On Mon, May 14, 2012 at 12:53:34PM +0200, Mike Belopuhov wrote:
> 4) Install the server certificate on the server:
>
> ikectl ca vpn certificate 10.1.0.1 install
>
> 5) To export the client certificate in a ZIP'ed PFX format, you need
> to install the zip utility (pkg_add -i zip).
>
> ikectl ca vpn certificate 10.5.0.1 export
>

Does the .tgz file need to be extracted at all on the server? I've tried and tried for too long, and I think my certificates are out of sync. Is there a command to delete everything and just keep the original blank iked structure, so that one can start over without old certificates in the way?

> 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
> by double-clicking on them. Make sure that the certificates are valid
> in the MMC Certificates Snap-In.

This gave me a huge headache. I tried using MMC (as administrator and as another user) but my VPN client stayed at the 13806 error. Perhaps VPN wasn't meant for people like me.

> 7) Configure iked to do RSA auth w/o EAP (for the start):
>
> ikev2 "win7" passive esp \
> from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
> srcid 10.1.0.1 \
> config address 192.168.1.100 \
> config name-server 192.168.0.1
>
> Here, 192.168.0.0/24 is the network the client is getting access to,
> 192.168.1.0/24 is a "DHCP"-like network from which the client is
> getting an IP address (192.168.1.100 specifically). Please
> note that the code to turn this awkwardness into a real (DHCP-like)
> address pool specification is not written yet. Note that srcid
> has to match the host that the certificate is issued to, otherwise
> Windows will refuse to connect.
>
> Once you do that you can load iked and see that it hooks up the
> server certificate (in the iked -dvv output, that is).
>
> 7) Now on the Windows box, go to the Network Connections Center
> and create an IKEv2 VPN connection with the client. Make sure
> to check the Certificate radio button on the Security tab in
> the connection properties, so that you won't do EAP.
>
> 8) Start the connection.
>
> 9) Profit!!!
>
> PS.
>
> If someone thinks that this might be turned into some sort of a
> howto or FAQ entry or whatever, please feel free to reuse any
> piece of text. Attribution is welcomed but not required.

Would love to write something if it worked, considering I've struck out so many times with this.

-peter
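The quoted how-to names two things that silently break this setup: the policy's srcid has to equal the host the server certificate was issued to (otherwise Windows refuses to connect), and the address handed to the client has to sit inside the "to" network that stands in for the address pool. The following is an added example, not code from the thread or from the iked/ikectl project: a small Python checker that parses an ikev2 policy line of the shape quoted above and verifies both conditions before the configuration is loaded. It assumes the certificate subject has already been obtained as a string (for instance the output of `openssl x509 -noout -subject`); the sample policy and subject strings are constructed from the thread, and no real certificate or iked.conf file is read.

```python
"""Consistency checks for an iked.conf ikev2 policy (added example, not the
project's own tooling). The checks target the two mismatches the thread
identifies as fatal: srcid vs. certificate CN, and config address vs. the
'to' selector network.
"""
import ipaddress
import re
import shlex

# Constructed sample: the policy quoted in the thread, continuation lines intact.
SAMPLE_POLICY = '''ikev2 "win7" passive esp \\
from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \\
srcid 10.1.0.1 \\
config address 192.168.1.100 \\
config name-server 192.168.0.1
'''


def parse_policy(text):
    """Join backslash continuations and extract the fields the checks need.

    Returns a dict with 'name', the single-argument keywords that were present
    (from, to, srcid, dstid, local, peer) and a 'config' sub-dict keyed by the
    config option name (address, name-server, ...). Keywords without an
    argument (passive, esp, ...) are skipped.
    """
    joined = text.replace("\\\n", " ")
    tokens = shlex.split(joined)          # shlex handles the quoted policy name
    if len(tokens) < 2 or tokens[0] != "ikev2":
        raise ValueError("not an ikev2 policy line")
    fields = {"name": tokens[1], "config": {}}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("from", "to", "srcid", "dstid", "local", "peer"):
            fields[tok] = tokens[i + 1]
            i += 2
        elif tok == "config":
            fields["config"][tokens[i + 1]] = tokens[i + 2]
            i += 3
        else:
            i += 1                        # mode/protocol keywords, e.g. passive, esp
    return fields


def certificate_cn(subject):
    """Pull the CN out of an openssl-style subject string such as
    'subject=CN = 10.1.0.1' or '/CN=10.1.0.1'. Returns None if absent."""
    m = re.search(r"CN\s*=\s*([^,/]+)", subject)
    return m.group(1).strip() if m else None


def check_policy(fields, cert_subject):
    """Return a list of human-readable problems; an empty list means the policy
    is consistent with the certificate and with its own selectors."""
    problems = []

    # 1. srcid must be the host the server certificate was issued to.
    cn = certificate_cn(cert_subject)
    srcid = fields.get("srcid")
    if srcid is None or cn != srcid:
        problems.append(f"srcid {srcid!r} does not match certificate CN {cn!r}")

    # 2. The address assigned to the client must fall inside the 'to' network,
    #    which in this configuration stands in for the address pool.
    addr = fields["config"].get("address")
    to_net = fields.get("to")
    if addr and to_net:
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(to_net, strict=False):
            problems.append(f"config address {addr} is outside the 'to' network {to_net}")
    return problems


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    # Constructed subject strings: one matching the thread's srcid, one not.
    for subject in ("subject=CN = 10.1.0.1", "subject=/CN=10.5.0.1"):
        found = check_policy(policy, subject)
        print(subject, "->", found or "OK")
```

Run it against the real policy by reading the ikev2 line from iked.conf and the subject from the installed server certificate; any non-empty result is a configuration to fix before expecting a Windows client to connect.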