On 2015-04-24, Yassen Damyanov <yassen_...@yahoo.com> wrote:
>> On Friday, April 24, 2015 9:36 AM, Stuart Henderson <s...@spacehopper.org> wrote:
>
>> > On 2015-04-23, Yassen Damyanov <yassen_...@yahoo.com> wrote:
>>>  Now I would like to auto-configure the clients (ike config pull) and allow
>>>  for "Mutual psk + xauth" authentication. Having no clue on how to do this
>> 
>> OpenBSD isakmpd does not support xauth.
>> 
>> There is user authentication available in IKEv2 (iked), but this is a
>> different protocol, and you can't run it alongside isakmpd on the same machine.
>
>
> Stuart, thanks much for your help.
>
> How about running on different ports, maybe different enc interface, on the
> same machine?

This came up before:
http://thread.gmane.org/gmane.os.openbsd.tech/35967/focus=35967

Sadly this is not currently possible. Firstly, the port numbers are
defined by the protocol and can't be changed (different IPs could
theoretically work, but would need code changes as iked doesn't support
binding to a specific address). Secondly, iked clears SAs from the
kernel, so any existing isakmpd sessions get broken.
