On 2018/02/22 09:51, Joel Carnat wrote:
> Le 22/02/2018 09:35, Stuart Henderson a écrit :
> > On 2018-02-22, Igor V. Gubenko <i...@gubenko.com> wrote:
> > > I am far from an expert; having issues myself at the moment, but maybe
> > > if we get all of the iked experimenters together, we can figure it out
> > > :)
> > This definitely isn't going to work, iked only supports
> > username/password
> > authentication as a responder. not initiator.
> Is there any software that enables openbsd to be an ipsec initiator using
> user/pass ?
Not for IKEv2. OpenBSD iked as client supports psk but not EAP for
user/password. afaik no other implementations have been ported.
By far the simplest way which doesn't rely on psk, if the other side
supports it, is to use iked with public keys (without using x509 pki)
- just copy local.pub from one side to the appropriate subdirectory of
pubkeys/ on the other.
It *may* be possible for IKEv1 with xauth using vpnc, but it's old
all-userland software, not using the standard OpenBSD IPsec stack, the
port (and probably upstream software) are not really maintained.
No modern crypto.