Working iked.conf that runs without a problem:

ikev2 "win7" quick passive esp inet proto udp \
        from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
        srcid local.endpoint.IP.address \
        dstid "remote endpoint's certificate distinguished name" \
        rsa \
        config address 192.168.126.2 \
        config name-server 192.168.0.126 \
        tag ipsec_$name
Certificate must be issued for the win7 endpoint as described above and imported properly on the Win machine, as well as the CA's certificate. 192.168.126.2 is the IP address that the Win7 machine will get on the IPSec interface. 192.168.0.126 is the nameserver that will be assigned for that interface. The RSA parameter is generally not needed, nor is TAG.

local.endpoint.net - can be a FQDN that will be resolved into the IP address of the local endpoint - the point that acts like a responder (openbsd machine running iked). OpenBSD's certificate must be issued to the `host local.endpoint.net' IP address.

peer.endpoint.net - is the initiator side (win7 machine). Win7's cert must be issued to that IP.

That scheme works for me right now.

22.05.2012 14:52, Wesley wrote:
> "Error 1931: the context has expired and can no longer be used"

--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
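Added example, not code from this thread or from OpenBSD's iked: a small Python parser for the ikev2 policy syntax used above (macros, backslash continuations, flags, single-argument keywords, from/to flows, config options, $name in the tag). The macro values for $local_net and $client_net are assumed, since the post never shows them. The checker flags the two things the post relies on: both identities are pinned with srcid/dstid, and the address handed to the client sits inside the flow's destination network.

```python
"""Parse an iked.conf(5) ikev2 policy and sanity-check it.

Added example (not OpenBSD code); covers the subset of the grammar
used in the post. Macro values below are assumptions.
"""
import ipaddress
import re
import shlex

# Constructed sample: the post's policy plus assumed macro definitions.
SAMPLE_CONF = r'''
local_net = "192.168.0.0/24"
client_net = "192.168.126.0/24"

ikev2 "win7" quick passive esp inet proto udp \
        from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
        srcid local.endpoint.IP.address \
        dstid "remote endpoint's certificate distinguished name" \
        rsa \
        config address 192.168.126.2 \
        config name-server 192.168.0.126 \
        tag ipsec_$name
'''

FLAGS = {"quick", "active", "passive", "esp", "ah", "inet", "inet6", "rsa"}
SINGLE = {"proto", "local", "peer", "srcid", "dstid", "tag", "psk"}
KEYWORDS = FLAGS | SINGLE | {"from", "config"}


def _join_continuations(text):
    # A backslash at end of line continues the statement on the next line.
    return re.sub(r"\\\n\s*", " ", text)


def _expand(token, macros, name):
    # $macro references are replaced; $name is the policy's own name.
    def repl(m):
        key = m.group(1)
        if key == "name":
            return name
        if key not in macros:
            raise ValueError("undefined macro $%s" % key)
        return macros[key]
    return re.sub(r"\$(\w+)", repl, token)


def parse_policy(tokens, macros):
    if not tokens or tokens[0] != "ikev2":
        raise ValueError("not an ikev2 policy")
    name, i = "", 1
    if len(tokens) > 1 and tokens[1] not in KEYWORDS:
        name, i = tokens[1], 2          # optional policy name
    toks = [_expand(t, macros, name) for t in tokens[i:]]
    policy = {"name": name, "flags": set(), "flows": [], "config": {}}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in FLAGS:
            policy["flags"].add(t)
            i += 1
        elif t in SINGLE:
            policy[t] = toks[i + 1]
            i += 2
        elif t == "from":               # from <src> to <dst>
            if toks[i + 2] != "to":
                raise ValueError("'from' without 'to'")
            policy["flows"].append((toks[i + 1], toks[i + 3]))
            i += 4
        elif t == "config":             # config <option> <value>
            policy["config"][toks[i + 1]] = toks[i + 2]
            i += 3
        else:
            raise ValueError("unsupported keyword %r" % t)
    return policy


def parse_conf(text):
    macros, policies = {}, []
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if m:                           # macro definition
            macros[m.group(1)] = shlex.split(m.group(2))[0]
            continue
        policies.append(parse_policy(shlex.split(line), macros))
    return macros, policies


def _covers(spec, ip):
    if spec == "any":
        return True
    try:
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:                  # hostname: not resolved here
        return False


def check_policy(policy):
    """Problems a responder-side policy like the post's should not have."""
    findings = []
    if "srcid" not in policy:
        findings.append("srcid missing: iked will use its default local identity")
    if "dstid" not in policy:
        findings.append("dstid missing: policy does not pin the peer's identity")
    addr = policy["config"].get("address")
    if addr:
        ip = ipaddress.ip_address(addr)
        if not any(_covers(dst, ip) for _, dst in policy["flows"]):
            findings.append("config address %s lies outside every 'to' network" % addr)
    return findings


if __name__ == "__main__":
    for pol in parse_conf(SAMPLE_CONF)[1]:
        print(pol["name"], check_policy(pol) or "ok")
```

The address check matters because the client's traffic is only protected by the flow's from/to pair; an address assigned outside `$client_net` would reach the client unencrypted or not at all.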