I'm not sure if it's relevant for your situation, but do you know
that, according to the iked(8) manpage, iked is 'not finished' and not
recommended for production networks? (See the last section -
'caveats')

It might be better to use isakmpd(8) with
ipsec(4)/ipsecctl(8)/ipsec.conf(5) if you're running this in production.



On Wed, Aug 15, 2012 at 01:36:47PM -0400, Bentley, Dain wrote:
> Hello Misc,
> I'm having a small issue with my iked.conf on my OpenBSD 4.9 firewall.  I have
> the following config and it works fine:
> 
> ikev2 "laptop" passive esp \
>                 from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
>                 srcid xxx.xxx.xxx.xxx \
>                 config address 1.1.1.2
> 
> 
> I have a win 7 laptop with certs and I connect with no issue.  Now I'd like to
> add a couple more clients to the mix.  So I created certs for them and
> distributed them correctly and now have the following:
> 
> 
> ikev2 "home-PC" passive esp \
>                 from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
>                 srcid xxx.xxx.xxx.xxx \
>                 config address 1.1.1.3
> 
> 
> ikev2 "laptop" passive esp \
>                 from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
>                 srcid xxx.xxx.xxx.xxx \
>                 config address 1.1.1.2
> 
> 
> 
> But when I connect I cannot, and starting iked -dvv shows it's trying to
> connect with the "laptop" policy.  I'm afraid I have the config wrong.  Is
> this the correct way to add multiple clients, and if not, what would I do?  I
> can't seem to find any info on the web or in the man pages.