Sorry for the message form. Here is a better version:

http://pastebin.com/dxTrasGM

Thank you for your help.

Or:

I'm using an OpenBSD gateway running:

OpenBSD vpn.area.lan 5.1 GENERIC.MP#214 i386

So what I'm trying to build:

<10.10.0.0/24>----rl0----[obsd]----rl1----(INTERNET)----(win7 with dynamic IP)

IP address (INTERNET, rl1): AA.BB.CC.DD
Dynamic IP for win7: RR.WW.RR.WW

I start the IKEv2 VPN (it stops on password and user verification) and have this on the OBSD gateway:

tail -f /var/log/daemon:

Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_SA_INIT from initiator RR.WW.RR.WW:59317 to AA.BB.CC.DD:500 policy 'win7', 528 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_msg_send: IKE_SA_INIT from AA.BB.CC.DD:500 to RR.WW.RR.WW:59317, 325 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_AUTH from initiator RR.WW.RR.WW:58268 to AA.BB.CC.DD:4500 policy 'win7', 1164 bytes

Any idea?

Thank you very much.

-- OpenBSD Gateway:

rl0 group: lan
rl1 group: egress

IP address (INTERNET, rl1): AA.BB.CC.DD

iked.conf:

user "bandit" "123456"

ikev2 "win7" passive esp from 10.10.3.0/24 to 10.10.0.0/24 \
        local any peer any \
        eap "mschap-v2" \
        config address 10.10.3.7 \
        config name-server 10.10.0.51 \
        tag "$name-$id"

pf.conf:

set skip on { lo, enc0 }
set block-policy drop

match out on egress from lan:network to any nat-to egress

block log all
pass out
pass in on egress proto esp
pass in on egress proto udp to port 500
pass in on egress proto udp to port 4500
pass in on egress proto tcp to port 22
pass in on lan inet from lan:network to any

net.inet.ip.forwarding=1

What I have done about certificates:

ikectl ca vpn create
ikectl ca vpn certificate AA.BB.CC.DD create
ikectl ca vpn install
ikectl ca vpn certificate AA.BB.CC.DD install
ikectl ca vpn certificate AA.BB.CC.DD export

I put the exported certs on the win7 workstation.

And then run iked.


-- Win7 workstation

Import certificate in MMC snap-in (Certificates/Authority)
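Since the question is where the handshake stops, here is an added example (mine, not part of the original post and not OpenBSD code) that parses the three iked daemon log lines quoted above and reports, per remote peer, which IKEv2 exchanges the gateway received and which it answered. The line shape matched by LINE_RE is assumed from those three lines only; other iked versions or other ikev2_* log messages may be formatted differently, and the sample log is constructed from the post's placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample: the three iked(8) lines quoted in the post above,
# joined back onto one line each (addresses are the post's placeholders).
SAMPLE_LOG = """\
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_SA_INIT from initiator RR.WW.RR.WW:59317 to AA.BB.CC.DD:500 policy 'win7', 528 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_msg_send: IKE_SA_INIT from AA.BB.CC.DD:500 to RR.WW.RR.WW:59317, 325 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_AUTH from initiator RR.WW.RR.WW:58268 to AA.BB.CC.DD:4500 policy 'win7', 1164 bytes
"""

# Assumed line shape, derived only from the lines in the post; other iked
# versions or other ikev2_* log functions may format their messages differently.
LINE_RE = re.compile(
    r"iked\[(?P<pid>\d+)\]: (?P<func>ikev2_recv|ikev2_msg_send): "
    r"(?P<exch>\S+) from (?:initiator )?(?P<src>\S+):(?P<sport>\d+) "
    r"to (?P<dst>\S+):(?P<dport>\d+)(?: policy '(?P<policy>[^']*)')?, "
    r"(?P<size>\d+) bytes"
)


def parse_iked_log(text):
    """Turn iked recv/send log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["direction"] = "recv" if ev["func"] == "ikev2_recv" else "sent"
        # The remote peer is the source of what we received and the destination of what we sent.
        ev["peer"] = ev["src"] if ev["direction"] == "recv" else ev["dst"]
        events.append(ev)
    return events


def summarize_exchanges(events):
    """Per peer address: the set of IKEv2 exchange types received and the set sent."""
    peers = defaultdict(lambda: {"recv": set(), "sent": set()})
    for ev in events:
        peers[ev["peer"]][ev["direction"]].add(ev["exch"])
    return dict(peers)


def diagnose(summary):
    """Report, from the responder's point of view, where each peer's handshake stopped."""
    findings = {}
    for peer, s in summary.items():
        if "IKE_SA_INIT" not in s["recv"]:
            findings[peer] = "no IKE_SA_INIT request seen"
        elif "IKE_SA_INIT" not in s["sent"]:
            findings[peer] = "IKE_SA_INIT request never answered"
        elif "IKE_AUTH" not in s["recv"]:
            findings[peer] = "IKE_SA_INIT completed, peer never sent IKE_AUTH"
        elif "IKE_AUTH" not in s["sent"]:
            findings[peer] = ("IKE_AUTH received but never answered: "
                              "authentication stalled on the responder")
        else:
            findings[peer] = "IKE_AUTH exchanged"
    return findings


if __name__ == "__main__":
    summary = summarize_exchanges(parse_iked_log(SAMPLE_LOG))
    for peer, finding in diagnose(summary).items():
        print(f"{peer}: {finding}")
```

For the log above this reports that the IKE_SA_INIT exchange completed in both directions and that an IKE_AUTH request arrived on UDP 4500 but no IKE_AUTH reply was ever sent, so the responder stopped inside the authentication phase (the EAP/MSCHAPv2 and certificate part) rather than at pf or at proposal negotiation. Running the daemon in the foreground with iked -d -v is the usual way to see why that phase did not complete.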