Shamefully I must admit what many OpenBSD'ers consider a crime worse than intercourse with the devil, namely to follow a so-called "Howto" (http://www.mouedine.net/) and within minutes having my daughter's Windows 7 road "warrior" up and running connected to my OpenBSD gateway using IKEv2.
Luckily for those that think natively in man pages, I'm stuck with how to achieve the same thing with my OpenBSD real road warriors, so now is your chance to tell me off.

On the gateway the following /etc/iked.conf works for the win7 client:

    # cat /etc/iked.conf
    ikev2 passive esp \
        from 192.168.3.0/24 to 10.10.10.0/24 \
        local a.b.c.d peer any \
        srcid a.b.c.d \
        config address 10.10.10.7

I've generated certificates for one of my OpenBSD clients:

    # ikectl ca vpn certificate t500 create   (+ export)

copied them to the client and extracted them according to ikectl(8):

    # tar -C /etc/iked laptop -xzpf t500.tgz

which brought /etc/iked on the laptop to contain:

    ./ca/ca.crt
    ./certs/t500.crt
    ./crls/ca.crl
    ./export/ca.pfx
    ./export/t500.pfx
    ./private/t500.key
    ./private/local.key
    ./local.pub

What is difficult to derive from the multitude of man pages from this point onward, is:

1) how to add the client to /etc/iked.conf on the gateway.
2) how to configure and start the client.

I think I'll be able to figure out most of it if someone would just point me in the right direction.

Cheers,
Erling
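As an added illustration (not part of Erling's post, nor an official OpenBSD example), here is one way the two iked.conf(5) files could look once the gateway has a second, named flow for the certificate-authenticated OpenBSD client alongside the existing win7 flow. Everything beyond the post's own values is assumed: the flow names "win7" and "t500", the client address 10.10.10.8, the ID "t500" matching the CN of the certificate created with `ikectl ca vpn certificate t500 create`, and the `from dynamic` / `request address any` keywords, which exist in current iked.conf(5) but may not in older releases.

```conf
# ---- gateway: /etc/iked.conf (assumed layout, added example) ----
# Existing win7 flow, unchanged apart from a name so the two are distinct.
ikev2 "win7" passive esp \
    from 192.168.3.0/24 to 10.10.10.0/24 \
    local a.b.c.d peer any \
    srcid a.b.c.d \
    config address 10.10.10.7

# OpenBSD road warrior.  dstid pins the flow to the client certificate's
# CN "t500" (assumed) so it cannot match the win7 policy; the CA in
# /etc/iked/ca/ca.crt must have signed the client cert, and the client's
# public key or cert must be available under /etc/iked/certs or /etc/iked/pubkeys.
ikev2 "t500" passive esp \
    from 192.168.3.0/24 to 10.10.10.8 \
    local a.b.c.d peer any \
    srcid a.b.c.d dstid "t500" \
    config address 10.10.10.8

# ---- client (t500): /etc/iked.conf (assumed, added example) ----
# active: the laptop initiates.  "from dynamic" plus "request address any"
# asks the gateway for the address it hands out via "config address".
# srcid must be the CN in /etc/iked/certs/t500.crt; dstid must match the
# gateway's srcid so the gateway certificate is checked against it.
ikev2 "vpn" active esp \
    from dynamic to 192.168.3.0/24 \
    peer a.b.c.d \
    srcid "t500" dstid a.b.c.d \
    request address any
```

To bring it up on the client, `iked -nf /etc/iked.conf` checks the syntax, `rcctl enable iked` and `rcctl start iked` (assumed, recent releases) start it at boot and now, and `ikectl show sa` on either side shows whether the IKE SA and child SA were established; on older releases without `from dynamic`, a fixed `from 10.10.10.8` together with `config address 10.10.10.8` on the gateway side is the equivalent static form.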