On Mon, Nov 10, 2014 at 02:06:33PM +0100, Mike Belopuhov wrote:
> hi,
>
> psk is now fixed in current.
>
> there are two other ways to authenticate hosts: rsa pubkeys (a recent
> addition - works the same way as in isakmpd) and x.509 certificates.
> both these options do not require any special config options (it's "rsa"
> actually, but that's the default) and will be hooked up on startup.
>
> the procedure to set up x.509 certificates is described in ikectl(8) and
> i would strongly suggest using this tool.
>
> regarding rsa keys: i have just committed a man page update taken from
> isakmpd(8) but essentially it's just an
>
> hostA# scp /etc/iked/local.pub root@hostB:/etc/iked/pubkeys/ipv4/host.A.IP.Addr
> hostB# scp /etc/iked/local.pub root@hostA:/etc/iked/pubkeys/ipv4/host.B.IP.Addr
>
> and off you go.
>
> the important part is to keep your srcids and dstids sane, for instance
> if you're installing pubkeys under /ipv4/ you should use IPv4 IDs in
> the iked.conf.
>
> hope this helps and please try with -current iked again.

Hi,

I downloaded and installed -current's iked this morning and installed the
local.pub files; I'm happy to report:

Nov 11 08:37:51 venus iked[5335]: sa_state: VALID -> ESTABLISHED from 192.168.179.10:500 to 192.168.179.1:500 policy 'policy1'

Thank you very very much MikeB! And thank you to the other fellow in this
thread too! I'm a very happy camper, and aes encrypted again!

-peter
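
The point in the quoted message about keeping dstids consistent with the pubkeys directory can be checked mechanically. The script below is an added example, not part of the thread or of iked. The function names, the simplified ID classification, and the sample config with the hostname gw.example.org are assumptions constructed for illustration. The ipv6, fqdn and ufqdn directory names follow iked(8).

```shell
# Added example: verify every dstid in an iked.conf has a peer public key
# filed under the pubkeys/ subdirectory matching its ID type.
# Simplified ID classification (assumption): '@' -> ufqdn, ':' -> ipv6,
# four dot-separated digit groups -> ipv4, anything else -> fqdn.
id_type() {
    case "$1" in
        *@*) echo ufqdn ;;
        *:*) echo ipv6 ;;
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo fqdn ;;
        *.*.*.*) echo ipv4 ;;
        *) echo fqdn ;;
    esac
}

# Print each dstid value in the config, ignoring comments and quotes.
conf_dstids() {
    awk '{ sub(/#.*/, "")
           for (i = 1; i < NF; i++)
               if ($i == "dstid") { v = $(i + 1); gsub(/"/, "", v); print v }
         }' "$1"
}

# check_iked_pubkeys CONF PUBKEYDIR: prints one line per dstid and
# returns 1 if any peer key file is missing or empty.
check_iked_pubkeys() {
    rc=0
    for id in $(conf_dstids "$1"); do
        t=$(id_type "$id")
        if [ -s "$2/$t/$id" ]; then echo "ok $t/$id"
        else echo "missing $t/$id"; rc=1; fi
    done
    return $rc
}

# Constructed sample: a key filed under ipv4/, one policy with a matching
# IPv4 dstid and one whose FQDN dstid cannot find that key.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/pubkeys/ipv4"
    echo "constructed-key" > "$d/pubkeys/ipv4/192.168.179.1"
    printf '%s\n' 'ikev2 "policy1" esp from any to any dstid 192.168.179.1' \
        'ikev2 "policy2" esp from any to any dstid gw.example.org' > "$d/iked.conf"
    check_iked_pubkeys "$d/iked.conf" "$d/pubkeys"; st=$?
    rm -rf "$d"; return $st
}

# Usage: sh check.sh CONF PUBKEYDIR (no arguments runs the constructed demo,
# which reports one missing key by design).
if [ $# -eq 2 ]; then check_iked_pubkeys "$1" "$2"; else demo || true; fi
```

On a real host the two arguments would be the iked.conf path and /etc/iked/pubkeys.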

