On 2023/03/01 22:15, A Tammy wrote:
> >
> > -# Configuration for clients connecting with EAP authentication.
> > +# Configuration for clients connecting with EAP authentication
> > +# and sending all traffic over the IKEv2 tunnel.
> > # Remember to set up a PKI, see ikectl(8) for more information.
> Is a PKI still needed in this example config? The comment seems to imply
> that I need one even with PSK auth.
> Like PKI is an alternative, so maybe something like - Setting up a PKI
> is an alternative to using a PSK, see ikectl(8) for more information.
That block is for EAP and yes that needs some form of PKI (either a local
CA, or at least a server certificate signed by another CA - but for the
latter you have some awkward handling to assemble the files with the
intermediate cert in the right place; iked has non-standard requirements).
Could add a couple more lines to make that more clear though, and give
some hints for people who don't know what PKI is - see below.

On 2023/03/02 05:35, Crystal Kolipe wrote:
> On Wed, Mar 01, 2023 at 04:53:00PM +0000, Stuart Henderson wrote:
> > How about this? Show a strong psk in the example
> > ...
> >
> > -# psk "you-should-not-use-psk-authentication!"
> > +# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"
>
> I strongly disagree with this change.
>
> Not only are you removing a note that psk authentication is a poor choice,
> but you're also providing a _specific_ and otherwise strong key in the example
> which new or unfamiliar users could _easily_ use believing that it was a good
> choice.

Could do something like this .. I do think it's important that if there's
any example at all that it does give an indication that people might like
to use a psk with a decent amount of entropy. (And that is exactly one of
the reasons why my first thought was to delete the file..)

Index: iked.conf =================================================================== RCS file: /cvs/src/etc/examples/iked.conf,v retrieving revision 1.2 diff -u -p -r1.2 iked.conf --- iked.conf 1 Mar 2023 22:45:25 -0000 1.2 +++ iked.conf 2 Mar 2023 15:20:47 -0000 @@ -8,7 +8,10 @@ # Configuration for clients connecting with EAP authentication # and sending all traffic over the IKEv2 tunnel. -# Remember to set up a PKI, see ikectl(8) for more information. +# +# EAP requires a server certificate; see ikectl(8) for more details +# on generating this with an iked-specific local CA. +# #ikev2 "eapclient" passive esp \ # from any to dynamic \ # local any peer any \ 
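Review bot: the replacement comment in this hunk only covers a server certificate generated with the iked-specific local CA, while the reply above says a certificate signed by another CA also works, just with awkward handling of the intermediate certificate. Because the hunk also drops the generic "set up a PKI" reminder, a reader who already has a CA gets no pointer at all; consider one more line, e.g. `+# on generating this with an iked-specific local CA, or install one` / `+# signed by an existing CA (iked has its own layout for intermediates).`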
@@ -17,10 +20,16 @@ # config name-server 10.1.0.2 \ # tag "$name-$id" -# Configuration for a client authenticating with a pre-shared key. +# Configuration for a client authenticating with a pre-shared key, +# mostly useful for LAN-to-LAN tunnels between static IP endpoints. +# +# For iked->iked tunnels you can use a simple config using RSA keys +# instead - omit psk and copy /etc/iked/local.pub on each side to +# /etc/iked/pubkeys/ipv4/<address> on the other. +# #ikev2 esp \ # from 10.3.0.0/24 to 10.1.0.0/24 \ # from 10.5.0.0/24 to 10.1.0.0/24 \ # from 10.5.0.0/24 to 172.16.1.0/24 \ # local 192.168.1.1 peer 192.168.2.1 \ -# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA" +# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me"
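Review bot: appending "-replace-me" to the psk value in this hunk does not really answer the objection quoted above that a specific, strong-looking key in a shipped example gets copied: a reader who strips only the suffix is left with exactly the published string. Better to put the requirement in the comment and make the value itself obviously not a key, e.g. a comment line `+# psk must be a long random string unique to this tunnel; never reuse` / `+# a value from an example file.` above `# psk "replace-with-a-long-random-string"`; that keeps the entropy hint this reply wants without shipping a copyable key.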