On Thursday, October 4, 2012, Erling Westenvik wrote:

> On Thu, Oct 04, 2012 at 01:40:30PM +0200, Mike Belopuhov wrote:
> > for now your only option is to use psk and a different server
> > rule.  please make sure to use different "local" ip addresses
> > on the server otherwise you won't be able to match multiple
> > policies.  that's something we need to address as well.
>
> Thanks. And good luck with the implementation of IKEv2. It looks really
> promising!
>
> And sorry for my attempt to joke about howto's. For people like me they
> are sometimes a necessary evil.
>
>
Toying with iked.conf for a while, I've found that the best place to start
is (on the client):

ikev2 active esp \
  from <ipv4:here> to <elsewhere:there> \
  local <ipv4:here> peer <ipv4:there> \
  srcid <ipv4:here> dstid <ipv4:there>

...with (a) "active" and (b) "srcid" being important because (a) iked.conf
defaults everything to "passive", and (b) /etc/myname is sent as srcid,
while the iked.conf manpage suggests the creation of X509 using ipv4s.

Obviously this won't help with the road warrior configuration directly
(since srcid is tied down) but maybe when you figure it out you can tell me
how it actually works. :)


-- 
Andrew Ngo
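Worked example, added here as an editor's illustration and not part of Andrew's message, the quoted reply, or any OpenBSD sample configuration: a client-side "active" policy with the same shape as the snippet above, plus a server side carrying two "passive" PSK policies bound to different "local" addresses, which is what Mike's quoted advice calls for so that iked can match the policies apart. Every address, policy name, network and PSK string is a constructed placeholder, not a value from the thread.

```conf
# Client side: the "active" initiator (iked.conf defaults to passive).
# Macros are expanded the same way as in pf.conf.  All literals below
# are constructed placeholders.
local_gw="192.0.2.10"
remote_gw="198.51.100.1"

ikev2 "site-a" active esp \
	from 10.0.1.0/24 to 10.0.2.0/24 \
	local $local_gw peer $remote_gw \
	srcid $local_gw dstid $remote_gw \
	psk "example-shared-secret-replace-me"

# Server side: passive responder.  Each PSK policy uses its own
# "local" address; with one shared local address iked cannot tell
# the two policies apart when it matches an incoming peer.
ikev2 "peer-a" passive esp \
	from 10.0.2.0/24 to 10.0.1.0/24 \
	local 198.51.100.1 peer 192.0.2.10 \
	srcid 198.51.100.1 dstid 192.0.2.10 \
	psk "example-shared-secret-replace-me"

ikev2 "peer-b" passive esp \
	from 10.0.2.0/24 to 10.0.3.0/24 \
	local 198.51.100.2 peer 192.0.2.20 \
	srcid 198.51.100.2 dstid 192.0.2.20 \
	psk "another-example-secret-replace-me"
```

The explicit srcid/dstid lines matter because, as noted above, iked otherwise sends the contents of /etc/myname as its identity, which will not match a policy keyed on IPv4 addresses. Syntax can be checked without loading it with `iked -n -f /etc/iked.conf`; keep the file mode 0600 since it carries the pre-shared keys.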