Here's an addition to EXAMPLES for one of my frequent use cases that finally "just works".
First transport mode for child SAs was implemented, then a few interoperability issues have been identified with peers other than iked, now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this. Feedback? OK? Index: iked.conf.5 =================================================================== RCS file: /cvs/src/sbin/iked/iked.conf.5,v retrieving revision 1.71 diff -u -p -r1.71 iked.conf.5 --- iked.conf.5 10 Jul 2020 21:23:47 -0000 1.71 +++ iked.conf.5 12 Jul 2020 14:32:00 -0000 @@ -1014,6 +1014,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 .Ed +.Pp +This example encrypts a +.Xr gre 4 +tunnel from local machine A to peer D using FQDN-based public key +authentication. +.Ar transport +mode is used to avoid duplicate encapsulation of GRE; +.Ar dstid +is set explicitly to the peer's FQDN such that its public key is looked up even +if the peer does not send its FQDN as peer ID: +.Bd -literal -offset indent +ikev2 transport \e + proto gre \e + from A.example.com to D.example.com \e + peer D.example.com \e + dstid D.example.com +.Ed .Sh SEE ALSO .Xr enc 4 , .Xr ipsec 4 ,
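Review bot: in the added paragraph, `.Ar transport` and `.Ar dstid` mark configuration keywords with the macro for user-supplied arguments; if the rest of iked.conf.5 marks keywords with `.Ic` (or `.Cm`), use that here so the two words render consistently with the `ikev2 transport ... dstid D.example.com` lines in the literal block below them. The sentence explaining `dstid` could also state plainly that the public key is looked up by the name given as `dstid`, so a reader knows which identity the peer's key has to be stored under, rather than only that the lookup still works "even if the peer does not send its FQDN as peer ID".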
