On 2020/02/16 18:25, Peter Müller wrote:
> Hello Stuart,
>
> thanks for your quick reply.
>
> > On 2020-02-14, Peter Müller <peter.muel...@link38.eu> wrote:
> >> Hello openbsd-misc,
> >>
> >> during some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client on an
> >> OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing policies for CHILD_SA
> >> fails (as expected):
> >>
> >>> unable to install IPsec policies (SPD) in kernel
> >>> failed to establish CHILD_SA, keeping IKE_SA
> >>
> >> To those who are running strongSwan as an IPsec client on OpenBSD: Which is the best
> >> procedure in this case? Are there other methods of installing IPsec policies into the
> >> kernel available?
> >
> > strongSwan's module to install policies to the kernel (kernel-pfkey) does
> > not support OpenBSD without making code changes. Not impossible but hasn't
> > been done. Only their userland setup that works with tun(4) devices
> > (slightly confusingly called kernel-ipsec) is available.
>
> Hm, after fiddling around for a while, I am a bit helpless on this. Do you happen to have
> some example configuration? If yes, I would be very grateful to see it. :-)

I put a sanitized version of my config in the pkg-readme file in the strongswan package - but I only used it for a very basic EAP-MSCHAP client (and I don't know strongswan very well; I normally only use it on Android with the gui configuration tool) so there is nothing fancy in there.