diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 491318294..c0543a366 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2004-12-11
+ 2004-12-31
2001-2004
@@ -2223,6 +2223,67 @@ eth0 192.168.1.0/24 :4000-5000 tcp
+
+
+ IPSEC (Added in Shorewall version 2.2.0)
+
+
+ If you specify a value other than "-" in this column, you must
+ be running kernel 2.6 and your kernel and iptables must include
+ policy match support.
+
+ The value in this column is a comma-separated list of options
+ from the following. Only packets that will be encrypted via an SA
+ that matches these options will have their source address
+ changed.
+
+
+
+ Yes or yes ― Match any SA. Normally used as the only
+ option.
+
+
+
+ reqid=<number> where
+ <number> is specified using setkey(8)
+ using the 'unique:<number>' option
+ for the SPD level.
+
+
+
+ spi=<number> where
+ <number> is the SPI of the SA.
+
+
+
+ proto=ah|esp|ipcomp
+
+
+
+ mode=transport|tunnel
+
+
+
+ tunnel-src=<address>[/<mask>]
+ (only available with mode=tunnel)
+
+
+
+ tunnel-dst=<address>[/<mask>]
+ (only available with mode=tunnel)
+
+
+
+ strict — Means that packets must match all rules.
+
+
+
+ next — Separates rules; can only be used with
+ strict.
+
+
+
+