Hello, I have configured an OpenIKED site-to-site VPN between two gateways: serv73 - OBSD6.1, IP A.B.C.73, serv75 - OBSD6.2, IP A.B.C.75. It seems to work fine.

I'm trying to set up a VPN for a few road warriors on one of these gateways. As much as possible, authorisation should be independent of the user's IP. If I get it right, a certificate is always bound to a certain IP, so I need to use login and password authentication. After spending some time playing around with that I cannot find the proper configuration. I know the reason for that is a lack of a certificate (I don't have any idea what cert it is), but maybe there is something else that I have missed or did wrong. I have read the manuals but not everything is clear to me. On Win7 I get error 809. The client is configured as below: https://hide.me/en/vpnsetup/windows7/ikev2/

Any help appreciated :)

My configs:

[root@@serv75/home/rdk:]iked -dv
ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 policy 'roadwarrior' id 0, 528 bytes
ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 0, 325 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
ca_getreq: no valid local certificate found
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes

[root@@serv75/home/rdk:]cat /etc/iked.conf
remote_gw73 = "A.B.C.73"        # serv33
remote_lan73 = "10.0.73.0/24"
local_gw = "10.0.75.254"        # serv75
local_lan = "10.0.75.0/24"
dns1 = "8.8.8.8"

ikev2 active esp from $local_gw to $remote_gw73 \
        from $local_lan to $remote_lan73 peer $remote_gw73 \
        psk "test123"

user "test" "pass1234"

ikev2 "roadwarrior" passive esp \
        from 0.0.0.0/0 to 10.0.75.0/24 \
        local any peer any \
        eap "mschap-v2" \
        config address 10.0.75.123 \
        config name-server 8.8.8.8 \
        tag "$name-$id"

[root@@serv75/home/rdk:]cat /etc/pf.conf
ext_if = "vr0"
lan_if = "vr1"                  # vr1
lan_local = $lan_if:network     # 10.0.75.0/24
ext_ip = "A.B.C.75"
bud = "A.B.C.0/25"
rdkhome_wy = "YY.YY.YY.YY"
rdkhome_mon = "XX.XX.XX.XX"
ssh_port = "1071"
icmp_types = "{ echoreq, unreach }"
table <vpn_peers> const { A.B.C.73, A.B.C.74 }

set skip on { lo, enc0 }

block return on $ext_if         # block stateless traffic
match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)

pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon } to $ext_if port $ssh_port \
        set prio (1, 6) keep state

pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state

pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state
pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state

block return in on ! lo0 proto tcp to port 6000:6010

[root@@serv75/home/rdk:]cat /etc/hostname.vr0
inet A.B.C.75 255.255.254.0 NONE
description "WAN75"
group trust

[root@@serv75/home/rdk:]cat /etc/hostname.vr1
inet 10.0.75.254 255.255.255.0 NONE
description "LAN75"
group trust

[root@@serv75/home/rdk:]cat /etc/hostname.enc0
up

[root@@serv75/home/rdk:]cat /etc/rc.conf.local
iked_flags=YES
ntpd_flags="-s"
dhcpd_flags="vr1 vr2 vr3"

[root@@serv75/home/rdk:]cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1

--
radek
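With an EAP policy the client authenticates with a username and password, but the responder (the gateway) still has to authenticate itself to the client with a certificate; that is what the `ca_getreq: no valid local certificate found` line in the iked -dv output refers to. The script below is an added example, not part of radek's post or of OpenIKED itself: a preflight check for the files iked(8) looks for under /etc/iked, plus the ikectl(8) commands that create them with a local CA. The CA name `vpn`, the use of the gateway address A.B.C.75 as the gateway identity (`srcid`), and the environment variable `IKED_DIR` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check that iked has the
# certificate material a passive EAP "mschap-v2" policy needs, and show how
# to produce it with ikectl(8). Assumed layout is the standard /etc/iked tree:
#   $dir/ca/ca.crt            CA certificate (must also be installed on clients)
#   $dir/certs/<srcid>.crt    gateway certificate whose ID equals srcid
#   $dir/private/local.key    gateway private key

# Returns 0 when every required file exists and is non-empty, 1 otherwise
# (each missing file is reported on stderr).
iked_cert_ready() {
    dir=$1; srcid=$2; missing=0
    for f in "$dir/ca/ca.crt" "$dir/certs/$srcid.crt" "$dir/private/local.key"; do
        if [ ! -s "$f" ]; then
            echo "missing: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# Creates a local CA named $1 and a certificate for the gateway ID $2, then
# installs both into /etc/iked. Only runs where ikectl(8) is available.
# Afterwards /etc/iked/ca/ca.crt has to be imported into the Windows client's
# machine "Trusted Root Certification Authorities" store, and the server
# address typed into the connection must equal the certificate ID ($2).
provision_roadwarrior_ca() {
    ca=$1; srcid=$2
    command -v ikectl >/dev/null 2>&1 || { echo "ikectl not found" >&2; return 1; }
    ikectl ca "$ca" create &&
    ikectl ca "$ca" install &&
    ikectl ca "$ca" certificate "$srcid" create &&
    ikectl ca "$ca" certificate "$srcid" install
}

# iked.conf: pin the identity the gateway presents so the certificate lookup
# matches the file created above (assumption: add srcid to the policy).
#   ikev2 "roadwarrior" passive esp \
#           from 0.0.0.0/0 to 10.0.75.0/24 \
#           local any peer any \
#           srcid A.B.C.75 \
#           eap "mschap-v2" ...

# Usage: ./iked-cert-check.sh --check [srcid]   (IKED_DIR overrides /etc/iked)
if [ "${1:-}" = "--check" ]; then
    iked_cert_ready "${IKED_DIR:-/etc/iked}" "${2:-A.B.C.75}"
fi
```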