man: add support for multiple addresses/ranges/subnets in ipsec.conf left=

1 files changed, 10 insertions, 3 deletions

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 61abc0a0e..b85172923 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -488,9 +488,8 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.BR left " = <ip address> | <fqdn> | " %any
-(required)
-the IP address of the left participant's public-network interface
+.BR left " = <ip address> | <fqdn> | " %any " | <range> | <subnet> "
+The IP address of the left participant's public-network interface
 or one of several magic values.
 The value
 .B %any
@@ -510,6 +509,14 @@ If
 .B %any
 is used for the remote endpoint it literally means any IP address.
 
+To limit the connection to a  specific range of hosts, a range (
+.BR 10.1.0.0-10.2.255.255
+) or a subnet (
+.BR 10.1.0.0/16
+) can be specified, and multiple addresses, ranges and subnets can be separated
+by commas. While one can freely combine these items, to initiate the connection
+at least one non-range/subnet is required.
+
 Please note that with the usage of wildcards multiple connection descriptions
 might match a given incoming connection attempt. The most specific description
 is used in that case.