path: root/man/ipsec.conf.5.in
author: Yves-Alexis Perez <corsac@corsac.net> 2017-11-21 10:22:31 +0100
committer: Yves-Alexis Perez <corsac@corsac.net> 2017-11-21 10:22:31 +0100
commit: e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e
tree: ae0c8b5f4cd8289d0797882ea18969f33ea59a1e /man/ipsec.conf.5.in
parent: 11d6b62db969bdd808d0f56706cb18f113927a31
New upstream version 5.6.1
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r-- man/ipsec.conf.5.in 16
1 file changed, 11 insertions, 5 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 69aeba8cb..774df75ac 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -631,6 +631,12 @@ constraint (without ike: prefix) will also apply to IKEv2 authentication, unless
this is disabled in
.BR strongswan.conf (5).
+To use or require RSASSA-PSS signatures use rsa/pss instead of rsa as in e.g.
+.BR ike:rsa/pss-sha256 .
+If \fBpubkey\fR or \fBrsa\fR constraints are configured RSASSA-PSS signatures
+will only be used/accepted if enabled in
+.BR strongswan.conf (5).
+
For
.BR eap ,
an optional EAP method can be appended. Currently defined methods are
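Review bot: The new paragraph says RSASSA-PSS signatures "will only be used/accepted if enabled in strongswan.conf (5)" but never names the option, so the reader has to search the other man page to find the switch that decides whether a plain pubkey or rsa constraint admits PSS. Please name the setting inline. "used/accepted" also merges two cases, what the local side signs with and what it accepts from the peer; a sentence for each would make clear which one an rsa constraint governs. It would also help to state explicitly whether an explicit ike:rsa/pss-sha256 constraint takes effect without that setting, since the text only implies it.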
@@ -1031,8 +1037,8 @@ Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
below.
.TP
.BR mark " = <value>[/<mask>]"
-sets an XFRM mark in the inbound and outbound
-IPsec SAs and policies. If the mask is missing then a default
+sets an XFRM mark on the inbound policy and outbound
+IPsec SA and policy. If the mask is missing then a default
mask of
.B 0xffffffff
is assumed. The special value
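Review bot: In the reworded mark description, the fact that the inbound SA is no longer marked is conveyed only by omission ("on the inbound policy and outbound IPsec SA and policy"), whereas the mark_in entry further down spells it out with "(not on the SA)". Suggest using the same explicit parenthetical here, because a reader skimming this entry after an upgrade can easily miss that the inbound SA has been dropped from the list, and setups that match on a mark for inbound SAs would change behaviour without any hint in the text.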
@@ -1043,13 +1049,13 @@ make the mark unique for each IPsec SA direction (in/out) the special value
may be used.
.TP
.BR mark_in " = <value>[/<mask>]"
-sets an XFRM mark in the inbound IPsec SA and
-policy. If the mask is missing then a default mask of
+sets an XFRM mark on the inbound policy (not on the SA). If the mask is missing
+then a default mask of
.B 0xffffffff
is assumed.
.TP
.BR mark_out " = <value>[/<mask>]"
-sets an XFRM mark in the outbound IPsec SA and
+sets an XFRM mark on the outbound IPsec SA and
policy. If the mask is missing then a default mask of
.B 0xffffffff
is assumed.
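Review bot: The context line at the top of this hunk still describes the special value as making the mark "unique for each IPsec SA direction (in/out)", which no longer fits the mark_in text stating that the mark is set "on the inbound policy (not on the SA)". Please adjust that sentence so it says what the inbound unique mark is actually applied to. As a style point, the mark_in paragraph was re-wrapped while mark_out only changed "in" to "on"; keeping the original line breaks in mark_in would make the one-word semantic change easier to see in the diff.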