On 2018-11-26, Thuban <thu...@yeuxdelibad.net> wrote:
> Hi,
> I need some advice to configure an iked server. I guess it's called
> "roadwarrior", but as English is not my main language, here is what I
> need:
> * Connect to this server via any device (no certificate at first)
> * Allow any incoming IP to connect.
> * Route the traffic to the web through the VPN.
>
> What I did on the server after reading the list and manpages:
>
> # cat /etc/sysctl.conf
> net.inet.ip.forwarding=1
> net.inet.ipcomp.enable=1
>
> # echo "up" > /etc/hostname.enc0
> # sh /etc/netstart enc0
>
> # cat /etc/pf.conf
> set skip on enc0

Here you tell PF to completely ignore traffic on enc0...

> pass in on egress proto udp from any to any port {isakmp, ipsec-nat-t}
> pass out on egress proto udp from any to any port {isakmp, ipsec-nat-t}
> pass in on egress proto esp
> pass out on egress proto esp
> match out on enc0 from 192.168.47.160/27 nat-to (egress:0)

...and here you tell it to NAT traffic on enc0. This isn't going to do what you want because it's already ignoring that traffic.

> # cat /etc/iked.conf
> user "test" "password12345"
> ikev2 "warrior" passive ipcomp esp \
>         from any to any \
>         peer any \
>         srcid "hostname.tld" \
>         local ip.ip.ip.ip \
>         peer any \
>         eap "mschap-v2" \
>         config address 192.168.47.160/27 \
>         tag "$name-$id"

iked only supports mschapv2 on the responder ("server side"), not on the client ("initiator"). If you're only doing OpenBSD<>OpenBSD here then see "PUBLIC KEY AUTHENTICATION" in iked(8), that's the simplest way and doesn't require X.509 certificates.
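For comparison, a pf.conf that keeps the NAT rule reachable. This is an added example and not the configuration of anyone in the thread; it reuses the poster's 192.168.47.160/27 tunnel pool and the egress interface group, assumes net.inet.ip.forwarding=1 as the poster set, and goes one step beyond the reply above by placing the nat-to on egress rather than enc0, because the decrypted client packets come in on enc0 and are forwarded out of egress, which is where a match out rule can see them.

```conf
# /etc/pf.conf for the road-warrior responder (added example, not from the thread).
# Assumes: tunnel pool 192.168.47.160/27 (from the posted iked.conf), the
# "egress" interface group for the public side, and ip.forwarding enabled.

# No "set skip on enc0" here: PF must see the decrypted traffic on enc0
# for any filter or NAT rule referring to it to have an effect.

# IKE (UDP 500), NAT-T (UDP 4500) and ESP from any peer on the public side.
pass in on egress proto udp from any to any port {isakmp, ipsec-nat-t}
pass in on egress proto esp

# Decrypted client traffic shows up on enc0 with a pool source address;
# let it through so it can be forwarded.
pass in on enc0 inet from 192.168.47.160/27 to any

# The forwarded packets leave on egress, so the source NAT belongs there,
# not on enc0: rewrite the pool source to the first egress address.
match out on egress inet from 192.168.47.160/27 to any nat-to (egress:0)

# Outbound on the public side (covers the NATed client traffic as well as
# the responder's own IKE and ESP packets).
pass out on egress
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf; once a client is up, pfctl -ss should show states on enc0 for the pool addresses and a corresponding NATed state on egress, which is the sign that the match rule is actually being hit.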