diff --git a/howto/new-machine-cymru.md b/howto/new-machine-cymru.md
index d337da9cb1f940f4964e93f0dfd90ad479d3de3a..2b4ad3421543014454799c992a382caa03e55f2b 100644
--- a/howto/new-machine-cymru.md
+++ b/howto/new-machine-cymru.md
@@ -344,8 +344,22 @@ roaming [IPsec](howto/ipsec) node) inside the cluster. Anarcat did so with such
 a config in the [Puppet](howto/puppet) `profile::ganeti::chi` class with a
 [configuration detailed in the IPsec docs](howto/ipsec#special-case-roaming-clients).
 
+The TL;DR: once configured, this is, client side:
+
+    ip a add 172.30.141.242/32 dev br0
+    ipsec restart
+
+On the server side (chi-node-01):
+
+    sysctl net.ipv4.ip_forward=1
+
+Those are the two settings that are not permanent and might not have
+survived a reboot or a network disconnect.
+
 Once that configuration is enabled, you should be able to ping inside
-`172.30.140.0/24`. 
+`172.30.140.0/24` from the client, for example:
+
+    ping 172.30.140.110
 
 Note that this configuration only works between `chi-node-13` and
 `chi-node-01`. The IP `172.30.140.101` (currently `eth2` on