From c37a5a867f734f2cbe114a2e5c3ef7667325c250 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 15 Feb 2021 11:40:48 -0500
Subject: [PATCH] add tldr for ipsec+cymru

---
 howto/new-machine-cymru.md | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/howto/new-machine-cymru.md b/howto/new-machine-cymru.md
index d337da9c..2b4ad342 100644
--- a/howto/new-machine-cymru.md
+++ b/howto/new-machine-cymru.md
@@ -344,8 +344,22 @@ roaming [IPsec](howto/ipsec) node) inside the cluster. Anarcat did so with such
 a config in the [Puppet](howto/puppet) `profile::ganeti::chi` class with a
 [configuration detailed in the IPsec docs](howto/ipsec#special-case-roaming-clients).
 
+The TL;DR: once configured, this is, client side:
+
+    ip a add 172.30.141.242/32 dev br0
+    ipsec restart
+
+On the server side (chi-node-01):
+
+    sysctl net.ipv4.ip_forward=1
+
+Those are the two settings that are not permanent and might not have
+survived a reboot or a network disconnect.
+
 Once that configuration is enabled, you should be able to ping inside
-`172.30.140.0/24`. 
+`172.30.140.0/24` from the client, for example:
+
+    ping 172.30.140.110
 
 Note that this configuration only works between `chi-node-13` and
 `chi-node-01`. The IP `172.30.140.101` (currently `eth2` on
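Review bot: The server-side step `sysctl net.ipv4.ip_forward=1` is documented as runtime state that has to be re-applied by hand after a reboot, and the new paragraph does not say whether that is intentional. The surrounding text says the setup already lives in the Puppet `profile::ganeti::chi` class, so consider persisting the sysctl there (or in a sysctl.d drop-in) and keeping the manual command only as a recovery step. If forwarding is deliberately left off by default on chi-node-01, say so here, since the setting turns on IPv4 forwarding for the whole host and not just the IPsec path. Two smaller points on wording: "Those are the two settings" follows three commands, so name them explicitly (the `172.30.141.242/32` address on `br0` and `ip_forward`, with `ipsec restart` as the action that applies them), and state that "client side" means `chi-node-13`, which the unchanged context below only implies.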
-- 
GitLab