Just want to highlight that there is a FAQ document checked in that provides some samples of iked configurations for a road-warrior setup.
I am using almost the same setup provided in the sample, and I can only have one client connected at a time. Once the 2nd client connects it will stop the first client from working. Hope this helps others until it is fixed.

> On 26 Feb 2019, at 10:51 PM, Michael Lam <mich...@jasworks.org> wrote:
>
>> On 26 Feb 2019, at 5:11 AM, William Ahern <will...@25thandclement.com> wrote:
>>
>> On Mon, Feb 25, 2019 at 03:44:10PM +0000, Michael Lam wrote:
>>> Hi,
>>>
>>> I have a very straightforward setup use case: I want to use my
>>> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
>>> connections from the Internet and route all traffic through my
>>> router.
>>>
>>> I am using ms-chapv2 authentication and a Let's Encrypt certificate,
>>> which I can successfully obtain. All my clients are Apple devices
>>> with the latest iOS installed. They are normally connected to the Internet
>>> directly without going through this router.
>>>
>>> Configuration as below:
>>>
>>> user "a" "123456"
>>> user "b" "246810"
>>> user "c" "135791"
>>>
>>> set passive
>>>
>>> ikev2 "rw" passive esp \
>>>         from any to 172.20.11.0/24 \
>>>         local any peer any \
>>>         srcid my.fqdn.org \
>>>         eap mschap-v2 \
>>>         config protected-subnet 172.20.10.0/24 \
>>>         config address 172.20.11.0/24 \
>>>         config name-server 172.20.10.1
>>>
>>> I use "from any" because I want all traffic to be routed to the
>>> OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
>>> VPN allocation. That's why I also have config address 172.20.11.0/24
>>> in the configuration.
>>>
>>> my.fqdn.org is a domain name I've obtained that points to my
>>> public IP address.
>>>
>>> I have this working flawlessly with all the devices individually.
>>
>> Are you sure things worked flawlessly with "from any"? IIRC the "any"
>> keyword doesn't work as expected and one must instead use "0.0.0.0/0"
>> explicitly. I may be wrong, but I'm fairly confident I lost an entire evening
>> relearning that lesson not too long ago.
>
> Also responding to another user (due to some issue I can only get the
> mailing list emails fixed.)
>
> I use a Let's Encrypt certificate by doing the following:
> 1. Copying the root certificate file from /etc/ssl/cert.pem (provided by
> OpenBSD) into the "ca" folder.
> 2. Putting the certificate file obtained from Let's Encrypt into the "cert" folder
> under the iked folder.
> 3. Putting the full chain certificate file into the "ca" folder.
>
> And I got it working using from 0.0.0.0/0 to 172.20.11.0/24
>
> Never got it working with:
>
> from any to any, or
> from 0.0.0.0/0 to 0.0.0.0/0
>
> config protected-subnet doesn't really do anything in my setup.
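For reference, here is the road-warrior iked.conf(5) fragment the thread converges on, written out as an added example (it is assembled from the settings quoted above, not a file any participant posted): `from 0.0.0.0/0` spelled out instead of `from any` as the reply found necessary, the address pool typo corrected, and the "ca"/"cert" folders mapped to the iked(8) directory names. The hostname, user credentials and subnets are the thread's own placeholders; the comments and the key filename are assumptions. `config protected-subnet` is left out because the reply reports it had no effect in this setup.

```conf
# /etc/iked.conf  (added example; assembled from the thread, not a participant's file)
#
# Certificate material, in the directories iked(8) actually reads
# (the reply above calls these the "ca" and "cert" folders):
#   /etc/iked/ca/                 the Let's Encrypt chain (CA certificates)
#   /etc/iked/certs/              the server certificate issued for my.fqdn.org
#   /etc/iked/private/local.key   the matching private key (filename is an assumption)

# EAP-MSCHAPv2 users. Credentials are the thread's placeholders; replace them.
user "a" "123456"
user "b" "246810"
user "c" "135791"

# Responder only: never initiate towards road-warrior peers.
set passive

# Write 0.0.0.0/0 out explicitly rather than "any", as the reply found necessary.
# "to 172.20.11.0/24" is the pool clients are assigned from (config address),
# so the flow matches the address each client actually receives.
ikev2 "rw" passive esp \
        from 0.0.0.0/0 to 172.20.11.0/24 \
        local any peer any \
        srcid my.fqdn.org \
        eap mschap-v2 \
        config address 172.20.11.0/24 \
        config name-server 172.20.10.1
```

Before restarting the daemon, run `iked -n` (configtest mode) so a syntax slip such as the `172.20.11/0/24` in the original posting is caught before it takes the running tunnels down, then `rcctl restart iked`. The `srcid` must match a subjectAltName in the certificate placed under `/etc/iked/certs/`, since that is what iOS clients verify the gateway against.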