Hi,
I'm using an OpenBSD gateway running:
OpenBSD vpn.area.lan 5.1 GENERIC.MP#214 i386
So what I'm trying to build:
<10.10.0.0/24>----rl0----[obsd]----rl1----(INTERNET)----(win7 with dynamic IP)
IP address (INTERNET, rl1): AA.BB.CC.DD
Dynamic IP for win7: RR.WW.RR.WW
I start the IKEv2 VPN (it stops at password and user verification) and have this on the OBSD gateway:
tail -f /var/log/daemon:
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_SA_INIT from initiator RR.WW.RR.WW:59317 to AA.BB.CC.DD:500 policy 'win7', 528 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_msg_send: IKE_SA_INIT from AA.BB.CC.DD:500 to RR.WW.RR.WW:59317, 325 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_AUTH from initiator RR.WW.RR.WW:58268 to AA.BB.CC.DD:4500 policy 'win7', 1164 bytes
Any idea?
Thank you very much.
-- OpenBSD gateway:
rl0 group: lan
rl1 group: egress
IP address (INTERNET, rl1): AA.BB.CC.DD
iked.conf:
user "bandit" "123456"
ikev2 "win7" passive esp \
	from 10.10.3.0/24 to 10.10.0.0/24 \
	local any peer any \
	eap "mschap-v2" \
	config address 10.10.3.7 \
	config name-server 10.10.0.51 \
	tag "$name-$id"
pf.conf:
set skip on {lo,enc0}
set block-policy drop
match out on egress from lan:network to any nat-to egress
block log all
pass out
pass in on egress proto esp
pass in on egress proto udp to port 500
pass in on egress proto udp to port 4500
pass in on egress proto tcp to port 22
pass in on lan inet from lan:network to any
net.inet.ip.forwarding=1
What I have done about certificates:
ikectl ca vpn create
ikectl ca vpn certificate AA:BB:CC:DD create
ikectl ca vpn install
ikectl ca vpn certificate AA:BB:CC:DD install
ikectl ca vpn certificate AA:BB:CC:DD export
I put the exported certs on the win7 workstation.
And then run iked.
-- Win7 workstation
Import the certificate in the mmc snap-in (Certificates/Authority)
Wesley.
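As an added example (not part of Wesley's post and not an OpenBSD tool): a small Python script that parses the two iked log-line shapes shown in the excerpt above (ikev2_recv and ikev2_msg_send) and reports how far each initiator's handshake got on the responder, so that an exchange that stops after IKE_AUTH is received, exactly the pattern in the post, stands out, together with the UDP ports (500 and 4500) the gateway had to accept. The three posted log lines are embedded as input alongside four constructed lines for a hypothetical second initiator, 198.51.100.7, whose IKE_AUTH did get a reply; the posted lines are the only evidence of the log format, so any other iked message is ignored.

```python
"""Summarise IKEv2 handshake progress from iked log lines.

Added example for this thread: not part of the original post and not an
OpenBSD tool.  It only understands the two message shapes visible in the
posted /var/log/daemon excerpt (ikev2_recv and ikev2_msg_send); every
other iked message is ignored.
"""
import re
import sys
from collections import defaultdict

# Responder received a message:
#   ikev2_recv: <EXCH> from initiator PEER:pport to LOCAL:lport policy 'name', N bytes
RECV_RE = re.compile(
    r"ikev2_recv: (?P<exch>[A-Z_]+) from initiator "
    r"(?P<peer>[^:\s]+):(?P<pport>\d+) to (?P<local>[^:\s]+):(?P<lport>\d+) "
    r"policy '(?P<policy>[^']*)', (?P<size>\d+) bytes"
)
# Responder sent a message:
#   ikev2_msg_send: <EXCH> from LOCAL:lport to PEER:pport, N bytes
SEND_RE = re.compile(
    r"ikev2_msg_send: (?P<exch>[A-Z_]+) from "
    r"(?P<local>[^:\s]+):(?P<lport>\d+) to (?P<peer>[^:\s]+):(?P<pport>\d+), "
    r"(?P<size>\d+) bytes"
)

# Sample input: the three lines from the post (with its anonymised
# addresses) plus four CONSTRUCTED lines, in the same format, for a
# hypothetical second initiator 198.51.100.7 whose IKE_AUTH was answered.
SAMPLE_LOG = """\
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_SA_INIT from initiator RR.WW.RR.WW:59317 to AA.BB.CC.DD:500 policy 'win7', 528 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_msg_send: IKE_SA_INIT from AA.BB.CC.DD:500 to RR.WW.RR.WW:59317, 325 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_AUTH from initiator RR.WW.RR.WW:58268 to AA.BB.CC.DD:4500 policy 'win7', 1164 bytes
Apr 2 12:20:01 vpn iked[19494]: ikev2_recv: IKE_SA_INIT from initiator 198.51.100.7:500 to AA.BB.CC.DD:500 policy 'win7', 528 bytes
Apr 2 12:20:01 vpn iked[19494]: ikev2_msg_send: IKE_SA_INIT from AA.BB.CC.DD:500 to 198.51.100.7:500, 325 bytes
Apr 2 12:20:01 vpn iked[19494]: ikev2_recv: IKE_AUTH from initiator 198.51.100.7:4500 to AA.BB.CC.DD:4500 policy 'win7', 1164 bytes
Apr 2 12:20:01 vpn iked[19494]: ikev2_msg_send: IKE_AUTH from AA.BB.CC.DD:4500 to 198.51.100.7:4500, 268 bytes
""".splitlines()


def parse_exchanges(lines):
    """Group events by initiator address, in log order.

    Each event is (direction, exchange, initiator_port, gateway_port) with
    direction "recv" (initiator -> gateway) or "send" (gateway -> initiator).
    """
    events = defaultdict(list)
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            events[m["peer"]].append(("recv", m["exch"], int(m["pport"]), int(m["lport"])))
            continue
        m = SEND_RE.search(line)
        if m:
            events[m["peer"]].append(("send", m["exch"], int(m["pport"]), int(m["lport"])))
    return dict(events)


def diagnose(events):
    """Say how far each initiator's handshake got, as seen by the responder.

    With EAP the IKE_AUTH exchange spans several round trips, so
    "IKE_AUTH answered" only means the gateway replied at least once; that
    reply is the first thing missing in the posted excerpt.
    """
    verdicts = {}
    for peer, evs in events.items():
        seen = {(direction, exch) for direction, exch, _, _ in evs}
        if ("recv", "IKE_SA_INIT") not in seen:
            verdicts[peer] = "no IKE_SA_INIT seen"
        elif ("send", "IKE_SA_INIT") not in seen:
            verdicts[peer] = "IKE_SA_INIT received, no reply sent"
        elif ("recv", "IKE_AUTH") not in seen:
            verdicts[peer] = "IKE_SA_INIT answered, no IKE_AUTH received"
        elif ("send", "IKE_AUTH") not in seen:
            verdicts[peer] = "IKE_AUTH received, no reply sent"
        else:
            verdicts[peer] = "IKE_AUTH answered"
    return verdicts


def gateway_ports(events):
    """UDP ports on which the gateway received each initiator's messages:
    500 for IKE_SA_INIT and 4500 (the NAT-traversal port) once the
    initiator switches to UDP encapsulation.  pf has to pass both."""
    return {peer: {lport for direction, _, _, lport in evs if direction == "recv"}
            for peer, evs in events.items()}


if __name__ == "__main__":
    # Usage: python3 ikev2_progress.py [/var/log/daemon]; with no argument
    # the embedded sample is analysed.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    events = parse_exchanges(lines)
    ports = gateway_ports(events)
    for peer, verdict in diagnose(events).items():
        print(f"{peer}: {verdict} (gateway ports {sorted(ports[peer])})")
```

On the posted excerpt this reports RR.WW.RR.WW as "IKE_AUTH received, no reply sent" on ports {500, 4500}. The script only locates where the exchange stops; the reason iked did not answer is not in these log lines at all, and is only visible when iked is run in the foreground with -dv.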