This was originally posted to ports. I'm re-posting to misc with some more
context.
I've started to use IPsec between my OpenBSD hosts. So far, this has
been set up manually, copying around the local.pub keys and setting up iked.
I noticed the ikectl command has the ca sub-command. I'm curious if
anyone has been running host-to-host IPsec for their OpenBSD clusters?
If so, how did you automate managing the key distribution, and other
support like the iked.conf and /etc/hosts?
The cluster is geographically distributed, using networks of opportunity that
can't be implicitly trusted. I'm the sole manager for the hosts though. The
use of the word "cluster" is pretty loose in this context. It's not in the HPC
sense, but more like a set of hosts providing related services.
I've used kernel WireGuard in the past (worked great). Adding the overlay
network did make things more complicated though. This led to experimentation
with IPsec on global addresses.
It looks like you could script with ikectl, ssh, and rdist to get this
done. I'm curious what other approaches might be suggested.
TIA,
--Bruce