took a quick stab at getting iked working because isakmpd is so awesome.
i was not able to figure out the proper way to get the CA cert and host
cert and key imported to a non-CA host.
i am using hosts 10.160.0.10 and 10.160.0.150 and the vpn subnets will
be 10.160.10.0/24 on 10.160.0.10 and 10.160.150.0/24 on 10.160.0.150.
the vpn subnets are vlan0 on each of these hosts, so that vlan0 on
10.160.0.10 has ip 10.160.10.1 and vlan0 on 10.160.0.150 has ip
10.160.150.1.
created ca key and cert on 10.160.0.10 with the following info
subject=/C=US/O=iked test/OU=iked ca/CN=10.160.0.10/emailaddress=r...@10.160.0.10
using command 'ikectl ca test create'. created host key and cert on
10.160.0.10 for host 10.160.0.10 with the following info
subject=/C=US/O=iked test/OU=iked host/CN=10.160.0.10/emailaddress=r...@10.160.0.10
created host key and cert for 10.160.0.150 on 10.160.0.10 with the
following info
subject=/C=US/O=iked test/OU=iked host/CN=10.160.0.150/emailaddress=r...@10.160.0.150
the trouble now is getting the 10.160.0.150 cert, key and CA cert
installed on 10.160.0.150. afaict there is no ikectl command to effect
this. clues appreciated.
i did initially want to test iked using PSK to get the simplest possible
config but it appears that is somewhat at odds with the PKI setup that
is encoded in ikectl.
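One way to get the 10.160.0.150 bundle from the CA host onto the peer, as an added shell example that is not from the original post: it relies on ikectl's "certificate ... export" subcommand and assumes the CA name test, the tarball path and layout noted in the comments, and root ssh access to the peer.

```shell
#!/bin/sh
# Added example, not from the original post: push the cert, key and CA cert
# that ikectl(8) generated on 10.160.0.10 for 10.160.0.150 over to that host.
# Assumptions (verify against ikectl(8) on your release): the CA is called
# "test"; "ikectl ca test certificate HOST export" writes
# /etc/ssl/test/export/HOST.tgz with ca/, certs/ and private/ subdirectories
# laid out for extraction under /etc/iked; root ssh to the peer works.
set -eu

CA=test
LOCAL=10.160.0.10
PEER=10.160.0.150

# Where ikectl drops the export bundle for a given host (assumed path).
bundle_path() { printf '/etc/ssl/%s/export/%s.tgz\n' "$CA" "$1"; }

# Where iked expects a host's own certificate after the bundle is unpacked.
peer_cert_path() { printf '/etc/iked/certs/%s.crt\n' "$1"; }

# Run on the CA host (10.160.0.10): install its own files, then bundle the
# peer's files and ship them over.
distribute_certs() {
    ikectl ca "$CA" install                      # CA cert -> /etc/iked/ca/
    ikectl ca "$CA" certificate "$LOCAL" install # own cert/key for iked
    ikectl ca "$CA" certificate "$PEER" export   # bundle for the peer
    scp "$(bundle_path "$PEER")" "root@$PEER:/tmp/iked-$PEER.tgz"
    ssh "root@$PEER" "sh -s" <<EOF
set -eu
tar -C /etc/iked -xzpf /tmp/iked-$PEER.tgz
rm -f /tmp/iked-$PEER.tgz
chmod 700 /etc/iked/private
chmod 600 /etc/iked/private/local.key
# Sanity check: the unpacked key must belong to the unpacked cert, otherwise
# iked authentication fails later with a much less obvious error.
c=\$(openssl x509 -noout -modulus -in $(peer_cert_path "$PEER"))
k=\$(openssl rsa -noout -modulus -in /etc/iked/private/local.key)
[ "\$c" = "\$k" ] || { echo "key/cert mismatch on $PEER" >&2; exit 1; }
EOF
}

# Only run the procedure when invoked as "sh script.sh run".
if [ "${1:-}" = run ]; then
    distribute_certs
fi
```

The remote step also compares the RSA modulus of the installed key and certificate, so a bundle that was exported for the wrong host is caught before iked is started.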