Certificates are now accepted.

iked -dvv gives me:

...
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x08 -> 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x0c -> 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0e, require 0x0f cert,valid,auth,sa
...

I have the following error on the win7 connection:
"Error 1931: the context has expired and can no longer be used"

Any idea?

So here is what I have done:

ikectl ca vpn certificate 192.168.0.51 create #(for server)
ikectl ca vpn certificate 192.168.0.51 install #(for server)

ikectl ca vpn certificate win7test create #(for win7)
ikectl ca vpn certificate win7test export #(for win7)

and /etc/iked.conf:
ikev2 esp \
from 192.168.0.0/24 to any peer any

--
Wesley
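
Decoding the sa_stateflags / sa_stateok lines quoted above to show which requirement the SA still lacks at each step (in this log only the "cert" flag is missing once the SA reaches VALID). This is an added helper, not part of the thread or of iked; the bit-to-name mapping is inferred from the transitions in the quoted output and is assumed to match the iked build that produced it.

```python
import re

# Bit values inferred from the quoted output: 0x08 = sa, 0x0c adds auth,
# 0x0e adds valid, and the required 0x0f adds cert. Assumption: this is
# the flag set of the iked build that wrote the log (newer builds have more).
SA_FLAG_BITS = {0x01: "cert", 0x02: "valid", 0x04: "auth", 0x08: "sa"}

# Constructed sample: the iked -dvv lines quoted in the reply above.
SAMPLE_LOG = """\
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x08 -> 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x0c -> 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0e, require 0x0f cert,valid,auth,sa
"""

FLAGS_RE = re.compile(
    r"sa_stateflags: (0x[0-9a-f]+) -> (0x[0-9a-f]+) .*\(required (0x[0-9a-f]+)")
STATEOK_RE = re.compile(
    r"sa_stateok: (\w+) flags (0x[0-9a-f]+), require (0x[0-9a-f]+)")


def flag_names(value):
    """Decode a stateflags bitmask into the names iked prints for it."""
    return [name for bit, name in SA_FLAG_BITS.items() if value & bit]


def flag_transitions(log):
    """For each sa_stateflags line: (names gained, names still required)."""
    out = []
    for line in log.splitlines():
        m = FLAGS_RE.search(line)
        if m:
            old, new, need = (int(x, 16) for x in m.groups())
            out.append((flag_names(new & ~old), flag_names(need & ~new)))
    return out


def missing_requirements(log):
    """(state, names still missing) from the last sa_stateok line, or None."""
    result = None
    for line in log.splitlines():
        m = STATEOK_RE.search(line)
        if m:
            have, need = int(m.group(2), 16), int(m.group(3), 16)
            result = (m.group(1), flag_names(need & ~have))
    return result


if __name__ == "__main__":
    for gained, still in flag_transitions(SAMPLE_LOG):
        print("gained", gained, "still required", still)
    print("final:", missing_requirements(SAMPLE_LOG))
```

Run it against a full `iked -dvv` capture to see at which step the negotiation stops gaining flags.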

On 2012-05-22 10:14, Wesley wrote:
Hi,

I'm trying to have this
192.168.0.0/24--lan--5.1GW--egress--INTERNET--win7rw
working.

GW: (OpenBSD 5.1) hostname vpn.X.net
lan has 192.168.0.51/24
egress has a static IP address: aa.bb.cc.dd
lan and egress are groups to manage PF easily.

win7rw: Windows 7 road warrior host with a
dynamic IP address
hostname: win7test
IKEv2 IP address: 192.168.0.77/24

What I have done:
pkg_add zip
net.inet.ip.forwarding=1
2 groups for network cards : lan,egress

pf.conf:
set block-policy drop
set skip on {lo,enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto esp
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto tcp from any to any port 22
pass out on egress
pass on lan

Create certificates:
ikectl ca vpn create
ikectl ca vpn install

Parts that I don't understand, if someone can help me with them:
- For the server, do I need a server certificate for vpn.X.net or for aa.bb.cc.dd?
ikectl ca vpn certificate ? create #(for server)
ikectl ca vpn certificate ? install #(for server)

- For win7, do I need a host certificate for win7test or for 192.168.0.77?
ikectl ca vpn certificate ?? create #(for win7)
ikectl ca vpn certificate ?? export #(for win7)

- On the GW
/etc/iked.conf:
ikev2 esp \
from any to any peer any \
srcid vpn.X.net \
config address 192.168.0.77

Run /sbin/iked -dvv

Finally :
On the win7, open certmgr.msc to add the certificates:
add the 2 pfx certificates to the "Trusted Root Certification
Authorities" store,
and create an IKEv2 connection without EAP.

Thank you very much for your help.

Cheers,

Wesley M.A.
