sh
	6	+ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
	7	+Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
7	8
8		- Your new local RSA key has been generated
9		- The public portion of the key is:
	9	+Your new local RSA key has been generated
	10	+The public portion of the key is:
10	11
11		- 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
	12	+0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
	13	+```
12	14
13	15	### Exchange public keys with your peer
14	16	1. Display the public key. Send the key data portion to your peer.
15	17
16		- ubnt@ubnt:~$ show vpn ike rsa-keys
	18	+```sh
	19	+ubnt@ubnt:~$ show vpn ike rsa-keys
17	20
18		- Local public key (/config/ipsec.d/rsa-keys/localhost.key):
	21	+Local public key (/config/ipsec.d/rsa-keys/localhost.key):
19	22
20		- 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
	23	+0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
	24	+```
21	25
22	26	2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
23	27
...	...	@@ -38,98 +42,107 @@ In this example, we'll use the following settings:
38	42
39	43	1. Add your peer's public key
40	44
41		- vyos@vyos:~$ configure
42		- [edit]
43		- vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 0sAwEAAb4ETtKRLxcFNty56regsR61pq7hQl3NnjwABL16wZXGynKxZlj11VbdqcNwaTaqHZLV4Xfy867nImSs0DD9Cko5LzWwyM1Ih4SB+rIjfmBt7nRUrilnYvfWAONG1CLTI2tXnM/miNqiY+PxlCiMPr1KrTJWBWOknqqhhL2dOBfp3Ryx1yRxDACFG4wgpwmndJOnmefnV6qZXWiOdoIsBsBqQKiDY0g2uI+S3KxK27JL3KZWcA2ehhvtxmq4vwcMXplYeedei3EEmWxtddAZCApXor9bkVoVp2io+a0D1ALevYMD5SIygu55Q888n5puYNry/cUjX20/F/YK+J9u2UExWewN4AIt/jMNm7nJNWpuFHfLX1V/igHrdGzoEM0E/i+nGz9CWTVTLoFUmkTjpt31FPmomSVEI7MbNXG7cpa+X55PWd1apheR52XJZPZfCnMf1DjilYbLMRG05RK8zI3QlX3UXHira0dq4OBZ+Aow+dGp+jLmwjgdBDnkQdVu0iP6bp+5/oz6mWvDQ65EVECAIXKR5zIsiKn9ZU18H+lp4xWMjiSw3Y+87Y5KeQPmX73Ygolow6VvtCBvX8CS4Plszn3i0Qp8184eLEWIY314Z8Z+HwBAjUv3MkqI93leokAjMbt23ttaJbWlWgG47BAJOEcWlMFkDNcZtOngUrzF
	45	+```sh
	46	+vyos@vyos:~$ configure
	47	+[edit]
	48	+vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 0sAwEAAb4ETtKRLxcFNty56regsR61pq7hQl3NnjwABL16wZXGynKxZlj11VbdqcNwaTaqHZLV4Xfy867nImSs0DD9Cko5LzWwyM1Ih4SB+rIjfmBt7nRUrilnYvfWAONG1CLTI2tXnM/miNqiY+PxlCiMPr1KrTJWBWOknqqhhL2dOBfp3Ryx1yRxDACFG4wgpwmndJOnmefnV6qZXWiOdoIsBsBqQKiDY0g2uI+S3KxK27JL3KZWcA2ehhvtxmq4vwcMXplYeedei3EEmWxtddAZCApXor9bkVoVp2io+a0D1ALevYMD5SIygu55Q888n5puYNry/cUjX20/F/YK+J9u2UExWewN4AIt/jMNm7nJNWpuFHfLX1V/igHrdGzoEM0E/i+nGz9CWTVTLoFUmkTjpt31FPmomSVEI7MbNXG7cpa+X55PWd1apheR52XJZPZfCnMf1DjilYbLMRG05RK8zI3QlX3UXHira0dq4OBZ+Aow+dGp+jLmwjgdBDnkQdVu0iP6bp+5/oz6mWvDQ65EVECAIXKR5zIsiKn9ZU18H+lp4xWMjiSw3Y+87Y5KeQPmX73Ygolow6VvtCBvX8CS4Plszn3i0Qp8184eLEWIY314Z8Z+HwBAjUv3MkqI93leokAjMbt23ttaJbWlWgG47BAJOEcWlMFkDNcZtOngUrzF
	49	+```
44	50
45	51	2. Configure an ISAKMP policy
46	52
47		- [edit]
48		- vyos@vyos# edit vpn ipsec ike-group FOO
49		- [edit vpn ipsec ike-group FOO]
50		- vyos@vyos# set lifetime 28800
51		- [edit vpn ipsec ike-group FOO]
52		- vyos@vyos# set proposal 1 encryption aes128
53		- [edit vpn ipsec ike-group FOO]
54		- vyos@vyos# set proposal 1 hash sha1
55		- [edit vpn ipsec ike-group FOO]
56		- vyos@vyos# set proposal 1 dh-group 5
57		- [edit vpn ipsec ike-group FOO]
58		- vyos@vyos# commit
	53	+```sh
	54	+[edit]
	55	+vyos@vyos# edit vpn ipsec ike-group FOO
	56	+[edit vpn ipsec ike-group FOO]
	57	+vyos@vyos# set lifetime 28800
	58	+[edit vpn ipsec ike-group FOO]
	59	+vyos@vyos# set proposal 1 encryption aes128
	60	+[edit vpn ipsec ike-group FOO]
	61	+vyos@vyos# set proposal 1 hash sha1
	62	+[edit vpn ipsec ike-group FOO]
	63	+vyos@vyos# set proposal 1 dh-group 5
	64	+[edit vpn ipsec ike-group FOO]
	65	+vyos@vyos# commit
	66	+```
59	67
60	68	3. Set your peer definition to use the public key
61	69
62		- [edit vpn ipsec ike-group FOO]
63		- vyos@vyos# up
64		- [edit vpn ipsec]
65		- vyos@vyos# edit site-to-site peer 192.0.2.2
66		- [edit vpn ipsec site-to-site peer 192.0.2.2]
67		- vyos@vyos# set authentication mode rsa
68		- [edit vpn ipsec site-to-site peer 192.0.2.2]
69		- vyos@vyos# set authentication rsa-key-name my-peer
	70	+```sh
	71	+[edit vpn ipsec ike-group FOO]
	72	+vyos@vyos# up
	73	+[edit vpn ipsec]
	74	+vyos@vyos# edit site-to-site peer 192.0.2.2
	75	+[edit vpn ipsec site-to-site peer 192.0.2.2]
	76	+vyos@vyos# set authentication mode rsa
	77	+[edit vpn ipsec site-to-site peer 192.0.2.2]
	78	+vyos@vyos# set authentication rsa-key-name my-peer
	79	+```
70	80
71	81	4. All done! Configure the phase 2 parameters as you otherwise would.
72	82
73	83	## Full GRE/IPsec example
74		- interfaces {
75		- ethernet eth0 {
76		- address 192.0.2.1/30
77		- description WAN
78		- duplex auto
79		- speed auto
80		- }
81		- tunnel tun0 {
82		- address 10.1.2.0/31
83		- encapsulation gre
84		- local-ip 192.0.2.1
85		- mtu 1400
86		- multicast disable
87		- remote-ip 192.0.2.2
88		- ttl 255
89		- }
	84	+
	85	+```conf
	86	+interfaces {
	87	+ ethernet eth0 {
	88	+ address 192.0.2.1/30
	89	+ description WAN
	90	+ duplex auto
	91	+ speed auto
90	92	}
91		- vpn {
92		- ipsec {
93		- esp-group BAR {
94		- compression disable
95		- lifetime 3600
96		- mode transport
97		- pfs dh-group5
98		- proposal 1 {
99		- encryption aes128
100		- hash sha1
101		- }
102		- }
103		- ike-group FOO {
104		- lifetime 28800
105		- proposal 1 {
106		- dh-group 5
107		- encryption aes128
108		- hash sha1
109		- }
	93	+ tunnel tun0 {
	94	+ address 10.1.2.0/31
	95	+ encapsulation gre
	96	+ local-ip 192.0.2.1
	97	+ mtu 1400
	98	+ multicast disable
	99	+ remote-ip 192.0.2.2
	100	+ ttl 255
	101	+ }
	102	+}
	103	+vpn {
	104	+ ipsec {
	105	+ esp-group BAR {
	106	+ compression disable
	107	+ lifetime 3600
	108	+ mode transport
	109	+ pfs dh-group5
	110	+ proposal 1 {
	111	+ encryption aes128
	112	+ hash sha1
110	113	}
111		- ipsec-interfaces {
112		- interface eth0
	114	+ }
	115	+ ike-group FOO {
	116	+ lifetime 28800
	117	+ proposal 1 {
	118	+ dh-group 5
	119	+ encryption aes128
	120	+ hash sha1
113	121	}
114		- site-to-site {
115		- peer 192.0.2.2 {
116		- authentication {
117		- mode rsa
118		- rsa-key-name my-peer
119		- }
120		- connection-type initiate
121		- default-esp-group BAR
122		- ike-group FOO
123		- local-ip 192.0.2.1
124		- tunnel 0 {
125		- protocol gre
126		- }
	122	+ }
	123	+ ipsec-interfaces {
	124	+ interface eth0
	125	+ }
	126	+ site-to-site {
	127	+ peer 192.0.2.2 {
	128	+ authentication {
	129	+ mode rsa
	130	+ rsa-key-name my-peer
	131	+ }
	132	+ connection-type initiate
	133	+ default-esp-group BAR
	134	+ ike-group FOO
	135	+ local-ip 192.0.2.1
	136	+ tunnel 0 {
	137	+ protocol gre
127	138	}
128	139	}
129	140	}
130		- rsa-keys {
131		- rsa-key-name my-peer {
132		- rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox
133		- }
	141	+ }
	142	+ rsa-keys {
	143	+ rsa-key-name my-peer {
	144	+ rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox
134	145	}
135	146	}
	147	+}
	148	+```

howto/IPsecWithPublicKeys/strongSwan4Example.md

...	...	@@ -2,29 +2,33 @@
2	2	## Setup
3	3	### Generate an RSA keypair
4	4
5		- root@debian:~# mkdir /etc/ipsec.d/public
6		- root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
7		- root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
8		- root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
	5	+```sh
	6	+root@debian:~# mkdir /etc/ipsec.d/public
	7	+root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
	8	+root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
	9	+root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
	10	+```
9	11
10	12	### Exchange public keys with your peer
11	13	1. Display the public key. Send the key data to your peer.
12	14
13		- root@debian:~# more /etc/ipsec.d/public/mykey.pub
14		- -----BEGIN PUBLIC KEY-----
15		- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
16		- nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
17		- 9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
18		- +Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
19		- fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
20		- 7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
21		- tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
22		- JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
23		- MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
24		- rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
25		- PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
26		- ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
27		- -----END PUBLIC KEY-----
	15	+```sh
	16	+root@debian:~# more /etc/ipsec.d/public/mykey.pub
	17	+-----BEGIN PUBLIC KEY-----
	18	+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
	19	+nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
	20	+9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
	21	++Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
	22	+fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
	23	+7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
	24	+tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
	25	+JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
	26	+MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
	27	+rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
	28	+PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
	29	+ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
	30	+-----END PUBLIC KEY-----
	31	+```
28	32
29	33	2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
30	34
...	...	@@ -47,58 +51,63 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted private keys, but requires
47	51
48	52	1. Configure a connection policy in ipsec.conf for your peer. The `leftrsasigkey` attribute is your host's public key in Base64 RFC 3110 format enclosed in double quotes, and `rightrsasigkey` is your peer's key.
49	53
50		- root@debian:~# cat << EOF >> /etc/ipsec.conf
51		- conn MYPEER
52		- # peer IPs
53		- left=192.0.2.1
54		- right=192.0.2.2
55		- # phase 1 parameters
56		- ike=aes128-sha1-modp1536!
57		- ikelifetime=28800s
58		- # authentication
59		- authby=pubkey
60		- leftrsasigkey="0sAwEAAdvxViCblVLX7C6L2rzafpz0rE9pkKDSt2VFMLhCnwY0+5oYo3V0R4dUgLSGlNmnp+fneauntu7zAgmDkC2oJ/QpCmrQaueMxjbw0s0BKc9JiLGgcfcY74bIKgJigk6S7SrjM+nGWx/MvKPf2WfCr/iYbeu0/AQyl3M4DoOSCGl/OFKQq5UoJp0rymCrtz157fdW2euh2g2SYz3/WojDXH77lKlXxVp7FdsyOhxbxv7sJKi2pbJz2gMFXiFpdjr8tic3Y9BkS0mMfO3p3kgaPu7Y5VEUE7nQI9fud0hTpAXAj0p8z2KSAt4QX2fGcPK/9uZqFt8X/E5SyyaoAIedGLVcr8lUr9TCmAXY2XBbBF1HHguSyPSWa8gf0nq6tEfuP/2YkdyxLXrVSjb3KPW3CCR16/PBzNl3mEX0TwAesHpmyBDCmHcCIcGADzwLS/pQx7WQYgQCAKdMtBYWqM0s5TEq8vLWyUdnw/4vP8l6+YrFX4yWXcPFitCwHfGvM75jSBSoIilo6A4CMnDOR60Q/q2NAa/cTjZDXYAey8/8DxMlLIiImaWsDP0uLWl+xMSuFot6XcZDhy59mcmlirHYVz6QpHTH0jidEqglHFc3vsQ/BpSJ1ELD4Gwxr8U+940+iHvsEgPeAoLN5quxUunDaGQAEr+3E/QxvsX0Jo6yQvUl"
61		- rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
62		- EOF
	54	+```sh
	55	+root@debian:~# cat << EOF >> /etc/ipsec.conf
	56	+conn MYPEER
	57	+ # peer IPs
	58	+ left=192.0.2.1
	59	+ right=192.0.2.2
	60	+ # phase 1 parameters
	61	+ ike=aes128-sha1-modp1536!
	62	+ ikelifetime=28800s
	63	+ # authentication
	64	+ authby=pubkey
	65	+ leftrsasigkey="0sAwEAAdvxViCblVLX7C6L2rzafpz0rE9pkKDSt2VFMLhCnwY0+5oYo3V0R4dUgLSGlNmnp+fneauntu7zAgmDkC2oJ/QpCmrQaueMxjbw0s0BKc9JiLGgcfcY74bIKgJigk6S7SrjM+nGWx/MvKPf2WfCr/iYbeu0/AQyl3M4DoOSCGl/OFKQq5UoJp0rymCrtz157fdW2euh2g2SYz3/WojDXH77lKlXxVp7FdsyOhxbxv7sJKi2pbJz2gMFXiFpdjr8tic3Y9BkS0mMfO3p3kgaPu7Y5VEUE7nQI9fud0hTpAXAj0p8z2KSAt4QX2fGcPK/9uZqFt8X/E5SyyaoAIedGLVcr8lUr9TCmAXY2XBbBF1HHguSyPSWa8gf0nq6tEfuP/2YkdyxLXrVSjb3KPW3CCR16/PBzNl3mEX0TwAesHpmyBDCmHcCIcGADzwLS/pQx7WQYgQCAKdMtBYWqM0s5TEq8vLWyUdnw/4vP8l6+YrFX4yWXcPFitCwHfGvM75jSBSoIilo6A4CMnDOR60Q/q2NAa/cTjZDXYAey8/8DxMlLIiImaWsDP0uLWl+xMSuFot6XcZDhy59mcmlirHYVz6QpHTH0jidEqglHFc3vsQ/BpSJ1ELD4Gwxr8U+940+iHvsEgPeAoLN5quxUunDaGQAEr+3E/QxvsX0Jo6yQvUl"
	66	+ rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
	67	+EOF
	68	+```
63	69
64	70	2. All done! Configure the phase 2 parameters as you otherwise would.
65	71
66	72	## Full GRE/IPsec example
67		- root@debian:~# ip addr show dev gre1
68		- 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
69		- link/gre 192.0.2.1 peer 192.0.2.2
70		- inet 10.1.2.0/31 scope global gre1
71		- valid_lft forever preferred_lft forever
72		- inet6 fe80::200:5efe:6825:1c22/64 scope link
73		- valid_lft forever preferred_lft forever
74		- root@debian:~# more /etc/ipsec.conf
75		- # ipsec.conf - strongSwan IPsec configuration file
76		-
77		- config setup
78		-
79		- conn %default
80		- keyexchange=ikev1
81		- dpdaction=restart
82		-
83		- conn MYPEER
84		- # peer IPs
85		- left=192.0.2.1
86		- right=192.0.2.2
87		- # phase 1 parameters
88		- ike=aes128-sha1-modp1536!
89		- ikelifetime=28800s
90		- # authentication
91		- authby=pubkey
92		- leftrsasigkey="0sAwEAAdvxViCblVLX7C6L2rzafpz0rE9pkKDSt2VFMLhCnwY0+5oYo3V0R4dUgLSGlNmnp+fneauntu7zAgmDkC2oJ/QpCmrQaueMxjbw0s0BKc9JiLGgcfcY74bIKgJigk6S7SrjM+nGWx/MvKPf2WfCr/iYbeu0/AQyl3M4DoOSCGl/OFKQq5UoJp0rymCrtz157fdW2euh2g2SYz3/WojDXH77lKlXxVp7FdsyOhxbxv7sJKi2pbJz2gMFXiFpdjr8tic3Y9BkS0mMfO3p3kgaPu7Y5VEUE7nQI9fud0hTpAXAj0p8z2KSAt4QX2fGcPK/9uZqFt8X/E5SyyaoAIedGLVcr8lUr9TCmAXY2XBbBF1HHguSyPSWa8gf0nq6tEfuP/2YkdyxLXrVSjb3KPW3CCR16/PBzNl3mEX0TwAesHpmyBDCmHcCIcGADzwLS/pQx7WQYgQCAKdMtBYWqM0s5TEq8vLWyUdnw/4vP8l6+YrFX4yWXcPFitCwHfGvM75jSBSoIilo6A4CMnDOR60Q/q2NAa/cTjZDXYAey8/8DxMlLIiImaWsDP0uLWl+xMSuFot6XcZDhy59mcmlirHYVz6QpHTH0jidEqglHFc3vsQ/BpSJ1ELD4Gwxr8U+940+iHvsEgPeAoLN5quxUunDaGQAEr+3E/QxvsX0Jo6yQvUl"
93		- rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
94		- # phase 2 parameters
95		- esp=aes128-sha1!
96		- pfs=yes
97		- pfsgroup=modp1536
98		- lifetime=3600s
99		- type=transport
100		- leftprotoport=gre
101		- rightprotoport=gre
102		- # startup
103		- auto=route
104		- keyingtries=%forever
	73	+
	74	+```sh
	75	+root@debian:~# ip addr show dev gre1
	76	+11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
	77	+ link/gre 192.0.2.1 peer 192.0.2.2
	78	+ inet 10.1.2.0/31 scope global gre1
	79	+ valid_lft forever preferred_lft forever
	80	+ inet6 fe80::200:5efe:6825:1c22/64 scope link
	81	+ valid_lft forever preferred_lft forever
	82	+root@debian:~# more /etc/ipsec.conf
	83	+# ipsec.conf - strongSwan IPsec configuration file
	84	+
	85	+config setup
	86	+
	87	+conn %default
	88	+ keyexchange=ikev1
	89	+ dpdaction=restart
	90	+
	91	+conn MYPEER
	92	+ # peer IPs
	93	+ left=192.0.2.1
	94	+ right=192.0.2.2
	95	+ # phase 1 parameters
	96	+ ike=aes128-sha1-modp1536!
	97	+ ikelifetime=28800s
	98	+ # authentication
	99	+ authby=pubkey
	100	+ leftrsasigkey="0sAwEAAdvxViCblVLX7C6L2rzafpz0rE9pkKDSt2VFMLhCnwY0+5oYo3V0R4dUgLSGlNmnp+fneauntu7zAgmDkC2oJ/QpCmrQaueMxjbw0s0BKc9JiLGgcfcY74bIKgJigk6S7SrjM+nGWx/MvKPf2WfCr/iYbeu0/AQyl3M4DoOSCGl/OFKQq5UoJp0rymCrtz157fdW2euh2g2SYz3/WojDXH77lKlXxVp7FdsyOhxbxv7sJKi2pbJz2gMFXiFpdjr8tic3Y9BkS0mMfO3p3kgaPu7Y5VEUE7nQI9fud0hTpAXAj0p8z2KSAt4QX2fGcPK/9uZqFt8X/E5SyyaoAIedGLVcr8lUr9TCmAXY2XBbBF1HHguSyPSWa8gf0nq6tEfuP/2YkdyxLXrVSjb3KPW3CCR16/PBzNl3mEX0TwAesHpmyBDCmHcCIcGADzwLS/pQx7WQYgQCAKdMtBYWqM0s5TEq8vLWyUdnw/4vP8l6+YrFX4yWXcPFitCwHfGvM75jSBSoIilo6A4CMnDOR60Q/q2NAa/cTjZDXYAey8/8DxMlLIiImaWsDP0uLWl+xMSuFot6XcZDhy59mcmlirHYVz6QpHTH0jidEqglHFc3vsQ/BpSJ1ELD4Gwxr8U+940+iHvsEgPeAoLN5quxUunDaGQAEr+3E/QxvsX0Jo6yQvUl"
	101	+ rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
	102	+ # phase 2 parameters
	103	+ esp=aes128-sha1!
	104	+ pfs=yes
	105	+ pfsgroup=modp1536
	106	+ lifetime=3600s
	107	+ type=transport
	108	+ leftprotoport=gre
	109	+ rightprotoport=gre
	110	+ # startup
	111	+ auto=route
	112	+ keyingtries=%forever
	113	+```

howto/IPsecWithPublicKeys/strongSwan5Example.md

...	...	@@ -6,29 +6,33 @@ For IPsec with Public Keys you'll need the package _strongswan-plugin-pubkey_ in
6	6	Don't forget to disable selinux :)
7	7	### Generate an RSA keypair
8	8
9		- root@debian:~# mkdir /etc/ipsec.d/public
10		- root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
11		- root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
12		- root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
	9	+```sh
	10	+root@debian:~# mkdir /etc/ipsec.d/public
	11	+root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
	12	+root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
	13	+root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
	14	+```
13	15
14	16	### Exchange public keys with your peer
15	17	1. Display the public key. Send the key data to your peer.
16	18
17		- root@debian:~# more /etc/ipsec.d/public/mykey.pem
18		- -----BEGIN PUBLIC KEY-----
19		- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
20		- nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
21		- 9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
22		- +Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
23		- fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
24		- 7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
25		- tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
26		- JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
27		- MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
28		- rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
29		- PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
30		- ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
31		- -----END PUBLIC KEY-----
	19	+```sh
	20	+root@debian:~# more /etc/ipsec.d/public/mykey.pem
	21	+-----BEGIN PUBLIC KEY-----
	22	+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
	23	+nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
	24	+9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
	25	++Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
	26	+fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
	27	+7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
	28	+tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
	29	+JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
	30	+MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
	31	+rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
	32	+PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
	33	+ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
	34	+-----END PUBLIC KEY-----
	35	+```
32	36
33	37	2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
34	38
...	...	@@ -49,82 +53,90 @@ In this example, we'll use the following settings:
49	53
50	54	1. Add your peer's public key
51	55
52		- root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
53		- -----BEGIN PUBLIC KEY-----
54		- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
55		- IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
56		- 9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
57		- jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
58		- EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
59		- pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
60		- KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
61		- AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
62		- U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
63		- YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
64		- HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
65		- mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
66		- -----END PUBLIC KEY-----
67		- EOF
	56	+```sh
	57	+root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
	58	+-----BEGIN PUBLIC KEY-----
	59	+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
	60	+IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
	61	+9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
	62	+jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
	63	+EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
	64	+pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
	65	+KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
	66	+AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
	67	+U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
	68	+YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
	69	+HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
	70	+mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
	71	+-----END PUBLIC KEY-----
	72	+EOF
	73	+```
68	74
69	75	2. Configure a connection policy in ipsec.conf for your peer
70	76
71		- root@debian:~# cat << EOF >> /etc/ipsec.conf
72		- conn MYPEER
73		- # peer IPs
74		- left=192.0.2.1
75		- right=192.0.2.2
76		- # phase 1 parameters
77		- ike=aes128-sha1-modp1536!
78		- ikelifetime=28800s
79		- # authentication
80		- authby=pubkey
81		- leftrsasigkey=/etc/ipsec.d/public/mykey.pem
82		- rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
83		- EOF
	77	+```sh
	78	+root@debian:~# cat << EOF >> /etc/ipsec.conf
	79	+conn MYPEER
	80	+ # peer IPs
	81	+ left=192.0.2.1
	82	+ right=192.0.2.2
	83	+ # phase 1 parameters
	84	+ ike=aes128-sha1-modp1536!
	85	+ ikelifetime=28800s
	86	+ # authentication
	87	+ authby=pubkey
	88	+ leftrsasigkey=/etc/ipsec.d/public/mykey.pem
	89	+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
	90	+EOF
	91	+```
84	92
85	93	3. All done! Configure the phase 2 parameters as you otherwise would.
86	94
87	95	## Full GRE/IPsec example
88		- root@debian:~# ip addr show dev gre1
89		- 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
90		- link/gre 192.0.2.1 peer 192.0.2.2
91		- inet 10.1.2.0/31 scope global gre1
92		- valid_lft forever preferred_lft forever
93		- inet6 fe80::200:5efe:6825:1c22/64 scope link
94		- valid_lft forever preferred_lft forever
95		- root@debian:~# more /etc/ipsec.conf
96		- # ipsec.conf - strongSwan IPsec configuration file
97		-
98		- config setup
99		-
100		- conn %default
101		- keyexchange=ikev1
102		- dpdaction=restart
103		-
104		- conn MYPEER
105		- # peer IPs
106		- left=192.0.2.1
107		- right=192.0.2.2
108		- # phase 1 parameters
109		- ike=aes128-sha1-modp1536!
110		- ikelifetime=28800s
111		- # authentication
112		- authby=pubkey
113		- leftrsasigkey=/etc/ipsec.d/public/mykey.pem
114		- rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
115		- # phase 2 parameters
116		- esp=aes128-sha1-modp1536!
117		- lifetime=3600s
118		- type=transport
119		- leftprotoport=gre
120		- rightprotoport=gre
121		- # startup
122		- auto=route
123		- keyingtries=%forever
	96	+```sh
	97	+root@debian:~# ip addr show dev gre1
	98	+11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
	99	+ link/gre 192.0.2.1 peer 192.0.2.2
	100	+ inet 10.1.2.0/31 scope global gre1
	101	+ valid_lft forever preferred_lft forever
	102	+ inet6 fe80::200:5efe:6825:1c22/64 scope link
	103	+ valid_lft forever preferred_lft forever
	104	+root@debian:~# more /etc/ipsec.conf
	105	+# ipsec.conf - strongSwan IPsec configuration file
	106	+
	107	+config setup
	108	+
	109	+conn %default
	110	+ keyexchange=ikev1
	111	+ dpdaction=restart
	112	+
	113	+conn MYPEER
	114	+ # peer IPs
	115	+ left=192.0.2.1
	116	+ right=192.0.2.2
	117	+ # phase 1 parameters
	118	+ ike=aes128-sha1-modp1536!
	119	+ ikelifetime=28800s
	120	+ # authentication
	121	+ authby=pubkey
	122	+ leftrsasigkey=/etc/ipsec.d/public/mykey.pem
	123	+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
	124	+ # phase 2 parameters
	125	+ esp=aes128-sha1-modp1536!
	126	+ lifetime=3600s
	127	+ type=transport
	128	+ leftprotoport=gre
	129	+ rightprotoport=gre
	130	+ # startup
	131	+ auto=route
	132	+ keyingtries=%forever
	133	+```
124	134
125	135	If your peer is using a Cisco router and is behind NAT, then you might need to add the following option:
126	136
127		- rightid=NATIP
	137	+```
	138	+rightid=NATIP
	139	+```
128	140
129	141	# See also
130	142	* [Network settings](/howto/networksettings)

howto/IPv6-Multicast.md

...	...	@@ -28,7 +28,7 @@ rfc8815 deprecated pim-sm, please take a look at the new multicast page about pi
28	28
29	29	* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
30	30
31		- ```
	31	+ ```conf
32	32	# /etc/network/interfaces.d/pim6sd
33	33	auto pim-router-id
34	34	iface pim-router-id inet manual
...	...	@@ -86,7 +86,7 @@ You can now switch into this test network namespace via "ip netns exec /bin/bash
86	86
87	87	### Creating a test multicast listener
88	88
89		-```
	89	+```sh
90	90	$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
91	91	```
92	92
...	...	@@ -94,7 +94,7 @@ $ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::1
94	94
95	95	First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
96	96
97		-```
	97	+```sh
98	98	$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
99	99	$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
100	100	```
...	...	@@ -145,18 +145,18 @@ However you can usually just announce and use both RFC3306 and RFC3956 based mul
145	145	#### Bootstrap Router
146	146
147	147	If you want to be participate as a bootstrap router candidate, please read up on how PIM works first. If you join with a bootstrap router candidate add it here below with contact information and join #dn42-multicast on HackInt:
148		-* <BSR-ADDR1> - [email protected], foo@HackInt
149		-* <BSR-ADDR2> - ...
	148	+* \<BSR-ADDR1> - [email protected], foo@HackInt
	149	+* \<BSR-ADDR2> - ...
150	150
151	151	#### Shared multicast addresses
152	152
153	153	Next to personal multicast prefixes generated by network prefix (RFC3306 or RFC3956) there can also be multicast addresses not owned by a specific AS. In general any one can just set up a multicast sender or listener for those. However to work, they need a reliable RP for coordination.
154	154
155	155	If you want to offer an RP candidate for a shared multicast address, please read up on how PIM works first. If you join with an RP candidate for a shared multicast address add it here below with contact information and join #dn42-multicast on HackInt:
156		-* <multicast-address1>/128:
157		- - <RP-address1> - [email protected], foo@HackInt
158		- - <RP-address2> - [email protected], bar@HackInt
159		-* <multicast-address2>/128:
	156	+* \<multicast-address1>/128:
	157	+ - \<RP-address1> - [email protected], foo@HackInt
	158	+ - \<RP-address2> - [email protected], bar@HackInt
	159	+* \<multicast-address2>/128:
160	160	- ...
161	161
162	162	## Questions?

howto/IPv6.md

...	...	@@ -65,7 +65,7 @@ Enter NPT. Address your services using a reserved private block, and map that bl
65	65	For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
66	66
67	67	In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
68		-```
	68	+```sh
69	69	ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
70	70	ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
71	71	```

howto/OpenBGPD.md

...	...	@@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
16	16
17	17	## local host
18	18	Information such as ASN, router ID and allocated networks are required:
19		-```
	19	+```conf
20	20	# macros
21	21	ASN="4242421234"
22	22
...	...	@@ -31,7 +31,7 @@ prefix-set mynetworks {
31	31
32	32	These can be used in subsequent filter rules.
33	33	The local peer's announcements is then defined as follows:
34		-```
	34	+```conf
35	35	# Generate routes for the networks our ASN will originate.
36	36	# The communities (read 'tags') are later used to match on what
37	37	# is announced to EBGP neighbors
...	...	@@ -41,7 +41,7 @@ network prefix-set mynetworks set large-community $ASN:1:1
41	41	## neighbors
42	42	For each neighbor its ASN and transfer ULA is required.
43	43	An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
44		-```
	44	+```conf
45	45	# peer A, transport over IPSec/GRE
46	46	$A_local="fd00:12:34:A::1"
47	47	$A_remote="fd00:12:34:A::2"
...	...	@@ -61,7 +61,7 @@ The filter rules are evaluated in sequential order, form first to last.
61	61	The last matching allow or deny rule decides what action is taken.
62	62
63	63	Start off with basic protection and sanity rules:
64		-```
	64	+```conf
65	65	# deny more-specifics of our own originated prefixes
66	66	deny quick from ebgp prefix-set mynetworks or-longer
67	67
...	...	@@ -72,7 +72,7 @@ deny quick from any max-as-len 8
72	72	`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
73	73
74	74	Allow own announcements:
75		-```
	75	+```conf
76	76	# Outbound EBGP: only allow self originated networks to ebgp peers
77	77	# Don't leak any routes from upstream or peering sessions. This is done
78	78	# by checking for routes that are tagged with the large-community $ASN:1:1
...	...	@@ -80,7 +80,7 @@ allow to ebgp prefix-set mynetworks large-community $ASN:1:1
80	80	```
81	81
82	82	Allow all remaining UPDATES based on Origin Validation States:
83		-```
	83	+```conf
84	84	# enforce ROA
85	85	allow from ebgp ovs valid
86	86	```
...	...	@@ -89,7 +89,7 @@ Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `
89	89
90	90	### path attributes
91	91	Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
92		-```
	92	+```conf
93	93	# Scrub normal and large communities relevant to our ASN from EBGP neighbors
94	94	# https://tools.ietf.org/html/rfc7454#section-11
95	95	match from ebgp set { large-community delete $ASN:: }
...	...	@@ -123,7 +123,7 @@ roa-set {
123	123	```
124	124
125	125	Include it in `/etc/bgpd.conf`:
126		-```
	126	+```conf
127	127	# defines roat-set, see _rpki-client crontab
128	128	include "/etc/dn42.roa-set"
129	129	```

howto/OpenWRT.md

...	...	@@ -28,9 +28,11 @@ This is needed so that OpenWRT is aware of the new interfaces (for firewall and
28	28
29	29	In `/etc/config/network`, add entries for each dn42 interface:
30	30
31		- config interface dn42peer1
32		- option ifname tun-peer1
33		- option proto none
	31	+```conf
	32	+config interface dn42peer1
	33	+ option ifname tun-peer1
	34	+ option proto none
	35	+```
34	36
35	37	## Firewall
36	38
...	...	@@ -43,28 +45,36 @@ Everything is done in `/etc/config/firewall`.
43	45
44	46	### Zone declaration
45	47
46		- config zone
47		- option name dn42
48		- option network 'dn42peer1 dn42peer2 dn42peer3'
49		- option input REJECT
50		- option output ACCEPT
51		- option forward REJECT
	48	+```conf
	49	+config zone
	50	+ option name dn42
	51	+ option network 'dn42peer1 dn42peer2 dn42peer3'
	52	+ option input REJECT
	53	+ option output ACCEPT
	54	+ option forward REJECT
	55	+```
52	56
53	57	If you need to NAT your home network into dn42, you probably just need to add:
54	58
55		- option masq 1
	59	+```conf
	60	+option masq 1
	61	+```
56	62
57	63	### dn42 ↔ LAN forwarding
58	64
59		- config forwarding
60		- option src lan
61		- option dest dn42
	65	+```conf
	66	+config forwarding
	67	+ option src lan
	68	+ option dest dn42
	69	+```
62	70
63	71	If you're confident enough, you can also forward dn42 into your LAN:
64	72
65		- config forwarding
66		- option src dn42
67		- option dest lan
	73	+```conf
	74	+config forwarding
	75	+ option src dn42
	76	+ option dest lan
	77	+```
68	78
69	79	Or you can forward only certain ports, to certain hosts, etc (standard `config rule` stuff)
70	80
...	...	@@ -72,7 +82,9 @@ Or you can forward only certain ports, to certain hosts, etc (standard `config r
72	82
73	83	This is more tricky. In theory, all you have to do is to set
74	84
75		- option forward ACCEPT
	85	+```conf
	86	+option forward ACCEPT
	87	+```
76	88
77	89	in the definition of the zone. However, due to a bug in Attitude Adjustment (see <https://dev.openwrt.org/ticket/12945>), this will allow forwarding everything everywhere.
78	90

howto/Quagga.md

...	...	@@ -6,16 +6,20 @@ Quagga is probably one of the oldest software router around. It still works, of
6	6
7	7	Use this in your `zebra.conf`:
8	8
9		- route-map RM_SET_SRC permit 10
10		- set src 172.22.XX.XX
11		- ip protocol bgp route-map RM_SET_SRC
	9	+```conf
	10	+route-map RM_SET_SRC permit 10
	11	+ set src 172.22.XX.XX
	12	+ip protocol bgp route-map RM_SET_SRC
	13	+```
12	14
13	15	Unfortunately, this is not possible with IPv6...
14	16
15	17	## Important bgp commands
16	18	To connect to bgpd use:
17	19
18		- $ vtysh
	20	+```sh
	21	+$ vtysh
	22	+```
19	23
20	24	Which provides an interactive interface.
21	25	In this interface '?' can be used to list the available commands or subcommands.
...	...	@@ -23,82 +27,94 @@ In this interface '?' can be used to list the available commands or subcommands.
23	27	## Configure Quagga
24	28	a minimal config would look like this:
25	29
26		- vtysh> configure terminal
27		- vtysh(config)> router bgp <your-asn>
28		- vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
29		- vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
30		- vtysh(config-router)> exit
31		- vtysh(config)> exit
	30	+```sh
	31	+vtysh> configure terminal
	32	+vtysh(config)> router bgp <your-asn>
	33	+vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
	34	+vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
	35	+vtysh(config-router)> exit
	36	+vtysh(config)> exit
	37	+```
32	38
33	39	### IPv6
34	40	for IPv6 do something like
35	41
36		- vtysh> configure terminal
37		- vtysh(config)> router bgp <your-asn>
38		- vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
39		- vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
40		- vtysh(config-router)> no neighbor <neighbor-ip> activate
41		- vtysh(config-router)> address-family ipv6
42		- vtysh(config-router-af)> neighbor <neighbor-ip> activate
43		- vtysh(config-router-af)> exit
44		- vtysh(config-router)> exit
45		- vtysh(config)> exit
	42	+```sh
	43	+vtysh> configure terminal
	44	+vtysh(config)> router bgp <your-asn>
	45	+vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
	46	+vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
	47	+vtysh(config-router)> no neighbor <neighbor-ip> activate
	48	+vtysh(config-router)> address-family ipv6
	49	+vtysh(config-router-af)> neighbor <neighbor-ip> activate
	50	+vtysh(config-router-af)> exit
	51	+vtysh(config-router)> exit
	52	+vtysh(config)> exit
	53	+```
46	54
47	55	### peer groups, prefix lists and such
48	56	If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.
49	57
50	58	Define a peer group:
51	59
52		- vtysh(config-router)> neighbor <peer-group-name> peer-group
	60	+```sh
	61	+vtysh(config-router)> neighbor <peer-group-name> peer-group
	62	+```
53	63
54	64	Apply to a neighbor:
55	65
56		- vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
	66	+```sh
	67	+vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
	68	+```
57	69
58	70	Apply a prefix list for incoming prefixes to your peer group:
59	71
60		- vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
	72	+```sh
	73	+vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
	74	+```
61	75
62	76	#### Example filter list
63	77
64		- ip prefix-list vpn-in description BGP IPv4 import filter
65		- !old network:
66		- ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
67		- !new dn42 allocation:
68		- ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
69		-
70		- ! Anycast /32s for Whois and DNS:
71		- ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
72		- ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
73		-
74		- ip prefix-list vpn-in seq 18 permit 192.175.48.0/24
75		- ip prefix-list vpn-in seq 20 deny 10.10.10.0/24
76		- ip prefix-list vpn-in seq 21 permit 10.0.0.0/8
77		- ip prefix-list vpn-in seq 30 permit 172.31.0.0/16
78		- ip prefix-list vpn-in seq 39 permit 100.64.0.0/10
79		- ip prefix-list vpn-in seq 40 permit 195.160.168.0/23
80		- ip prefix-list vpn-in seq 41 permit 91.204.4.0/22
81		- ip prefix-list vpn-in seq 43 permit 193.43.220.0/23
82		- ip prefix-list vpn-in seq 46 permit 83.133.178.0/23
83		- ip prefix-list vpn-in seq 47 permit 87.106.29.254/32
84		- ip prefix-list vpn-in seq 50 permit 85.25.246.16/28
85		- ip prefix-list vpn-in seq 51 permit 46.4.248.192/27
86		- ip prefix-list vpn-in seq 60 permit 94.45.224.0/19
87		- ip prefix-list vpn-in seq 70 permit 195.191.196.0/23
88		- ip prefix-list vpn-in seq 80 permit 80.244.241.224/27
89		- ip prefix-list vpn-in seq 90 permit 46.19.90.48/28
90		- ip prefix-list vpn-in seq 91 permit 46.19.90.96/28
91		- ip prefix-list vpn-in seq 110 permit 188.40.34.241/32
92		- ip prefix-list vpn-in seq 130 permit 37.1.89.192/26
93		- ip prefix-list vpn-in seq 140 permit 178.33.32.123/32
94		- ip prefix-list vpn-in seq 150 permit 87.98.246.19/32
95		- ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
96		-
97		- ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
98		- ipv6 prefix-list vpn-in seq 15 deny any
	78	+```sh
	79	+ip prefix-list vpn-in description BGP IPv4 import filter
	80	+!old network:
	81	+ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
	82	+!new dn42 allocation:
	83	+ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
	84	+
	85	+! Anycast /32s for Whois and DNS:
	86	+ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
	87	+ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
	88	+
	89	+ip prefix-list vpn-in seq 18 permit 192.175.48.0/24
	90	+ip prefix-list vpn-in seq 20 deny 10.10.10.0/24
	91	+ip prefix-list vpn-in seq 21 permit 10.0.0.0/8
	92	+ip prefix-list vpn-in seq 30 permit 172.31.0.0/16
	93	+ip prefix-list vpn-in seq 39 permit 100.64.0.0/10
	94	+ip prefix-list vpn-in seq 40 permit 195.160.168.0/23
	95	+ip prefix-list vpn-in seq 41 permit 91.204.4.0/22
	96	+ip prefix-list vpn-in seq 43 permit 193.43.220.0/23
	97	+ip prefix-list vpn-in seq 46 permit 83.133.178.0/23
	98	+ip prefix-list vpn-in seq 47 permit 87.106.29.254/32
	99	+ip prefix-list vpn-in seq 50 permit 85.25.246.16/28
	100	+ip prefix-list vpn-in seq 51 permit 46.4.248.192/27
	101	+ip prefix-list vpn-in seq 60 permit 94.45.224.0/19
	102	+ip prefix-list vpn-in seq 70 permit 195.191.196.0/23
	103	+ip prefix-list vpn-in seq 80 permit 80.244.241.224/27
	104	+ip prefix-list vpn-in seq 90 permit 46.19.90.48/28
	105	+ip prefix-list vpn-in seq 91 permit 46.19.90.96/28
	106	+ip prefix-list vpn-in seq 110 permit 188.40.34.241/32
	107	+ip prefix-list vpn-in seq 130 permit 37.1.89.192/26
	108	+ip prefix-list vpn-in seq 140 permit 178.33.32.123/32
	109	+ip prefix-list vpn-in seq 150 permit 87.98.246.19/32
	110	+ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
	111	+
	112	+ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
	113	+ipv6 prefix-list vpn-in seq 15 deny any
	114	+```
99	115
100	116	#### Example filter list script
101		-```
	117	+```sh
102	118	#!/bin/bash
103	119
104	120	vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list

howto/ROA-slash-RPKI.md

...	...	@@ -32,11 +32,12 @@ You can find a hosted example of dn42regsrv at <https://explorer.burble.com/>
32	32	Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv).
33	33
34	34	You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
35		-
36		- git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
37		- cd contrib/docker
38		- ./build.sh
39		- docker-compose up -d
	35	+```sh
	36	+git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
	37	+cd contrib/docker
	38	+./build.sh
	39	+docker-compose up -d
	40	+```
40	41
41	42	Documentation for the api endpoints can be found here: <https://git.burble.com/burble.dn42/dn42regsrv/src/master/API.md>
42	43
...	...	@@ -48,7 +49,9 @@ burble kindly provides ready-to-use files for gortr here:
48	49
49	50	You can use these to simply run gortr via docker:
50	51
51		- docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
	52	+```sh
	53	+docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
	54	+```
52	55
53	56	### rtrtr
54	57
...	...	@@ -56,21 +59,25 @@ rtrtr is a RTR server from NLNet Labs. It's compatible with the dn42regsrv ROA-J
56	59
57	60	NLNet Labs provides an official docker image. You just have to bind mount a suitable configuration file:
58	61
59		- docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
	62	+```sh
	63	+docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
	64	+```
60	65
61	66	This is a working configuration file for dn42. Maybe change the listen addresses:
62	67
63		- log_level = "debug"
64		- log_target = "stderr"
65		- http-listen = []
66		- [units.dn42-json]
67		- type = "json"
68		- uri = "https://dn42.burble.com/roa/dn42_roa_46.json"
69		- refresh = 600
70		- [targets.dn42-rtr]
71		- type = "rtr"
72		- listen = ["0.0.0.0:323", "[::]:323"]
73		- unit = "dn42-json"
	68	+```conf
	69	+log_level = "debug"
	70	+log_target = "stderr"
	71	+http-listen = []
	72	+[units.dn42-json]
	73	+type = "json"
	74	+uri = "https://dn42.burble.com/roa/dn42_roa_46.json"
	75	+refresh = 600
	76	+[targets.dn42-rtr]
	77	+type = "rtr"
	78	+listen = ["0.0.0.0:323", "[::]:323"]
	79	+unit = "dn42-json"
	80	+```
74	81
75	82	For more information cosult the official documentation: <https://rtrtr.docs.nlnetlabs.nl/en/stable/>
76	83

howto/Registry-Authentication.md

...	...	@@ -50,7 +50,7 @@ There are three options for doing this. but you only need to do one of these
50	50	### `auth` attribute format, when your public key is in gitea or a public keyserver
51	51
52	52	- Use the following `auth` attribute in your `mntner` object:
53		-```
	53	+```conf
54	54	auth: pgp-fingerprint <fingerprint>
55	55	```
56	56	Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
...	...	@@ -62,7 +62,7 @@ Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
62	62	Tip: look at the existing key-cert objects for examples of how to add your public key
63	63
64	64	- In this case the `auth` attribute must refer to the new key-cert object so use the following in your `mntner` object:
65		-```
	65	+```conf
66	66	auth: PGPKEY-<short fingerprint>
67	67	```
68	68	Where `<short fingerprint>` is the last 8 digits from your key fingerprint.
...	...	@@ -76,7 +76,7 @@ Where `<short fingerprint>` is the last 8 digits from your key fingerprint.
76	76	- Use `git commit -S` to commit and sign your change.
77	77
78	78	- If you have already committed your change without signing it, you can sign the existing commit using:
79		-```
	79	+```sh
80	80	git commit --amend --no-edit -S
81	81	```
82	82	If you had already pushed your change to gitea, you must also do a force push (`git push --force`) to update the remote copy.
...	...	@@ -105,17 +105,17 @@ If you cannot get the above to work you may also:
105	105	### `auth` attribute format when using an ssh key
106	106
107	107	The generic format for authentication using an SSH key is as follows:
108		-```
	108	+```conf
109	109	auth: ssh-<keytype> <pubkey>
110	110	```
111	111
112	112	Common examples:
113	113
114		-```
	114	+```conf
115	115	auth: ssh-ed25519 <pubkey>
116	116	```
117	117
118		-```
	118	+```conf
119	119	auth: ssh-rsa <pubkey>
120	120	```
121	121
...	...	@@ -131,13 +131,13 @@ Brief instructions are below, however there are also more detailed guides availa
131	131
132	132	- Set your git signature format to be SSH
133	133
134		-```
	134	+```sh
135	135	git config --global gpg.format ssh
136	136	```
137	137
138	138	- Tell git which SSH key to use
139	139
140		-```
	140	+```sh
141	141	git config --global user.signingKey '<ssh public key>'
142	142	```
143	143
...	...	@@ -167,13 +167,13 @@ The registry includes a script that uses ssh-keygen signatures to sign your chan
167	167
168	168	#### How to sign
169	169
170		-```
	170	+```sh
171	171	./sign-my-commit --ssh --key <path to your SSH private key> --push <MNTNER>
172	172	```
173	173
174	174	e.g.
175	175
176		-```
	176	+```sh
177	177	./sign-my-commit --ssh --key /home/foo/.ssh/id_ed25519 --push FOO-MNT
178	178	```
179	179
...	...	@@ -181,7 +181,7 @@ e.g.
181	181
182	182	The script can also verify your signature:
183	183
184		-```
	184	+```sh
185	185	./sign-my-commit --ssh --verify <MNTNER>
186	186	```
187	187
...	...	@@ -231,7 +231,7 @@ Please try and upgrade your ssh-keygen version and use the generic ssh-keygen me
231	231	### Authentication with an SSH RSA key
232	232
233	233	- Use the following `auth` attribute in your `mntner` object:
234		-```
	234	+```conf
235	235	auth: ssh-rsa <pubkey>
236	236	```
237	237	Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
...	...	@@ -269,7 +269,7 @@ openssl pkeyutl \
269	269	### Authentication with an SSH ecdsa key
270	270
271	271	- Use the following `auth` attribute in your `mntner` object:
272		-```
	272	+```conf
273	273	auth: ecdsa-sha2-nistp256 <pubkey>
274	274	```
275	275	Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.

howto/Static-routes-on-Windows.md

...	...	@@ -1,6 +1,6 @@
1	1	Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
2	2
3		-```
	3	+```sh
4	4	@echo off
5	5	REM fill in YOUR network information
6	6	REM right click and RUN AS ADMIN

howto/lglass.md

...	...	@@ -1,6 +1,8 @@
1	1	lglass is a Python software package designed for Internet Registries like the DN42. You can generate zone files for DNS and rDNS IPv4/v6, and handle the registry. It is available on GitHub as free software:
2	2
3		- $ git clone git://github.com/fritz0705/lglass.git
	3	+```sh
	4	+$ git clone git://github.com/fritz0705/lglass.git
	5	+```
4	6
5	7	## Links
6	8	- [Fritz Gihub repo](https://github.com/fritz0705/lglass)
...	...	@@ -10,27 +12,31 @@ lglass is a Python software package designed for Internet Registries like the DN
10	12
11	13	lglass provides an event-based whois daemon with internal caching, which was written in Python. It is very simple to run an instance:
12	14
13		- $ ./bin/lglass-whoisd
	15	+```sh
	16	+$ ./bin/lglass-whoisd
	17	+```
14	18
15	19	without the configfile:
16	20
17		- $ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
18		-.
19		-
20		- usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
21		- [--cidr] [--no-cidr] [--inverse] [--no-inverse]
22		-
23		- optional arguments:
24		- -h, --help show this help message and exit
25		- -4 Listen on IPv4
26		- -6 Listen on IPv6
27		- --host HOST, -H HOST Listen on host
28		- --port PORT, -p PORT Listen on port
29		- --cidr, -c Perform CIDR matching on queries
30		- --no-cidr Do not perform CIDR matching on queries
31		- --inverse, -i Perform inverse matching on queries
32		- --no-inverse Do not perform inverse matching on queries
33		-
	21	+```sh
	22	+$ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
	23	+```
	24	+
	25	+```
	26	+usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
	27	+ [--cidr] [--no-cidr] [--inverse] [--no-inverse]
	28	+
	29	+optional arguments:
	30	+ -h, --help show this help message and exit
	31	+ -4 Listen on IPv4
	32	+ -6 Listen on IPv6
	33	+ --host HOST, -H HOST Listen on host
	34	+ --port PORT, -p PORT Listen on port
	35	+ --cidr, -c Perform CIDR matching on queries
	36	+ --no-cidr Do not perform CIDR matching on queries
	37	+ --inverse, -i Perform inverse matching on queries
	38	+ --no-inverse Do not perform inverse matching on queries
	39	+```
34	40
35	41	## Generate zone files
36	42
...	...	@@ -38,32 +44,42 @@ lglass also provides a script to generate zone files from the registry. It's nam
38	44
39	45	To generate DNS zones:
40	46
41		- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
	47	+```sh
	48	+$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
	49	+```
42	50
43	51	To generate IPv4 rDNS zones:
44	52
45		- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
	53	+```sh
	54	+$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
	55	+```
46	56
47	57	To generate IPv6 rDNS zones:
48		-
49		- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
	58	+```sh
	59	+$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
	60	+```
50	61
51	62	## Reformat RPSL files
52	63
53	64	You can also reformat RPSL files using lglass by using the lglass.rpsl module:
54	65
55		- $ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
	66	+```sh
	67	+$ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
	68	+```
56	69
57	70	lglass.rpsl also supports in-place operation:
58	71
59		- $ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
	72	+```sh
	73	+$ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
	74	+```
60	75
61	76	This opens the file, reads the content into memory, seeks to position 0, writes the formatted object and truncates the file.
62	77	Simple web interface
63	78
64	79	lglass also comes with a simple web interface written in Python3 using Bottle and Jinja2. It also provides a binary to run it using wsgiref:
65		-
66		- $ ./bin/lglass-web
	80	+```sh
	81	+$ ./bin/lglass-web
	82	+```
67	83
68	84	Furthermore you can use any WSGI server like Gunicorn by using lglass.web.application:app as WSGI callback. You can provide a path to the configuration file in the environment variable `LGLASS_WEB_CFG`.
69	85

howto/networksettings.md

...	...	@@ -13,22 +13,22 @@ That is why `rp_filter` needs to be disabled.
13	13
14	14	Note using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
15	15
16		-```
	16	+```sh
17	17	sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
18	18	```
19	19
20	20	Check that its really disabled:
21		-```
	21	+```sh
22	22	sysctl -a \| grep rp_filter
23	23	```
24	24
25	25	Also the following options must be set.
26		-```
	26	+```sh
27	27	$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
28	28	```
29	29
30	30	Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
31		-```
	31	+```sh
32	32	$ sysctl -a \| grep forwarding
33	33	```
34	34

howto/nixos.md

...	...	@@ -15,7 +15,7 @@ If you still want to give it a try, here you'll find some inspiration from my se
15	15	Defining the container environment is the base part of the setup. Beginning with network setup, Private Network disables the passthrough of Host Interfaces into the container and adds a bridged Interface to the host default Interface (e.g. eth0). The localAddress is the container side address and the hostAddress is the one the Host gets. Inside the ```container.<name>.config```, you can basicly import the same nix expression as from the Host and don't need to add some special container parts.
16	16
17	17	```nix
18		- containers.dn42 = {
	18	+containers.dn42 = {
19	19	hostAddress = "192.168.254.1"; # Transfer Network
20	20	hostAddress6 = "2001:db08::42"; # Transfer Network
21	21	localAddress = "116.203.1.5";
...	...	@@ -24,22 +24,22 @@ Defining the container environment is the base part of the setup. Beginning with
24	24	autoStart = true;
25	25
26	26	config = { config, pkgs, ... }: {
27		- imports = [
28		- ./peers # Folder with a config for every Peer
29		- ./dns.nix # Bind with the litschi.dn42 zone deligated
30		- ./bird.nix # Bird config for BGP Routing
31		- ./networking.nix # Static Network configuration (with firewall)
32		- ./nginx.nix # nginx config for litschi.dn42
33		- ];
34		- environment.systemPackages = with pkgs; [
35		- # Network debug tools
36		- dnsutils
37		- mtr
38		- tcpdump
39		- wireguard-tools
40		- ];
	27	+ imports = [
	28	+ ./peers # Folder with a config for every Peer
	29	+ ./dns.nix # Bind with the litschi.dn42 zone deligated
	30	+ ./bird.nix # Bird config for BGP Routing
	31	+ ./networking.nix # Static Network configuration (with firewall)
	32	+ ./nginx.nix # nginx config for litschi.dn42
	33	+ ];
	34	+ environment.systemPackages = with pkgs; [
	35	+ # Network debug tools
	36	+ dnsutils
	37	+ mtr
	38	+ tcpdump
	39	+ wireguard-tools
	40	+ ];
41	41	}
42		- }
	42	+}
43	43	```
44	44
45	45	In theory the container should now be starting and you can get shell access with ```sudo nixos-container root-login <name> ```.
...	...	@@ -47,20 +47,20 @@ In theory the container should now be starting and you can get shell access wit
47	47	I mounted some host paths into the container for dns zone files and static homepage since the container is the only one providing .dn42 webservers.
48	48
49	49	```nix
50		- containers.dn42 = {
	50	+containers.dn42 = {
51	51	bindMounts = {
52		- "/var/www/dn42" = {
53		- hostPath = "/var/www/dn42";
54		- isReadOnly = true;
55		- mountPoint = "/var/www/dn42";
56		- };
57		- "/var/dns/dn42" = {
58		- hostPath = "/var/dns/dn42";
59		- isReadOnly = true;
60		- mountPoint = "/var/dns";
61		- };
	52	+ "/var/www/dn42" = {
	53	+ hostPath = "/var/www/dn42";
	54	+ isReadOnly = true;
	55	+ mountPoint = "/var/www/dn42";
	56	+ };
	57	+ "/var/dns/dn42" = {
	58	+ hostPath = "/var/dns/dn42";
	59	+ isReadOnly = true;
	60	+ mountPoint = "/var/dns";
	61	+ };
62	62	};
63		- }
	63	+}
64	64	```
65	65
66	66	### Network Setup
...	...	@@ -68,28 +68,28 @@ I mounted some host paths into the container for dns zone files and static homep
68	68	As mentioned above, I got a spare public IPv4 Address, but by adding it as ```localAddress```, the container Part is configured static enough. But to forward traffic between Intferfaces ```/proc/sys/net/``` should configured
69	69
70	70	```nix
71		- boot.kernel.sysctl = {
	71	+boot.kernel.sysctl = {
72	72	"net.ipv4.ip_forward" = 1;
73	73	"net.ipv6.conf.all.forwarding" = 1;
74		- };
	74	+};
75	75	```
76	76	This allows our firewall to configure forwarding between peers and other tunnels. What is allowed to be forwarded can be configured in the firewall. Ferm has only few NixOS Options, but is pretty basic. Its configured with the ```services.ferm.config``` options, that contains just a string. Within this string there's standard plain ferm config. Example config is attached below.
77	77	If the dn42 address is not bound at any other Interface, you need to add it to the lo Interface to use it as source IP when routing via peers with dedicated transfer net.
78	78	```nix
79		- networking.interfaces.lo = {
80		- ipv4.addresses = [
	79	+networking.interfaces.lo = {
	80	+ ipv4.addresses = [
81	81	{
82		- address = "172.23.73.65";
83		- prefixLength = 32;
	82	+ address = "172.23.73.65";
	83	+ prefixLength = 32;
84	84	}
85		- ];
86		- ipv6.addresses = [
	85	+ ];
	86	+ ipv6.addresses = [
87	87	{
88		- address = "fd67:24bd:a1ea::1";
89		- prefixLength = 128;
	88	+ address = "fd67:24bd:a1ea::1";
	89	+ prefixLength = 128;
90	90	}
91		- ];
92		- };
	91	+ ];
	92	+};
93	93	```
94	94
95	95	#### Ferm example
...	...	@@ -100,40 +100,40 @@ services.ferm = {
100	100	domain ip table filter chain INPUT proto icmp ACCEPT;
101	101	domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;
102	102	domain (ip ip6) table filter {
103		- chain INPUT {
104		- policy DROP;
105		- interface lo ACCEPT;
106		- interface intern-+ ACCEPT;
107		- # website
108		- proto tcp dport (http https) ACCEPT;
109		- # wireguard
110		- proto udp dport ( <Wireguard Ports> ) ACCEPT;
111		- # bgp
112		- proto tcp dport (179) ACCEPT;
113		- # dns
114		- proto (udp tcp) dport domain ACCEPT;
115		- mod state state (INVALID) DROP;
116		- mod state state (ESTABLISHED RELATED) ACCEPT;
117		- }
118		- chain OUTPUT {
119		- policy ACCEPT;
120		- }
121		- chain FORWARD {
122		- policy DROP;
123		- # allow intern routing and dn42 forwarding
124		- interface dn42-+ outerface dn42-+ ACCEPT;
125		- interface intern-+ outerface intern-+ ACCEPT;
126		- interface intern-+ outerface dn42-+ ACCEPT;
127		- # but dn42 -> intern only with execptions
128		- interface dn42-+ outerface intern-+ {
129		- proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind intern-+ Interfaces
130		- proto tcp dport (ssh) ACCEPT;
131		- mod state state (ESTABLISHED) ACCEPT;
	103	+ chain INPUT {
	104	+ policy DROP;
	105	+ interface lo ACCEPT;
	106	+ interface intern-+ ACCEPT;
	107	+ # website
	108	+ proto tcp dport (http https) ACCEPT;
	109	+ # wireguard
	110	+ proto udp dport ( <Wireguard Ports> ) ACCEPT;
	111	+ # bgp
	112	+ proto tcp dport (179) ACCEPT;
	113	+ # dns
	114	+ proto (udp tcp) dport domain ACCEPT;
	115	+ mod state state (INVALID) DROP;
	116	+ mod state state (ESTABLISHED RELATED) ACCEPT;
	117	+ }
	118	+ chain OUTPUT {
	119	+ policy ACCEPT;
	120	+ }
	121	+ chain FORWARD {
	122	+ policy DROP;
	123	+ # allow intern routing and dn42 forwarding
	124	+ interface dn42-+ outerface dn42-+ ACCEPT;
	125	+ interface intern-+ outerface intern-+ ACCEPT;
	126	+ interface intern-+ outerface dn42-+ ACCEPT;
	127	+ # but dn42 -> intern only with execptions
	128	+ interface dn42-+ outerface intern-+ {
	129	+ proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind intern-+ Interfaces
	130	+ proto tcp dport (ssh) ACCEPT;
	131	+ mod state state (ESTABLISHED) ACCEPT;
	132	+ }
132	133	}
133		- }
134	134	}
135	135	'';
136		- };
	136	+};
137	137	```
138	138
139	139	### Peering with wireguard
...	...	@@ -144,23 +144,23 @@ A sample wireguard config may look like this:
144	144	```nix
145	145	{config, pkgs, ...}:
146	146	{
147		- networking.wireguard.interfaces.dn42-peer = {
148		- privateKey = "";
149		- allowedIPsAsRoutes = false;
150		- listenPort = 42420;
151		-
152		- peers = [
153		- {
154		- publicKey = "";
155		- allowedIPs = [ "0.0.0.0/0" "::/0" ];
156		- endpoint = "42.42.42.42:42421";
157		- }
158		- ];
159		- postSetup = ''
160		- ${pkgs.iproute}/bin/ip addr add 169.254.0.1/32 peer 169.254.0.0/32 dev dn42-peer
161		- ${pkgs.iproute}/bin/ip -6 addr add fe80::1220/64 dev dn42-peer
162		- '';
163		- };
	147	+ networking.wireguard.interfaces.dn42-peer = {
	148	+ privateKey = "";
	149	+ allowedIPsAsRoutes = false;
	150	+ listenPort = 42420;
	151	+
	152	+ peers = [
	153	+ {
	154	+ publicKey = "";
	155	+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
	156	+ endpoint = "42.42.42.42:42421";
	157	+ }
	158	+ ];
	159	+ postSetup = ''
	160	+ ${pkgs.iproute}/bin/ip addr add 169.254.0.1/32 peer 169.254.0.0/32 dev dn42-peer
	161	+ ${pkgs.iproute}/bin/ip -6 addr add fe80::1220/64 dev dn42-peer
	162	+ '';
	163	+ };
164	164	}
165	165	```
166	166
...	...	@@ -176,41 +176,40 @@ Like ferm, Bird2 is configured by ```services.bird2.config``` containing a strin
176	176	Sample example to update ROA's :
177	177	```nix
178	178	{ pkgs, lib, ... }:
179		-let
180		- script = pkgs.writeShellScriptBin "update-roa" ''
	179	+let script = pkgs.writeShellScriptBin "update-roa" ''
181	180	mkdir -p /etc/bird/
182	181	${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
183	182	${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
184	183	${pkgs.bird2}/bin/birdc c
185	184	${pkgs.bird2}/bin/birdc reload in all
186		- '';
	185	+ '';
187	186	in
188	187	{
189		- systemd.timers.dn42-roa = {
190		- description = "Trigger a ROA table update";
	188	+ systemd.timers.dn42-roa = {
	189	+ description = "Trigger a ROA table update";
	190	+
	191	+ timerConfig = {
	192	+ OnBootSec = "5m";
	193	+ OnUnitInactiveSec = "1h";
	194	+ Unit = "dn42-roa.service";
	195	+ };
191	196
192		- timerConfig = {
193		- OnBootSec = "5m";
194		- OnUnitInactiveSec = "1h";
195		- Unit = "dn42-roa.service";
	197	+ wantedBy = [ "timers.target" ];
	198	+ before = [ "bird.service" ];
196	199	};
197	200
198		- wantedBy = [ "timers.target" ];
199		- before = [ "bird.service" ];
200		- };
201		-
202		- systemd.services = {
203		- dn42-roa = {
204		- after = [ "network.target" ];
205		- description = "DN42 ROA Updated";
206		- unitConfig = {
207		- Type = "one-shot";
208		- };
209		- serviceConfig = {
210		- ExecStart = "${script}/bin/update-roa";
211		- };
	201	+ systemd.services = {
	202	+ dn42-roa = {
	203	+ after = [ "network.target" ];
	204	+ description = "DN42 ROA Updated";
	205	+ unitConfig = {
	206	+ Type = "one-shot";
	207	+ };
	208	+ serviceConfig = {
	209	+ ExecStart = "${script}/bin/update-roa";
	210	+ };
	211	+ };
212	212	};
213		- };
214	213	}
215	214	```
216	215
...	...	@@ -221,14 +220,14 @@ There is now (thanks to [Tchekda](https://github.com/NixOS/nixpkgs/pull/153481))
221	220	```nix
222	221	bird-lg = {
223	222	proxy = {
224		- enable = true;
225		- allowedIPs = [ "172.20.XX.XX" "172.20.XX.YY" ];
	223	+ enable = true;
	224	+ allowedIPs = [ "172.20.XX.XX" "172.20.XX.YY" ];
226	225	};
227	226	frontend = {
228		- enable = true;
229		- netSpecificMode = "dn42";
230		- servers = [ "node1" "node2" ];
231		- domain = "domain.dn42";
	227	+ enable = true;
	228	+ netSpecificMode = "dn42";
	229	+ servers = [ "node1" "node2" ];
	230	+ domain = "domain.dn42";
232	231	};
233	232	};
234	233	```

howto/openvpn.md

...	...	@@ -10,7 +10,7 @@
10	10	* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
11	11	* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
12	12
13		-```
	13	+```conf
14	14	#/etc/openvpn/<PEER_NAME>
15	15	proto <PROTO>
16	16	mode p2p
...	...	@@ -39,7 +39,7 @@ secret /etc/openvpn/<PEER_NAME>.key
39	39
40	40	then create a new key and share it with your peer
41	41
42		-```
	42	+```sh
43	43	$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
44	44	```
45	45
...	...	@@ -47,7 +47,7 @@ $ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
47	47
48	48	## peer with fixed ip
49	49
50		-```
	50	+```conf
51	51	proto <PROTO>
52	52	mode p2p
53	53	dev-type tun
...	...	@@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
72	72	* `<REMOTE_HOST>` is the ip address of your peer
73	73	* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
74	74
75		-```
	75	+```conf
76	76	proto <PROTO>
77	77	mode p2p
78	78	remote <REMOTE_HOST>
...	...	@@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
99	99
100	100	Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
101	101
102		-```
	102	+```conf
103	103	mode server
104	104	tls-server
105	105
...	...	@@ -152,7 +152,7 @@ push "route 172.22.0.0 255.254.0.0"
152	152
153	153	Change `<SERVER>` and `<PORT>`.
154	154
155		-```
	155	+```conf
156	156	client
157	157
158	158	ca ca.crt

howto/systemd-networkd-configuration-example.md

...	...	@@ -5,7 +5,7 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
5	5	# Configuration
6	6
7	7	## loopback device (lo.network)
8		-```
	8	+```conf
9	9	[Match]
10	10	Name=lo
11	11
...	...	@@ -14,7 +14,7 @@ Address=fdff:b02d:2ef7::2/128
14	14	```
15	15
16	16	## wireguard netdev (dn42p1.netdev)
17		-```
	17	+```conf
18	18	[NetDev]
19	19	Name = dn42p1
20	20	Kind = wireguard
...	...	@@ -31,7 +31,7 @@ AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
31	31	```
32	32
33	33	## wireguard network (dn42p1.network)
34		-```
	34	+```conf
35	35	[Match]
36	36	Name = dn42p1
37	37

howto/tinc.md

...	...	@@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
10	10
11	11	Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
12	12
13		-```
	13	+```conf
14	14	Interface = dn42_yourpeer
15	15	Name = your_host
16	16	# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
...	...	@@ -26,7 +26,7 @@ Tinc requires to add manually ip addresses and routes to the tap/tun interfaces.
26	26	Example `/etc/tinc/dn42_yourpeer/tinc-up`:
27	27
28	28	Linux/iproute2
29		-```
	29	+```sh
30	30	#!/bin/sh
31	31
32	32	# set the interface up
...	...	@@ -44,13 +44,13 @@ For authentication tinc uses public key authentication instead of certificates o
44	44	For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
45	45	is required. To generate a public/private key pair use:
46	46
47		-```
	47	+```sh
48	48	$ tincd -K
49	49	```
50	50
51	51	Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
52	52
53		-```
	53	+```conf
54	54	# address/port are optional, in case they're missing you only expect connections from that host
55	55	Address = <fqdn/ip_addr>
56	56	Port = <port\|655>
...	...	@@ -74,19 +74,19 @@ Installation:
74	74	* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
75	75
76	76	Set up a new tinc network
77		-```
	77	+```sh
78	78	# tinc -n dn42_yourpeer init dn42_yourself
79	79	```
80	80
81	81	Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
82		-```
	82	+```sh
83	83	$ tinc invite yourpeer
84	84	<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
85	85	```
86	86
87	87	On the other node you can join by using:
88	88
89		-```
	89	+```sh
90	90	$ tinc join <invitation-url>
91	91	```
92	92

howto/wireguard.md

...	...	@@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
9	9
10	10	First generate on each peer public and private keys.
11	11
12		-```
	12	+```sh
13	13	$ wg genkey \| tee privatekey \| wg pubkey > publickey
14	14	```
15	15
16	16	## Configuration
17	17
18		-```
	18	+```conf
19	19	# tunnel.conf
20	20	[Interface]
21	21	PrivateKey = <private_key>
...	...	@@ -38,7 +38,7 @@ AllowedIPs = 0.0.0.0/0,::/0
38	38	Wireguard comes with its own interface type.
39	39	It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
40	40
41		-```
	41	+```sh
42	42	$ ip link add dev <interface_name> type wireguard
43	43	$ wg setconf <interface_name> tunnel.conf
44	44	# both side pick a different link-local ipv6 address
...	...	@@ -54,7 +54,7 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
54	54
55	55	## Testing
56	56
57		-```
	57	+```sh
58	58	ping fe80::<your_peers_suffix>%<interface_name>
59	59	```
60	60
...	...	@@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
94	94
95	95	An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
96	96
97		-```
	97	+```conf
98	98	[Interface]
99	99	PrivateKey = <your private key>
100	100	Address = <your link-local address, if any>
...	...	@@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
114	114	Example configuration for systemd-networkd.
115	115
116	116	peer.netdev
117		-```text
	117	+```conf
118	118	[NetDev]
119	119	Name=<ifname>
120	120	Kind=wireguard
...	...	@@ -134,7 +134,7 @@ AllowedIPs=0.0.0.0/0
134	134	```
135	135
136	136	peer.network
137		-```text
	137	+```conf
138	138	[Match]
139	139	Name=<ifname>
140	140
...	...	@@ -172,6 +172,6 @@ Peer=<your peer's IPv4 address>/32
172	172	As wireguard are only resolving the hostname to IP only on start, dynamics DNS will stop working after a while without further configuration. The Following is a [script](https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.sh) from wireguard which will "re-resolve" the DNS and update the wireguard.
173	173
174	174	You can add cron entries to periodically "re-resolve" the DNS:
175		-```
	175	+```sh
176	176	* * * * * /path-to-the-script/reresolve-dns.sh
177	177	```

internal/Internal-Services.md

...	...	@@ -186,9 +186,9 @@ Providers of shell access:
186	186
187	187	\| Person \| Hostname \| Net \| Description \| Contact \|
188	188	\|:------------- \|:-------------------------------------- \|:---------------- \|:---------------- \|:------------- \|
189		-\| mc36 \| telnet test.nop.dn42 \| dn42 only \|looking glass \| - \|
190		-\| JerryXiao \| ssh [email protected] \| dn42 and icvpn \|looking glass \| - \|
191		-\| burble \| ssh <mntner>@shell.fr-rbx1.burble.dn42 <br/> ssh <mntner>@shell.ca-bhs2.burble.dn42 \| dn42 \|Full shell account\| See below \|
	189	+\| mc36 \| `telnet test.nop.dn42` \| dn42 only \|looking glass \| - \|
	190	+\| JerryXiao \| `ssh [email protected]` \| dn42 and icvpn \|looking glass \| - \|
	191	+\| burble \| `ssh <mntner>@shell.fr-rbx1.burble.dn42` <br/> `ssh <mntner>@shell.ca-bhs2.burble.dn42` \| dn42 \| Full shell account \| See below \|
192	192
193	193	### burble.dn42 shell access
194	194

internal/ShowAndTell.md

...	...	@@ -22,7 +22,7 @@ Document your mad setups in the categories below, with links to a full write up,
22	22	- Wired: Token Ring/X.25/ATM/ISDN etc (encapsulation allowed, but bonus points for real physical networks)
23	23	- Wireless: dn42 via microwave/laser/satellite
24	24
25		-... your stuff goes here
	25	+... your stuff goes here
26	26
27	27	## Things attached to dn42
28	28	- The thing must be pingable from dn42

services/Automatic-CA.md

...	...	@@ -55,7 +55,9 @@ Server certificates are signed for 45 days. To renew follow the steps above star
55	55
56	56	get the script here:
57	57
	58	+```sh
58	59	curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
	60	+```
59	61
60	62	available via git: [email protected]:dn42/ca-client
61	63
...	...	@@ -106,7 +108,7 @@ Environtment Options:
106	108
107	109	Generate the user key
108	110
109		-```
	111	+```sh
110	112	$ ./ca.dn42 user-gen XUU-MNT [email protected]
111	113	Generating a 2048 bit RSA private key
112	114	...............................+++
...	...	@@ -121,7 +123,7 @@ writing new private key to 'XUU-MNT.key'
121	123
122	124	### Sign the user key
123	125
124		-```
	126	+```sh
125	127	$ ./ca.dn42 user-sign XUU-MNT [email protected]
126	128	== USER CERT ==
127	129	C:XD
...	...	@@ -138,7 +140,7 @@ Verifying - Enter Export Password:
138	140
139	141	### Generate the server key
140	142
141		-```
	143	+```sh
142	144	$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT [email protected] DNS:ca.dn42
143	145
144	146	Generating a 2048 bit RSA private key
...	...	@@ -162,7 +164,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
162	164
163	165	### Sign the server key
164	166
165		-```
	167	+```sh
166	168	$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
167	169	== USER CERT ==
168	170	C:XD
...	...	@@ -190,13 +192,13 @@ Verifying - Enter Export Password: ****
190	192
191	193	The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
192	194
193		-```
	195	+```sh
194	196	0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
195	197	```
196	198
197	199	or with a systemd timer:
198	200
199		-```
	201	+```conf
200	202	# update-dn42-ca.timer
201	203	[Timer]
202	204	OnBootSec=1h
...	...	@@ -207,7 +209,7 @@ Persistent=yes
207	209	WantedBy=timers.target
208	210	```
209	211
210		-```
	212	+```conf
211	213	[Service]
212	214	Type=oneshot
213	215	WorkingDirectory=/etc/ssl/dn42
...	...	@@ -219,7 +221,7 @@ ExecStart=/usr/bin/nginx -s reload
219	221
220	222	### Revoke a certificate.
221	223
222		-```
	224	+```sh
223	225	$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
224	226	== USER CERT ==
225	227	C:XD

services/Certificate-Authority.md

...	...	@@ -101,11 +101,11 @@ C0IKqQ==
101	101	## Testing constraints
102	102
103	103	The name constraints can be verified for example by using openssl:
104		-```
105		- openssl x509 -in dn42.crt -text -noout
	104	+```sh
	105	+openssl x509 -in dn42.crt -text -noout
106	106	```
107	107	which will show among other things:
108		-```
	108	+```text
109	109	X509v3 Name Constraints:
110	110	Permitted:
111	111	DNS:.dn42

services/DNS.md

...	...	@@ -24,7 +24,7 @@ service and configure the other service as the secondary or backup nameserver.
24	24
25	25	Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
26	26
27		-```text
	27	+```conf
28	28	nameserver 172.20.0.53
29	29	nameserver 172.23.0.53
30	30	nameserver fd42:d42:d42:54::1
...	...	@@ -34,7 +34,7 @@ search dn42
34	34
35	35	Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
36	36
37		-```text
	37	+```conf
38	38	nameserver fd42:d42:d42:53::1
39	39	nameserver fd42:d42:d42:54::1
40	40	nameserver 172.23.0.53

services/Distributed-Wiki.md

...	...	@@ -39,9 +39,9 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
39	39	- Contact [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) and ask for write access to the repo
40	40	- Setup cron for periodic pull/push jobs for the repo (simple example):
41	41
42		- + wiki-sync.sh:
	42	+ + wiki-sync.sh:
43	43
44		- ```sh
	44	+ ```sh
45	45	#!/bin/bash
46	46
47	47	WIKI_PATH=<repo path>
...	...	@@ -52,13 +52,13 @@ ${GIT} push
52	52	${GIT} pull
53	53
54	54	exit 0
55		- ```
	55	+ ```
56	56
57		- + Cron entry:
	57	+ + Cron entry:
58	58
59		- `/10 * * * <path>/wiki-sync.sh &> /dev/null`
	59	+ `/10 * * * <path>/wiki-sync.sh &> /dev/null`
60	60
61		- Running in 10 minute intervals is reasonable, if you choose to change this, please keep it in the range from 5 to 15 minutes.
	61	+ Running in 10 minute intervals is reasonable, if you choose to change this, please keep it in the range from 5 to 15 minutes.
62	62
63	63	## gollum
64	64
...	...	@@ -84,7 +84,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
84	84	- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [[email protected]](mailto:[email protected]):
85	85	- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
86	86
87		-```
	87	+```sh
88	88	./ca.dn42 tls-gen \
89	89	<AS>-<CC>(-<UID>).wiki.dn42 \
90	90	EXAMPLE-MNT \
...	...	@@ -109,13 +109,13 @@ A custom header `X-SiteID` identifies the site you're connecting to:
109	109
110	110	- Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
111	111
112		- ```
	112	+ ```sh
113	113	openssl rsa -in wiki.key -outform der -pubout \| openssl dgst -sha256 -binary \| openssl enc -base64
114	114	```
115	115
116	116	- Configure Nginx to send the fingerprint in header (SSL block):
117	117
118		- ```
	118	+ ```conf
119	119	add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
120	120	```
121	121
...	...	@@ -137,7 +137,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
137	137
138	138	#### Config example
139	139
140		-```
	140	+```conf
141	141	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
142	142	ssl_session_cache shared:SSL:2m;
143	143
...	...	@@ -196,7 +196,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
196	196
197	197	#### Configuration
198	198
199		-```
	199	+```conf
200	200	# exabgp.conf
201	201
202	202	group gollum-watchdog {

services/IRC.md

...	...	@@ -3,7 +3,6 @@
3	3
4	4	We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. A connection is only possible via TLS on port 6697.
5	5
6		-
7	6	\| Network \| Hostname \| SSL \| IPv4 \| IPv6 \|
8	7	\|:--------\|:------------------------------------------\|:------ \|:-------------------------- \|:------------ \|
9	8	\| DN42 \| [irc.hackint.dn42](ircs://irc.hackint.dn42:6697) \| Yes \| 172.20.66.67 \| fd42:d42:d42:6667::1 \|
...	...	@@ -11,7 +10,7 @@ We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is
11	10
12	11
13	12	### via public internet
14		-\| Hostname \| Location \|
	13	+\| Hostname \| Location \|
15	14	\|:------------------------------------------------- \|:-------------------------- \|
16	15	\| [irc.hackint.org](ircs://irc.hackint.org:6697) \| Global \|
17	16	\| [irc.eu.hackint.org](ircs://irc.eu.hackint.org:6697) \| European \|

services/IXP-frnte.md

...	...	@@ -48,15 +48,19 @@ A Ruby script to calculate the IPv6 can be found on [ixp\_frnte\_dn42\_prefix.rb
48	48
49	49	An example configuration for Debian based Linux distributions would be:
50	50
51		- iface ensXX inet6 static
52		- address fde0:93fa:7a0:2:0:fcde:3558:1/64
	51	+```sh
	52	+iface ensXX inet6 static
	53	+ address fde0:93fa:7a0:2:0:fcde:3558:1/64
	54	+```
53	55
54	56	Here `ensXX` is the dn42 VLAN interface. This can be determined by comparing the MAC address of the interface with the MAC address of the dn42 VLAN in Proxmox. The MAC address can be determined on Linux with `ip l`:
55	57
56		- ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
57		- 1500 qdisc pfifo_fast state UP mode DEFAULT group
58		- default qlen 1000
59		- link/ether MAC brd ff:ff:ff:ff:ff:ff
	58	+```sh
	59	+ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
	60	+ 1500 qdisc pfifo_fast state UP mode DEFAULT group
	61	+ default qlen 1000
	62	+ link/ether MAC brd ff:ff:ff:ff:ff:ff
	63	+```
60	64
61	65	`MAC` would be the MAC address. After that you can activate the interface with ifup or a reboot of the VM.
62	66	Of course there are other configuration possibilities. This is only an example for Debian-based Linux distributions.
...	...	@@ -71,17 +75,19 @@ You can now enter this configuration into your routing daemon and it will connec
71	75
72	76	An example configuration for bird2 would be the following:
73	77
74		- protocol bgp ixp_rs from dnpeers {
75		- neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
	78	+```conf
	79	+protocol bgp ixp_rs from dnpeers {
	80	+ neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
76	81
77		- enable extended messages on;
78		- direct;
79		- enforce first as off;
	82	+ enable extended messages on;
	83	+ direct;
	84	+ enforce first as off;
80	85
81		- ipv4 {
82		- extended next hop;
83		- };
84		- }
	86	+ ipv4 {
	87	+ extended next hop;
	88	+ };
	89	+}
	90	+```
85	91
86	92	What does this configuration do?
87	93
...	...	@@ -107,8 +113,8 @@ Furthermore, you can display different routes (in case of bird with `birdc show
107	113	One can also try to ping the IP of some at the IXP. From the latency you can also see if everything is working:
108	114
109	115	* Burble's pingable
110		- * 172.20.129.5
111		- * fd42:4242:2601:ac05::1
	116	+ * `172.20.129.5`
	117	+ * `fd42:4242:2601:ac05::1`
112	118	* Bandura's pingable:
113		- * 172.22.149.224
114		- * fd04:234e:fc31::
	119	+ * `172.22.149.224`
	120	+ * `fd04:234e:fc31::`

services/Route-Collector.md

...	...	@@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
25	25
26	26	Example bird2 config:
27	27
28		-```text
	28	+```conf
29	29	protocol bgp ROUTE_COLLECTOR
30	30	{
31	31	local as *YOUR_ASN*;

services/Statistics.md

...	...	@@ -11,7 +11,7 @@ Channel statistics for #dn42@hackint are available at: <https://dev.0l.dn42/stat
11	11
12	12	#### collectd.conf
13	13
14		-```
	14	+```conf
15	15	LoadPlugin exec
16	16	<Plugin exec>
17	17	Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"

services/Whois.md

...	...	@@ -66,8 +66,10 @@ Mirrors are hosted at `asn.grmml.dn42` and `asn.lorkep.dn42`.
66	66
67	67	Example:
68	68
69		- $ dig +short AS4242420000.asn.dn42 TXT
70		- "4242420000 \| DN42 \| dn42 \| \| PYROPETER-AS PyroPeters AS"
	69	+```sh
	70	+$ dig +short AS4242420000.asn.dn42 TXT
	71	+"4242420000 \| DN42 \| dn42 \| \| PYROPETER-AS PyroPeters AS"
	72	+```
71	73
72	74	The Python code for generating the zone from the registry is available on the monotone repository.
73	75

services/dns/Configuration.md

...	...	@@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
27	27	If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
28	28	by adding the following to /etc/bind/named.conf.local
29	29
30		-```
	30	+```conf
31	31	zone "dn42" {
32	32	type forward;
33	33	forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
...	...	@@ -71,7 +71,7 @@ options {
71	71	Note: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
72	72
73	73	To disable DNSSEC validation only for certain TLDs include the following in the options section:
74		-```
	74	+```conf
75	75	options {
76	76	# [...]
77	77
...	...	@@ -93,7 +93,7 @@ options {
93	93
94	94	If you are running dnsmasq under openwrt, you just have to add
95	95
96		-```
	96	+```conf
97	97	config dnsmasq
98	98	option boguspriv '0'
99	99	option rebind_protection '1'
...	...	@@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
115	115
116	116	For normal dnsmasq use
117	117
118		-```
	118	+```conf
119	119	server=/dn42/172.20.0.53
120	120	server=/20.172.in-addr.arpa/172.20.0.53
121	121	server=/21.172.in-addr.arpa/172.20.0.53
...	...	@@ -129,7 +129,7 @@ in `dnsmasq.conf`.
129	129	## PowerDNS recursor
130	130	Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS).
131	131
132		-```
	132	+```conf
133	133	dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
134	134	forward-zones-recurse=dn42=172.20.0.53
135	135	forward-zones-recurse+=20.172.in-addr.arpa=172.20.0.53
...	...	@@ -143,7 +143,7 @@ forward-zones-recurse+=d.f.ip6.arpa=172.20.0.53
143	143	## MaraDNS
144	144	Put this in your mararc:
145	145
146		-```
	146	+```conf
147	147	ipv4_alias["dn42_root"] = "172.20.0.53"
148	148	root_servers["dn42."] = "dn42_root"
149	149	root_servers["20.172.in-addr.arpa."] = "dn42_root"
...	...	@@ -158,7 +158,7 @@ root_servers["10.in-addr.arpa."] = "dn42_root"
158	158	Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
159	159	point to a file with DNSKEY records for dn42.
160	160
161		-```
	161	+```conf
162	162	server:
163	163	local-zone: "20.172.in-addr.arpa." nodefault
164	164	local-zone: "21.172.in-addr.arpa." nodefault
...	...	@@ -205,11 +205,11 @@ forward-zone:
205	205
206	206	## JunOS (SRX 12.1X46)
207	207	Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
208		-```
	208	+```sh
209	209	restart named-service
210	210	```
211	211	Config (vlan.0 is presumed to be your LAN/Trust interface)
212		-```
	212	+```conf
213	213	system {
214	214	services {
215	215	dns {
...	...	@@ -289,17 +289,17 @@ All delegation servers have DNSSEC support and all record are signed, for more i
289	289	Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers.
290	290
291	291	This is an example for dn42. and (fake) ds-rdata of 1 2 3 456
292		-```
	292	+```conf
293	293	dn42. 86400 IN DS 1 2 3 456
294	294	```
295	295
296	296	This is an example for 172.20.0.0/16 and (fake) ds-rdata of 1 2 3 456
297		-```
	297	+```conf
298	298	20.172.in-addr.arpa. 86400 IN DS 1 2 3 456
299	299	```
300	300
301	301	This is an example for fd00::/8 and (fake) ds-rdata of 1 2 3 456
302		-```
	302	+```conf
303	303	d.f.ip6.arpa. 86400 IN DS 1 2 3 456
304	304	```
305	305
...	...	@@ -323,7 +323,7 @@ d.f.ip6.arpa. 86400 IN DS 1 2 3 456
323	323
324	324
325	325	## Unbound
326		-```
	326	+```conf
327	327	trust-anchor-file: <path to key file>
328	328
329	329	server:

services/dns/Recursive-DNS-resolver.md

...	...	@@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/services/dns/
8	8
9	9	Configuration for `unbound.conf`
10	10
11		-```
	11	+```conf
12	12	server:
13	13	local-zone: "22.172.in-addr.arpa." nodefault
14	14	local-zone: "23.172.in-addr.arpa." nodefault
...	...	@@ -35,7 +35,7 @@ stub-zone:
35	35	### Unbound with root-hints
36	36	Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
37	37
38		-```
	38	+```conf
39	39	# /etc/unbound/unbound.conf.d/dn42.conf
40	40	server:
41	41	# DNSSEC validation will fail
...	...	@@ -55,7 +55,7 @@ remote-control:
55	55	```
56	56
57	57	The `/etc/unbound/dn42.hints` file:
58		-```
	58	+```conf
59	59	. NS a.root-servers.dn42.
60	60	a.root-servers.dn42. 3600000 A 172.22.177.6
61	61	. NS m.root-servers.dn42.