From: sthen
Date: Mon, 6 Mar 2023 13:57:45 +0000 (+0000)
Subject: tweak examples/iked.conf bits a little further following comments by
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2e4eb7f849c6848d58f7a81c634440ad6cdf310f;p=openbsd

tweak examples/iked.conf bits a little further following comments by
aisha@ and Crystal Kolipe, ok aisha@ tobhe@
---
diff --git a/etc/examples/iked.conf b/etc/examples/iked.conf
index 280c70393e0..d89cd190283 100644
--- a/etc/examples/iked.conf
+++ b/etc/examples/iked.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: iked.conf,v 1.2 2023/03/01 22:45:25 sthen Exp $
+# $OpenBSD: iked.conf,v 1.3 2023/03/06 13:57:45 sthen Exp $
 #
 # See iked.conf(5) for syntax and examples.
@@ -8,7 +8,10 @@
 # Configuration for clients connecting with EAP authentication
 # and sending all traffic over the IKEv2 tunnel.
-# Remember to set up a PKI, see ikectl(8) for more information.
+#
+# EAP requires a server certificate; see ikectl(8) for more details
+# on generating this with an iked-specific local CA.
+#
 #ikev2 "eapclient" passive esp \
 # from any to dynamic \
 # local any peer any \
@@ -17,10 +20,16 @@
 # config name-server 10.1.0.2 \
 # tag "$name-$id"
-# Configuration for a client authenticating with a pre-shared key.
+# Configuration for a client authenticating with a pre-shared key,
+# mostly useful for LAN-to-LAN tunnels between static IP endpoints.
+#
+# For iked->iked tunnels you can use a simple config using public
+# keys instead - omit psk and copy /etc/iked/local.pub on each side to
+# /etc/iked/pubkeys/ipv4/
on the other.
+#
 #ikev2 esp \
 # from 10.3.0.0/24 to 10.1.0.0/24 \
 # from 10.5.0.0/24 to 10.1.0.0/24 \
 # from 10.5.0.0/24 to 172.16.1.0/24 \
 # local 192.168.1.1 peer 192.168.2.1 \
-# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"
+# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me"
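Review bot: The new text at `+# EAP requires a server certificate` covers only the responder side; the replaced line's "set up a PKI" implicitly included the other half, which is that every EAP client has to trust the CA that issued that certificate, and the new wording drops that. Without it a reader will generate the certificate with ikectl(8) and then wonder why clients refuse the responder or, worse, disable certificate validation on the client to make it work. A third comment line such as `# Clients must be configured to trust the CA that signed this certificate.` would close the gap. The `ikev2 "eapclient"` policy itself continues past the end of the hunk.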
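Review bot: Appending `-replace-me` to the psk makes the placeholder harder to ship by accident, but the comment still does not say why it must be replaced or what a good replacement looks like; a key copied from a published example offers no protection, and with psk authentication both peers hold the same secret, so either side can impersonate the other. A line above the policy such as `# psk must be a long random secret unique to this pair of peers, e.g. from: openssl rand -base64 32` would make both points without lengthening the example. Separately, the public-key alternative reads `/etc/iked/pubkeys/ipv4/` followed by `on the other` in this rendering; the peer-address filename may have been lost in extraction, but if the committed line really ends at `ipv4/` it should name the file after the peer's address as iked(8) describes.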