Add this to /etc/iked.conf:
user 'username' 'password'

ikev2 'vpn.ircnow.org' passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local 69.85.86.144 peer any \
        srcid vpn.ircnow.org \
        eap "mschap-v2" \
        config address 10.0.5.0/24 \
        config name-server 69.85.86.144 \
        tag "ROADW"
Add this to /etc/pf.conf:
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
(Note that $ext_if was defined earlier in pf.conf:)

ext_if = "em0"
To reload the new pf ruleset:
$ doas pfctl -f /etc/pf.conf
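A consistency check for the two files above, written as an added example for this page (it is not code from the original page or from IRCNow): it parses the `tag` name in iked.conf and the `tagged` names in pf.conf, using copies of the configuration above as constructed sample input, and reports when they disagree or when the `pass on enc0` rule is missing.

```python
"""Cross-check iked.conf and pf.conf tags for the road-warrior setup above.
iked tags a policy's flows with `tag "NAME"`; pf passes that traffic only
where a rule matches `tagged NAME`. With a default-deny ruleset, a mismatch
silently blocks all tunnel traffic even though the IKEv2 exchange succeeds."""
import re

# Constructed sample inputs, modelled on the configuration in the text.
IKED_CONF = '''
user 'username' 'password'
ikev2 'vpn.ircnow.org' passive esp \\
        from 0.0.0.0/0 to 0.0.0.0/0 \\
        local 69.85.86.144 peer any \\
        srcid vpn.ircnow.org \\
        eap "mschap-v2" \\
        config address 10.0.5.0/24 \\
        config name-server 69.85.86.144 \\
        tag "ROADW"
'''
PF_CONF = '''
ext_if = "em0"
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
'''
def join_continuations(text):
    """Fold backslash-newline continuations so each policy is one logical line."""
    return re.sub(r"\\\n\s*", " ", text)

def iked_tags(text):
    """Tag names iked attaches to flows (`tag "NAME"` in each ikev2 policy)."""
    return set(re.findall(r"""\btag\s+["']?([\w-]+)""", join_continuations(text)))

def pf_tagged(text):
    """Tag names that pf rules match with `tagged NAME`."""
    return set(re.findall(r"\btagged\s+([\w-]+)", text))

def pf_has_enc0_pass(text, tag):
    """True if a `pass on enc0 ... tagged TAG` rule admits the decapsulated traffic."""
    return re.search(rf"^pass\s+on\s+enc0\b.*\btagged\s+{tag}\b", text, re.M) is not None

def check(iked_text, pf_text):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    for tag in sorted(iked_tags(iked_text)):
        if tag not in pf_tagged(pf_text):
            problems.append(f"iked tags flows {tag!r} but no pf rule matches 'tagged {tag}'")
        elif not pf_has_enc0_pass(pf_text, tag):
            problems.append(f"no 'pass on enc0 ... tagged {tag}' rule; tunnel traffic is blocked")
    return problems
```

Run `check()` on the real files (read from /etc/iked.conf and /etc/pf.conf) before `pfctl -f`; an empty list means the tag names line up.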
Create the CA and a server certificate with ikectl, then copy the CA certificate to the web root so clients can download it:

# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate server1.domain create
# ikectl ca vpn certificate server1.domain install
writing RSA key
# cp /etc/iked/ca/ca.crt /var/www/htdocs/
To start iked:

$ doas rcctl enable iked
$ doas rcctl set iked flags -6
$ doas rcctl start iked
To turn on debugging, replace the last step with:
$ doas iked -dv