Le Thu, Mar 02, 2023 at 03:44:35PM +0000, Stuart Henderson a écrit : > On 2023/03/01 22:15, A Tammy wrote: > > > > > > -# Configuration for clients connecting with EAP authentication. > > > +# Configuration for clients connecting with EAP authentication > > > +# and sending all traffic over the IKEv2 tunnel. > > > # Remember to set up a PKI, see ikectl(8) for more information. > -# Configuration for a client authenticating with a pre-shared key. > +# Configuration for a client authenticating with a pre-shared key, > +# mostly useful for LAN-to-LAN tunnels between static IP endpoints. > +# > +# For iked->iked tunnels you can use a simple config using RSA keys > +# instead - omit psk and copy /etc/iked/local.pub on each side to > +# /etc/iked/pubkeys/ipv4/<address> on the other. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That part is definitely the most important for ppl building OpenBSD/iked site-to-site vpns, as its dummy-proof and just works.
