> On Oct 3, 2015, at 5:32 AM, Reyk Floeter <r...@openbsd.org> wrote:
>
> In summary, the GUI part is very easy but certificate configuration is
> a bit difficult. It's the same complexity as in Windows. But much
> better compared to earlier IPsec configurations.
Agreed, thanks for the update. I made some time to come around to this work
again today. Works fine on -current, using "no" authentication and a machine
certificate. I used ikectl to build all the certificates. enc0 configured with
10.23.0.1, running unbound, etc. (as Reyk describes).

For those playing the home game, here's my iked.conf snippet:

ikev2 "aapl" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local (server ip) peer any \
    childsa enc 3des \
    srcid (server ip) dstid (made-up fqdn in client certificate) \
    config address 10.23.0.1/24 \
    config name-server 10.23.0.1 \
    tag "$name-$id"

Thanks, Reyk.

weaver
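As an added example (not from the post above or from OpenBSD itself), here is the certificate side of that setup: the ikectl(8) calls that build the CA, the server certificate and the client certificate, the same policy with srcid/dstid tied to those certificate names, and a check that the dstid in the config actually matches a client certificate's CN or subjectAltName, which is what iked validates when the peer presents it. The CA name, the server IP and the client FQDN are placeholders; the childsa settings are copied from the post unchanged.

```shell
#!/bin/sh
# Added example, not part of the original post. Placeholders below stand in
# for "(server ip)" and "(made-up fqdn in client certificate)".
set -eu

CA="vpn"                        # assumed CA name for ikectl
SERVER_IP="192.0.2.1"           # placeholder server address (srcid)
CLIENT_ID="mac.example.net"     # placeholder FQDN in the client cert (dstid)

# CA, server cert (named after the srcid) and client cert, per ikectl(8).
# "export" writes a bundle to import on the client. Run on the OpenBSD box.
build_certs() {
    ikectl ca "$CA" create
    ikectl ca "$CA" install
    ikectl ca "$CA" certificate "$SERVER_IP" create
    ikectl ca "$CA" certificate "$SERVER_IP" install
    ikectl ca "$CA" certificate "$CLIENT_ID" create
    ikectl ca "$CA" certificate "$CLIENT_ID" export
}

# The policy from the post with srcid/dstid set to the certificate names.
gen_iked_conf() {
    cat <<EOF
ikev2 "aapl" passive esp \\
    from 0.0.0.0/0 to 0.0.0.0/0 \\
    local $SERVER_IP peer any \\
    childsa enc 3des \\
    srcid $SERVER_IP dstid $CLIENT_ID \\
    config address 10.23.0.1/24 \\
    config name-server 10.23.0.1 \\
    tag "\$name-\$id"
EOF
}

# Pull the dstid out of an iked.conf file.
conf_dstid() {
    sed -n 's/.*dstid \([^ \\]*\).*/\1/p' "$1"
}

# Succeeds when a PEM certificate carries the id as its CN or as a DNS SAN;
# if this fails, iked will reject the peer's certificate for that dstid.
cert_matches_id() {  # usage: cert_matches_id client.pem mac.example.net
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q -e "CN *= *$2" -e "DNS:$2"
}

if [ "${1:-}" = "build" ]; then build_certs; fi
gen_iked_conf
```

Run it with `build` on the gateway to create the certificates, and pipe its output to a file to get the policy; then `cert_matches_id` against the exported client certificate confirms the dstid before the first connection attempt.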