Hi,

I'm trying to have this
192.168.0.0/24--lan--5.1GW--egress--INTERNET--win7rw
working.

Gw : (OpenBSD 5.1) hostname vpn.X.net
        lan has 192.168.0.51/24
        egress has a static IP address: aa.bb.cc.dd
        lan and egress are groups to easily manage PF.

win7rw : Windows 7 Road Warrior host with
        dynamic IP address
        hostname: win7test
        IKEv2 IP address: 192.168.0.77/24

What I have done:
pkg_add zip
net.inet.ip.forwarding=1
2 groups for network cards : lan,egress

PF.conf:
set block-policy drop
set skip on {lo,enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto esp
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto tcp from any to any port 22
pass out on egress
pass on lan

Create certificates :
ikectl ca vpn create
ikectl ca vpn install

Parts that I don't understand, if someone can help me with them:
- For the server, do I need a server certificate for vpn.X.net or for aa.bb.cc.dd?
ikectl ca vpn certificate ? create #(for server)
ikectl ca vpn certificate ? install #(for server)

- For win7, do I need a host certificate for win7test or for 192.168.0.77?
ikectl ca vpn certificate ?? create #(for win7)
ikectl ca vpn certificate ?? export #(for win7)

- On the GW
/etc/iked.conf:
ikev2 esp \
from any to any peer any \
srcid vpn.X.net \
config address 192.168.0.77

Run /sbin/iked -dvv

Finally:
On the win7, open certmgr.msc to add the certificates:
add the 2 pfx certificates to the "Trusted Root Certification Authorities" store
and create an IKEv2 connection without EAP.

Thank you very much for your help.

Cheers,

Wesley M.A.
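For reference, a fuller road-warrior policy for the layout described above, added here as an example and not taken from the poster's files: vpn.X.net, aa.bb.cc.dd, 192.168.0.77 and the lan/egress layout come from the post; the policy name "win7rw" and the pf tag "ROADWARRIOR" are assumed names, and the pf lines assume enc0 is removed from "set skip" so that decapsulated VPN traffic is actually filtered.

```conf
# /etc/iked.conf on the GW (added example, not the original post's file).
# "passive" because the road warrior always initiates the exchange.
# srcid must equal the name of the server certificate created with
# "ikectl ca vpn certificate <name> create", here the hostname vpn.X.net.
ikev2 "win7rw" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local aa.bb.cc.dd peer any \
        srcid vpn.X.net \
        config address 192.168.0.77 \
        tag "ROADWARRIOR"

# /etc/pf.conf additions (assumption: "set skip on {lo,enc0}" becomes
# "set skip on lo"). Only packets from this policy's SAs carry the tag,
# so anything else arriving decapsulated on enc0 hits "block log all".
pass on enc0 tagged ROADWARRIOR
```

The existing "match out on egress from lan:network ... nat-to egress" rule already covers 192.168.0.77, since that address lies inside lan:network.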
