If you mean OpenBSD "at the office" and OpenBSD on a roaming laptop,
this works for me (tm):

"At the office" iked.conf:

    ikev2 dion passive esp \
        from 192.168.99.0/24 to 192.168.100.3 \
        local 192.168.99.1 peer any \
        srcid vpn.example.com dstid dion.example.com

On "the wanderer" iked.conf:

    ikev2 home active esp \
        from egress to 192.168.99.0/24 \
        local egress peer vpn.example.com \
        srcid dion.example.com dstid vpn.example.com

On the "wanderer" pf.conf:

    match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port

Some notes:

- Authentication is made using certificates. See man isakmpd for that.
- The server's running 6.0-stable, the client is on -current, both amd64
- Adding srcnat to the client's iked.conf:
      "from egress (192.168.100.3)..."
  as per the man page actually breaks this setup for me. The tunnel is
  up but nothing goes through it. This changed around 6.0 (sorry but
  can't pinpoint it).
- "static-port" on the PF rule is there because I want to mount some NFS
  shares and pf "bumped" the port too high and the server wouldn't take
  it. You shouldn't use it unless you really need it.

Hope it helps.

Cheers
Zé

On Mon, Oct 03, 2016 at 04:48:25PM +0300, Pavel Korovin wrote:
> Dear all,
>
> Does anybody use iked(8) for remote access (aka Road Warrior setup)
> from OpenBSD clients? There's a lot of info on setting it up for
> Windows/Android/iOS clients, but I didn't find anything about
> OpenBSD client setup.
>
> I have such a setup, but with recent changes to iked my VPN connection is
> somewhat unstable.
>
> --
> With best regards,
> Pavel Korovin
>
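
An added example, not part of the original message: a small consistency check over the two iked.conf policies and the pf rule posted above, catching the mismatches (IDs, protected network, NAT address) that leave a tunnel failing or up but passing no traffic. The function names are hypothetical, the parser handles only the keywords used in the message, and the rule that the nat-to address must fall inside the office policy's "to" selector is an assumption drawn from how the posted configs line up.

```python
import ipaddress
import re

# Policies and pf rule copied from the message above.
OFFICE = r"""ikev2 dion passive esp \
from 192.168.99.0/24 to 192.168.100.3 \
local 192.168.99.1 peer any \
srcid vpn.example.com dstid dion.example.com"""
WANDERER = r"""ikev2 home active esp \
from egress to 192.168.99.0/24 \
local egress peer vpn.example.com \
srcid dion.example.com dstid vpn.example.com"""
PF_RULE = "match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port"
KEYS = ("from", "to", "local", "peer", "srcid", "dstid")

def parse_policy(text):
    """Parse one ikev2 policy; only the keywords used in the message are handled."""
    words = text.replace("\\\n", " ").split()
    policy = {"name": words[1], "mode": words[2]}
    for i, word in enumerate(words[:-1]):
        if word in KEYS:
            policy[word] = words[i + 1]
    return policy

def cross_check(office_text, wanderer_text, pf_rule):
    """Return the mismatches between the two ends; an empty list means consistent."""
    office, roamer = parse_policy(office_text), parse_policy(wanderer_text)
    problems = []
    if "active" not in (office["mode"], roamer["mode"]):
        problems.append("both policies are passive, nobody initiates")
    # Each side's srcid has to be the ID the other side expects as dstid.
    if office["srcid"] != roamer["dstid"]:
        problems.append("office srcid != wanderer dstid")
    if roamer["srcid"] != office["dstid"]:
        problems.append("wanderer srcid != office dstid")
    # The protected office network must be the same on both ends.
    if ipaddress.ip_network(office["from"]) != ipaddress.ip_network(roamer["to"]):
        problems.append("office 'from' network != wanderer 'to' network")
    # Assumption: the pf nat-to address must fall inside the office 'to' selector.
    nat = re.search(r"nat-to\s+(\S+)", pf_rule)
    office_to = ipaddress.ip_network(office["to"], strict=False)
    if nat is None or ipaddress.ip_address(nat.group(1)) not in office_to:
        problems.append("nat-to address is outside the office 'to' selector")
    return problems

if __name__ == "__main__":
    for line in cross_check(OFFICE, WANDERER, PF_RULE) or ["configs are consistent"]:
        print(line)
```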