Have a look at the discussion between me and Mike Belopuhov that took
place not so long ago here... We have covered most of the troubles that
you might have met following the man pages.

22.05.2012 10:14, Wesley wrote:
> Hi,
>
> I'm trying to have this
> 192.168.0.0/24--lan--5.1GW--egress--INTERNET--win7rw
> working.
>
> Gw : (OpenBSD 5.1) hostname vpn.X.net
>     lan has 192.168.0.51/24
>     egress has a static ip address : aa.bb.cc.dd
>     lan, egress are groups to easily manage PF.
>
> win7rw : Host Windows7 Road Warrior with
>     dynamic ip address
>     hostname : win7test
>     ikev2 ip address : 192.168.0.77/24
>
> What I have done :
> pkg_add zip
> net.inet.ip.forwarding=1
> 2 groups for network cards : lan,egress
>
> PF.conf:
> set block-policy drop
> set skip on {lo,enc0}
> match out on egress from lan:network to any nat-to egress
> block log all
> pass in on egress proto esp
> pass in on egress proto udp from any to any port {500,4500}
> pass in on egress proto tcp from any to any port 22
> pass out on egress
> pass on lan
>
> Create certificates :
> ikectl ca vpn create
> ikectl ca vpn install
>
> Parts that I don't understand, if someone can help me on :
> -For server, I need a certificate server for vpn.X.net ? or aa.bb.cc.dd ?
> ikectl ca vpn certificate ? create #(for server)
> ikectl ca vpn certificate ? install #(for server)
>
> -For win7, I need a certificate host for win7test ? or 192.168.0.77 ?
> ikectl ca vpn certificate ?? create #(for win7)
> ikectl ca vpn certificate ?? export #(for win7)
>
> -On the GW
> /etc/iked.conf:
> ikev2 esp \
> from any to any peer any \
> srcid vpn.X.net \
> config address 192.168.0.77
>
> Run /sbin/iked -dvv
>
> Finally :
> On the win7, open certmgr.msc to add the certificates
> add the 2 pfx certificates in the "Trusted Root Certification
> Authorities store"
> And create an IKEv2 connection without EAP.
>
> Thank you very much for your help.
>
> Cheers,
>
> Wesley M.A.
>

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
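The pf rule set quoted in the question is the part of this setup that decides what the gateway exposes to the Internet, so it is worth checking mechanically rather than by eye. The script below is an added example, not code from either poster: it parses a small subset of pf.conf syntax (`pass in on <iface> proto <proto> ... port <spec>` and `set skip on {...}`), lists the inbound services on egress, and compares them against the minimum an IKEv2 road-warrior gateway needs (ESP, UDP/500 for IKE, UDP/4500 for NAT-T). The sample pf.conf is constructed from the rules in the mail; the regular expressions cover only the rule forms used there, not full pf grammar, and `audit()` and its allow-list argument are this example's own names.

```python
import re

# Constructed sample: the pf.conf rules from the thread, as a road-warrior
# gateway would carry them (added example input, not the poster's file).
PF_CONF = """\
set block-policy drop
set skip on {lo,enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto esp
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto tcp from any to any port 22
pass out on egress
pass on lan
"""

# What an IKEv2 road-warrior gateway must accept from the Internet:
# ESP itself, IKE on UDP/500 and NAT-T (UDP-encapsulated ESP) on UDP/4500.
IKEV2_EXPOSURE = {("esp", None), ("udp", 500), ("udp", 4500)}

# Subset of pf syntax: "pass in on IFACE proto PROTO [from X to Y] [port SPEC]".
PASS_IN_RE = re.compile(
    r"^pass\s+in\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"(?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))?"
    r"(?:\s+port\s+(?P<ports>\{[^}]*\}|\S+))?\s*$"
)


def _expand_ports(spec):
    """Expand a pf port spec ('22', '{500,4500}', range 'lo:hi') into ints.

    None (no port clause, e.g. proto esp) yields {None}."""
    if spec is None:
        return {None}
    ports = set()
    for item in spec.strip("{}").split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def inbound_exposure(conf, iface="egress"):
    """Return {(proto, port)} passed in on `iface`; port is None for ESP etc."""
    exposure = set()
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = PASS_IN_RE.match(line)
        if not m or m.group("iface") != iface:
            continue
        for port in _expand_ports(m.group("ports")):
            exposure.add((m.group("proto"), port))
    return exposure


def skipped_interfaces(conf):
    """Interfaces named in 'set skip on ...'; pf does not filter these at all."""
    skipped = set()
    for line in conf.splitlines():
        m = re.match(r"^set\s+skip\s+on\s+(\{[^}]*\}|\S+)", line.strip())
        if m:
            skipped.update(x.strip() for x in m.group(1).strip("{}").split(","))
    return skipped


def audit(conf, allowed_extra=frozenset()):
    """Compare inbound services on egress with IKEv2 needs plus an allow-list.

    'unexpected' is anything exposed beyond IKEv2 and allowed_extra;
    'missing' is any IKEv2 port the rule set forgot;
    'enc0_unfiltered' flags that decrypted VPN traffic bypasses pf entirely,
    which is what 'set skip on enc0' means and what the poster chose."""
    exposure = inbound_exposure(conf)
    return {
        "exposure": exposure,
        "unexpected": exposure - IKEV2_EXPOSURE - set(allowed_extra),
        "missing": IKEV2_EXPOSURE - exposure,
        "enc0_unfiltered": "enc0" in skipped_interfaces(conf),
    }


if __name__ == "__main__":
    report = audit(PF_CONF, allowed_extra={("tcp", 22)})
    print("inbound on egress:", sorted(report["exposure"], key=str))
    print("unexpected:", report["unexpected"], "missing:", report["missing"])
    print("enc0 bypasses pf:", report["enc0_unfiltered"])
```

Run as-is it reports only the expected IKEv2 ports plus SSH on egress, nothing unexpected and nothing missing; dropping the 4500 entry from the UDP rule makes `missing` light up, which is the usual cause of a road warrior behind NAT failing even though IKE on 500 completes. The `enc0_unfiltered` flag is informational: `set skip on enc0` is a common choice, but it means no pf rule applies to traffic arriving through the tunnel.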
