Have a look at the discussion between me and Mike Belopuhov that took
place not so long ago here... We have covered most of the troubles that
you might have met following the man pages.
22.05.2012 10:14, Wesley wrote:
Hi,
I'm trying to have this
I already read your posts ;-) and also man pages (ikectl, iked.conf and
iked)
But now it is for a road warrior configuration.
I don't understand these parts :
Parts that I don't understand, if someone can help me on :
-For server, I need a certificate server for vpn.X.net ? or aa.bb.cc.dd
?
Certificates are now accepted.
iked -dvv gives me :
...
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x08 - 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x0c - 0x0e valid,auth,sa (required 0x0f cert,valid,auth,sa)
Working iked.conf that runs without a problem:
ikev2 win7 quick passive esp inet proto udp \
from $local_net to $client_net local local.endpoint.net peer remote.endpoint.net \
srcid local.endpoint.IP.address \
dstid remote endpoint's certificate distinguished name \
22.05.2012 17:23, Pavel Shvagirev wrote:
peer.endpoint.net - is an initiator side (win7 machine). Win7's cert
must be issued to that IP.
I mean remote.endpoint.net here
Two more notes:
1. Win7 connection should be set up to the OpenBSD's IP address, not the
FQDN. (the first tab in the
First thank you very much for your time and reply. I appreciate.
Therefore win7 is a road warrior host so dynamic address.
so the iked.conf becomes :
ikev2 win7 passive esp \
from 192.168.0.0/24 to 10.10.10.0/24 local aa.bb.cc.dd peer any \
srcid aa.bb.cc.dd \
config address 10.10.10.7
It works !!! ;-)
Just doing below.
--
Wesley
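
Added example (not part of the original thread and not code from the iked project): a small Python reader for the sa_stateflags lines quoted earlier in the thread, reporting which required flags an SA has gained and which it is still missing after each transition. The bit-to-name mapping is an assumption inferred from the hex values and names printed in those lines.

```python
import re

# Flag bits as they can be read off the log lines in this thread
# (0x0c = auth,sa; 0x0e = valid,auth,sa; 0x0f = cert,valid,auth,sa).
# Assumption: inferred from that output, not taken from the iked source.
FLAGS = {0x01: "cert", 0x02: "valid", 0x04: "auth", 0x08: "sa"}

LINE = re.compile(
    r"sa_stateflags:\s*(0x[0-9a-f]+)\s*-\s*(0x[0-9a-f]+)\s+(\S+)\s+"
    r"\(required\s+(0x[0-9a-f]+)\s+(\S+)\)", re.I)

# The iked -dvv lines quoted in the thread, with the mail line wrap intact.
SAMPLE = """\
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x08 - 0x0c auth,sa (required 0x0f cert,valid,auth,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x0c - 0x0e valid,auth,sa (required 0x0f
cert,valid,auth,sa)
"""

def names(mask):
    """Names of the flags set in mask, lowest bit first (the order iked prints)."""
    return [n for bit, n in sorted(FLAGS.items()) if mask & bit]

def parse_stateflags(text):
    """Return one dict per sa_stateflags transition found in iked -dvv output."""
    # Undo mail/terminal wrapping inside the "(required ...)" part.
    text = re.sub(r"\(required\s+(0x[0-9a-f]+)\s*\n\s*", r"(required \1 ",
                  text, flags=re.I)
    out = []
    for m in LINE.finditer(text):
        old, new, req = (int(m.group(i), 16) for i in (1, 2, 4))
        # Cross-check the printed names against the hex values.
        if names(new) != m.group(3).split(",") or names(req) != m.group(5).split(","):
            raise ValueError("flag names do not match mask: " + m.group(0))
        out.append({"old": old, "new": new, "required": req,
                    "gained": names(new & ~old), "missing": names(req & ~new)})
    return out

if __name__ == "__main__":
    for t in parse_stateflags(SAMPLE):
        print(f"{t['old']:#04x} -> {t['new']:#04x} "
              f"gained={t['gained']} missing={t['missing']}")
```
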
On 22 May 2012 at 19:29, Wesley MOUEDINE ASSABY wrote:
First thank you very much for your time and reply. I appreciate.
Therefore win7 is a road warrior host so dynamic address.
so the iked.conf becomes :
ikev2 win7 passive esp \
from