It is extremely unwise to use DNS names at this level (or things which look like DNS names). The same problems that pf has with DNS are present here. You really don't want people to get into this habit.
Klemens Nanni <[email protected]> wrote: > Here's an addition to EXAMPLES for one of my frequent use cases that > finally "just works". > > First transport mode for child SAs was implemented, then a few > interoperability issues have been identified with peers other than iked, > now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this. > > Feedback? OK? > > Index: iked.conf.5 > =================================================================== > RCS file: /cvs/src/sbin/iked/iked.conf.5,v > retrieving revision 1.71 > diff -u -p -r1.71 iked.conf.5 > --- iked.conf.5 10 Jul 2020 21:23:47 -0000 1.71 > +++ iked.conf.5 12 Jul 2020 14:32:00 -0000 > @@ -1014,6 +1014,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1 > ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2 > ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3 > .Ed > +.Pp > +This example encrypts a > +.Xr gre 4 > +tunnel from local machine A to peer D using FQDN-based public key > +authentication. > +.Ar transport > +mode is used to avoid duplicate encapsulation of GRE; > +.Ar dstid > +is set explicitly to the peer's FQDN such that its public key is looked up > even > +if the peer does not send its FQDN as peer ID: > +.Bd -literal -offset indent > +ikev2 transport \e > + proto gre \e > + from A.example.com to D.example.com \e > + peer D.example.com \e > + dstid D.example.com > +.Ed > .Sh SEE ALSO > .Xr enc 4 , > .Xr ipsec 4 , >
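Review bot: the example in this hunk puts DNS names where iked expects addresses, in `from A.example.com to D.example.com` and `peer D.example.com`; those names are resolved when the configuration is parsed, so the flow selectors and the peer address silently depend on name resolution at start-up and change whenever the records change, which is exactly the pf-style DNS problem raised in the reply above. Only `dstid D.example.com` needs to be an FQDN, since that is the IKE identity under which the peer's public key is filed. Suggest keeping the FQDN for `dstid` and using literal addresses for the selectors and peer, for example (placeholder addresses, not from the patch) `from 10.0.1.1 to 10.0.2.1 peer 192.168.1.2 \e` followed by `dstid D.example.com`, and saying in the prose that the FQDN is the peer's identity rather than its address. Separately, the added line `+is set explicitly to the peer's FQDN such that its public key is looked up even` appears to have been wrapped by the mail client (the stray `> even` before `+if the peer`), so the patch as posted will not apply cleanly; resend with the line intact or shortened.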
