/etc/examples/iked.conf tweaks:

- show a demo of a strong random string for psk, for some types of
configuration psk makes sense. the previous example hinted at.not
using it.

- change the EAP MSCHAPv2 example so that more than one client can
connect (previous used address config but with only a single address not
a pool), and use the newer keywords to show how to route all traffic
from dynamic-ip clients over the tunnel

ok tobhe@

diff --git a/etc/examples/iked.conf b/etc/examples/iked.conf
index 6c85966..280c703 100644 (file)
--- a/etc/examples/iked.conf
+++ b/etc/examples/iked.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
+# $OpenBSD: iked.conf,v 1.2 2023/03/01 22:45:25 sthen Exp $
 #
 # See iked.conf(5) for syntax and examples.
 
@@ -6,13 +6,14 @@
 #user "user1" "password123"
 #user "user2" "password456"
 
-# Configuration for clients connecting with EAP authentication.
+# Configuration for clients connecting with EAP authentication
+# and sending all traffic over the IKEv2 tunnel.
 # Remember to set up a PKI, see ikectl(8) for more information.
-#ikev2 "win7" passive esp \
-#      from 10.1.0.0/24 to 10.2.0.0/24 \
+#ikev2 "eapclient" passive esp \
+#      from any to dynamic \
 #      local any peer any \
 #      eap "mschap-v2" \
-#      config address 10.2.0.1 \
+#      config address 10.2.0.0/24 \
 #      config name-server 10.1.0.2 \
 #      tag "$name-$id"
 
@@ -22,4 +23,4 @@
 #      from 10.5.0.0/24 to 10.1.0.0/24 \
 #      from 10.5.0.0/24 to 172.16.1.0/24 \
 #      local 192.168.1.1 peer 192.168.2.1 \
-#      psk "you-should-not-use-psk-authentication!"
+#      psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"