IRCNow

OpenBSD 6.6 on amd64

Add this to /etc/iked.conf (123.45.67.8 stands for the server's public IP throughout):

# EAP (MSCHAPv2) credentials for one road-warrior client
user 'username' 'password'
# passive: this host only responds to clients; the tag is what pf.conf filters on
ikev2 'vpn.ircnow.org' passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local 123.45.67.8 peer any \
    srcid vpn.ircnow.org \
    eap "mschap-v2" \
    config address 10.0.5.0/24 \
    config name-server 123.45.67.8 \
    tag "ROADW"

Add this to /etc/pf.conf:

# IKEv2 negotiation (UDP 500), NAT traversal (UDP 4500) and the ESP payload
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
# decrypted client traffic appears on enc0 carrying the tag set in iked.conf
pass on enc0 inet tagged ROADW
# NAT the clients' traffic as it leaves through the external interface
match out on $ext_if inet tagged ROADW nat-to $ext_if
# hand client DNS queries to the resolver listening on localhost
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

Note that ext_if was defined earlier in pf.conf:

ext_if = "em0"
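The iked.conf policy and the pf.conf rules only work together if they agree: the tag iked attaches to the tunnel's packets must be the tag pf filters on, pf must let IKE and ESP in, and the name-server pushed to clients must actually be answered on enc0. A mismatch produces no error, just a VPN that connects and then drops traffic. The following script is an added example, not part of the IRCNow page or of OpenBSD: it embeds constructed copies of the two fragments above and uses a hypothetical check_vpn_config() helper to cross-check them before the configuration is loaded.

```python
"""Cross-check an iked.conf road-warrior policy against the pf.conf rules
that carry its traffic.

Added example (not from the IRCNow page or OpenBSD): the two fragments
below are constructed copies of the page's configuration, and
check_vpn_config() is a hypothetical helper that flags the mismatches that
silently break such a setup (a tag pf never matches, IKE or ESP not passed,
a pushed name-server with nothing redirecting DNS on enc0).
"""
import re

# Constructed sample: the /etc/iked.conf fragment from the page.
IKED_CONF = """\
user 'username' 'password'
ikev2 'vpn.ircnow.org' passive esp \\
    from 0.0.0.0/0 to 0.0.0.0/0 \\
    local 123.45.67.8 peer any \\
    srcid vpn.ircnow.org \\
    eap "mschap-v2" \\
    config address 10.0.5.0/24 \\
    config name-server 123.45.67.8 \\
    tag "ROADW"
"""

# Constructed sample: the /etc/pf.conf fragment from the page.
PF_CONF = """\
ext_if = "em0"
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
"""


def join_continuations(text):
    """Fold backslash-newline continuations so each policy is one logical line."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_iked(text):
    """Pull out, per ikev2 policy, the fields the pf ruleset has to agree with."""
    policies = []
    for line in join_continuations(text).splitlines():
        if not line.startswith("ikev2"):
            continue
        fields = {}
        for key, pattern in (
            ("tag", r"\btag\s+[\"']?([^\s\"']+)"),
            ("pool", r"\bconfig address (\S+)"),
            ("dns", r"\bconfig name-server (\S+)"),
            ("local", r"\blocal (\S+)"),
        ):
            m = re.search(pattern, line)
            fields[key] = m.group(1) if m else None
        policies.append(fields)
    return policies


def parse_pf(text):
    """Collect which tags pf filters on, which IKE ports and protocols it
    passes, and whether it redirects client DNS on enc0 to the local resolver."""
    info = {"tagged": set(), "ike_ports": set(), "esp": False, "dns_rdr": False}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.search(r"\btagged (\S+)", line)
        if m:
            info["tagged"].add(m.group(1))
        m = re.search(r"\bproto udp\b.*\bport\s*\{([^}]*)\}", line)
        if m:
            info["ike_ports"].update(p.strip() for p in m.group(1).split(","))
        if re.search(r"^pass in\b.*\bproto esp\b", line):
            info["esp"] = True
        if re.search(r"\bon enc0\b.*\bport 53 rdr-to 127\.0\.0\.1 port 53\b", line):
            info["dns_rdr"] = True
    return info


def check_vpn_config(iked_text, pf_text):
    """Return a list of problem descriptions; an empty list means the two agree."""
    problems = []
    pf = parse_pf(pf_text)
    for pol in parse_iked(iked_text):
        if pol["tag"] is None:
            problems.append("policy sets no tag, so pf cannot single out its flows")
        elif pol["tag"] not in pf["tagged"]:
            problems.append("iked tags flows %s but pf has no 'tagged %s' rule"
                            % (pol["tag"], pol["tag"]))
        if pol["dns"] and not pf["dns_rdr"]:
            problems.append("clients are pushed name-server %s but enc0 port 53 "
                            "is not redirected to a local resolver" % pol["dns"])
    for port in ("isakmp", "ipsec-nat-t"):
        if port not in pf["ike_ports"]:
            problems.append("pf does not pass udp port %s, so IKEv2 cannot negotiate" % port)
    if not pf["esp"]:
        problems.append("pf does not pass proto esp, so tunnel traffic is dropped")
    return problems


if __name__ == "__main__":
    print("page config:", check_vpn_config(IKED_CONF, PF_CONF) or "consistent")
    # A tag renamed on one side only is the classic silent failure.
    broken = IKED_CONF.replace('tag "ROADW"', 'tag "ROADWARRIOR"')
    for problem in check_vpn_config(broken, PF_CONF):
        print("broken config:", problem)
```

On the real host this text-level check complements, rather than replaces, the syntax checks the tools provide (pfctl -nf /etc/pf.conf and iked -n), which catch malformed rules but not a tag that is spelled differently in the two files.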

To reload the new pf ruleset:

$ doas pfctl -f /etc/pf.conf

Next, create a certificate authority named vpn and a certificate for the server with ikectl, install both into /etc/iked, and copy the CA certificate to the web root so clients can download and trust it. server1.domain is a placeholder: use a name that matches the srcid in iked.conf (vpn.ircnow.org above), since iked selects the server certificate by that ID.

# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate server1.domain create
# ikectl ca vpn certificate server1.domain install
writing RSA key
# cp /etc/iked/ca/ca.crt /var/www/htdocs/

To enable iked at boot and start it now (the -6 flag disables iked's IPv6 support):

$ doas rcctl enable iked
$ doas rcctl set iked flags -6
$ doas rcctl start iked

To turn on debugging, replace the last step with the following, which runs iked in the foreground with verbose output:

$ doas iked -dv