On Mon, Sep 13, 2010 at 06:59:03PM -0500, Jacob Yocom-Piatt wrote:
> took a quick stab at getting iked working because isakmpd is so
> awesome. i was not able to figure out the proper way to get the CA
> cert and host cert and key imported to a non-CA host.
>
> i am using hosts 10.160.0.10 and 10.160.0.150 and the vpn subnets
> will be 10.160.10.0/24 on 10.160.0.10 and 10.160.150.0/24 on
> 10.160.0.150. the vpn subnets are vlan0 on each of these hosts, so
> that vlan0 on 10.160.0.10 has ip 10.160.10.1 and vlan0 on
> 10.160.0.150 has ip 10.160.150.1.
>
> created ca key and cert on 10.160.0.10 with the following info
>
> subject=/C=US/O=iked test/OU=iked ca/CN=10.160.0.10/[email protected]
>
> using command 'ikectl ca test create'. created host key and cert on
> 10.160.0.10 for host 10.160.0.10 with the following info
>
> subject=/C=US/O=iked test/OU=iked host/CN=10.160.0.10/[email protected]
>
> created host key and cert for 10.160.0.150 on 10.160.0.10 with the
> following info
>
> subject=/C=US/O=iked test/OU=iked host/CN=10.160.0.150/[email protected]
>
> the trouble now is getting the 10.160.0.150 cert, key and CA cert
> installed on 10.160.0.150. afaict there is no ikectl command to
> effect this. clues appreciated.

The cert export command will create a tarball you can extract on the other side.

> i did initially want to test iked using PSK to get the simplest
> possible config but it appears that is somewhat at odds with the PKI
> setup that is encoded in ikectl.

PSK should work fine.
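As an added example (not part of the thread, and not ikectl's own code): a small pre-extraction check for the exported certificate tarball before it is unpacked as root on the non-CA host. The directory layout it expects (ca/, certs/, private/local.key) follows the /etc/iked layout iked documents; that the ikectl export tarball uses exactly those relative paths is an assumption, as is the sample content, which is constructed placeholder text rather than real certificates. The script refuses tarballs that contain absolute paths or '..' components and tarballs that are missing any of the three pieces, then extracts into a staging directory standing in for /etc/iked and tightens the key permissions.

```shell
#!/bin/sh
# Added example: validate an iked certificate tarball before installing it.
# Layout assumption: ca/<ca>.crt, certs/<host>.crt, private/local.key, all
# relative, as under /etc/iked. All file contents below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the tarball the ikectl export command produces (constructed).
make_sample_tarball() {
    src="$WORK/src"
    mkdir -p "$src/ca" "$src/certs" "$src/private"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED CA CERT\n-----END CERTIFICATE-----\n' >"$src/ca/ca.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED HOST CERT 10.160.0.150\n-----END CERTIFICATE-----\n' >"$src/certs/10.160.0.150.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED KEY\n-----END PRIVATE KEY-----\n' >"$src/private/local.key"
    chmod 600 "$src/private/local.key"
    (cd "$src" && tar -czf "$WORK/10.160.0.150.tgz" ca certs private)
    printf '%s\n' "$WORK/10.160.0.150.tgz"
}

# An incomplete export (no private key) that the check must reject (constructed).
make_bad_tarball() {
    bad="$WORK/bad"
    mkdir -p "$bad/ca" "$bad/certs"
    printf 'CONSTRUCTED CA CERT\n' >"$bad/ca/ca.crt"
    printf 'CONSTRUCTED HOST CERT\n' >"$bad/certs/10.160.0.150.crt"
    (cd "$bad" && tar -czf "$WORK/bad.tgz" ca certs)
    printf '%s\n' "$WORK/bad.tgz"
}

# Inspect the member list: every entry must be a relative path without '..',
# and the CA cert, host cert and private key must all be present.
inspect_tarball() {
    tgz=$1
    listing=$(tar -tzf "$tgz") || return 1
    for m in $listing; do
        case "$m" in
            /*|..|../*|*/../*|*/..)
                printf 'unsafe member: %s\n' "$m" >&2
                return 1 ;;
        esac
    done
    for want in 'ca/.*\.crt$' 'certs/.*\.crt$' 'private/local\.key$'; do
        printf '%s\n' "$listing" | grep -q "$want" || {
            printf 'missing required entry matching: %s\n' "$want" >&2
            return 1
        }
    done
    return 0
}

# Only after the check passes, unpack into the destination (on a real host
# this would be /etc/iked) and make sure the key is readable by root only.
install_tarball() {
    tgz=$1
    dest=$2
    inspect_tarball "$tgz" || return 1
    mkdir -p "$dest"
    tar -xzpf "$tgz" -C "$dest"
    chmod 700 "$dest/private"
    chmod 600 "$dest/private/local.key"
    printf '%s\n' "$dest"
}

# Demonstration run against the constructed tarballs.
GOOD=$(make_sample_tarball)
install_tarball "$GOOD" "$WORK/etc-iked" >/dev/null
printf 'installed into %s:\n' "$WORK/etc-iked"
find "$WORK/etc-iked" -type f

BAD=$(make_bad_tarball)
if inspect_tarball "$BAD" 2>/dev/null; then
    printf 'unexpected: incomplete tarball accepted\n'
else
    printf 'rejected incomplete tarball %s\n' "$BAD"
fi
```

On the real non-CA host the destination would be /etc/iked and the extraction done as root; the check costs nothing and catches a truncated or mis-built export before iked is restarted against a half-installed keypair.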

