On Thu, Oct 4, 2012 at 6:13 AM, Erling Westenvik
<erling.westen...@gmail.com> wrote:
> Shamefully I must admit what many OpenBSD'ers consider a crime worse
> than intercourse with the devil, namely to follow a so-called "Howto"
> (http://www.mouedine.net/) and within minutes having my daughter's
> Windows 7 road "warrior" up and running connected to my OpenBSD gateway
> using IKEv2.
>
> Luckily for those that think natively in man pages, I'm stuck with how
> to achieve the same thing with my OpenBSD real road warriors, so now is
> your chance to tell me off.
>
> On the gateway the following /etc/iked.conf works for the win7 client:
>
>         # cat /etc/iked.conf
>         ikev2 passive esp \
>         from 192.168.3.0/24 to 10.10.10.0/24 local a.b.c.d peer any \
>         srcid a.b.c.d \
>         config address 10.10.10.7
>
> I've generated certificates for one of my OpenBSD clients:
>
>         # ikectl ca vpn certificate t500 create (+ export)
>
> copied them to the client and extracted them according to ikectl(8):
>
>         # tar -C /etc/iked laptop -xzpf t500.tgz
>
> which brought /etc/iked on the laptop to contain:
>
>         ./ca/ca.crt
>         ./certs/t500.crt
>         ./crls/ca.crl
>         ./export/ca.pfx
>         ./export/t500.pfx
>         ./private/t500.key
>         ./private/local.key
>         ./local.pub
>
> What is difficult to derive from the multitude of man pages from this
> point onward, is:
>
> 1) how to add the client to /etc/iked.conf on the gateway.

"config address" cannot be used by the IKEv2 client implemented in
iked. Also, you might find out that certificates are not working in
the client setup. I'm working on fixing the latter right now.

> 2) how to configure and start the client.
>

For now your only option is to use a PSK and a different server
rule. Please make sure to use different "local" IP addresses
on the server, otherwise you won't be able to match multiple
policies. That's something we need to address as well.

> I think I'll be able to figure out most of it if someone would just
> point me in the right direction.
>
> Cheers,
> Erling
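A worked gateway/client pair following the advice in the reply above, added here as an illustration and not part of the thread. It assumes a second gateway address a.b.c.e, a fixed tunnel address 10.10.10.8 for the laptop (since the iked client cannot take "config address"), a placeholder PSK, and iked.conf(5) syntax as I read it:

```conf
# /etc/iked.conf on the gateway (added example; a.b.c.e and the PSK are placeholders)

# Existing rule: Windows 7 client, certificate auth, address handed out by the gateway.
ikev2 "win7" passive esp \
        from 192.168.3.0/24 to 10.10.10.0/24 local a.b.c.d peer any \
        srcid a.b.c.d \
        config address 10.10.10.7

# OpenBSD laptop: a separate rule, PSK auth, and a *different* local address
# so iked can tell the two policies apart. No "config address" here: the
# iked client cannot use it, so the laptop keeps a fixed tunnel address.
ikev2 "t500" passive esp \
        from 192.168.3.0/24 to 10.10.10.8/32 local a.b.c.e peer any \
        srcid a.b.c.e \
        psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# /etc/iked.conf on the laptop (mirror of the "t500" rule, active side).
# Assumes 10.10.10.8 is already configured on a local interface (e.g. lo0),
# because the client side cannot receive it via "config address".
ikev2 "gw" active esp \
        from 10.10.10.8/32 to 192.168.3.0/24 local any peer a.b.c.e \
        dstid a.b.c.e \
        psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Start iked on both ends (iked -dv shows the negotiation in the foreground) and check the resulting flows and SAs with ipsecctl -sa.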
