How-To : VPN IKEv2 between a Windows 8 Road Warrior Host and an OpenBSD gateway

Considering the following network ...


Please, first read the man pages : iked(8), iked.conf(5), pfctl(8) and pf.conf(5)

For newbies, the OpenBSD FAQ, afterboot(8) and rc.conf(8) are useful

** IKED is not yet finished. **


:: The Gateway Part ::

hostname : vpn.domain.local

lan :

egress : static ip address provided by ISP : aa:bb:cc:dd

rl0 : group lan

rl1 : group egress


Example: assign the network card rl0 to the group "lan"

Edit the file /etc/hostname.rl0 and add this line :

!/sbin/ifconfig rl0 group lan


Install the zip package; ikectl needs it to build the Windows export archive


export PKG_PATH=$(uname -m)/

pkg_add zip


Configure PF


Make sure IP forwarding is enabled, i.e. /etc/sysctl.conf contains: net.inet.ip.forwarding=1

Or apply it on the fly : sysctl net.inet.ip.forwarding=1


/etc/pf.conf :


# the only host allowed to reach the gateway over ssh (macro used below)
admin = "ww.xx.yy.zz"

# no filtering on loopback and on the IPsec interface; the egress rules already control what enters the tunnel
set skip on {lo,enc0}

match out on egress from lan:network to any nat-to egress

block log all

pass in on egress proto tcp from $admin to any port ssh

# IKE (500/udp) and NAT traversal (4500/udp)
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}

pass in on egress proto {ah,esp}

pass out on egress

pass on lan


We allow the host "ww.xx.yy.zz" to administer the box over ssh (from the Internet). The admin macro must be defined before the rule that uses $admin, otherwise pfctl refuses to load the file.


Enable and load the rules

/sbin/pfctl -evf /etc/pf.conf


Get a custom ikeca.cnf to keep things as simple as possible


Get it here, and move it to /etc/ssl

or follow this :


cd /tmp


tar -C /usr/src -zxf src.tar.gz

cp /usr/src/usr.sbin/ikectl/ikeca.cnf /etc/ssl


Now modify it as you see fit.

Here is a sample :


CERT_C                  = FR

CERT_ST                 = NA

CERT_L                  = REUNION

CERT_O                  = .aise

CERT_OU                 = VPN

CERT_CN                 =

CERT_EMAIL              =



Create certificates


/usr/sbin/ikectl ca vpn create # Common Name = Hostname

/usr/sbin/ikectl ca vpn install


/usr/sbin/ikectl ca vpn certificate create #SERVER, CN =

/usr/sbin/ikectl ca vpn certificate install


/usr/sbin/ikectl ca vpn certificate windows create #CLIENT, CN = Name it at your convenience

/usr/sbin/ikectl ca vpn certificate windows export


Copy the exported file to the Windows 8 host.


Configure iked


/etc/iked.conf :


ikev2 passive esp \
from to local peer any \
srcid \
config address


You can start iked manually with : /sbin/iked


To start the iked daemon at boot :

echo iked_flags= >> /etc/rc.conf.local


For testing, run it in the foreground with debug output : /sbin/iked -dvv


View the established flows and security associations :


# ipsecctl -sa


flow esp in from to peer w8.w8.w8.w8 srcid IPV4/ type use

flow esp out from to peer w8.w8.w8.w8 srcid IPV4/ type require

flow esp out from ::/0 to ::/0 type deny



esp tunnel from w8.w8.w8.w8 to spi 0x1704e5e0 auth hmac-sha1 enc aes-256

esp tunnel from to w8.w8.w8.w8 spi 0x55ace81c auth hmac-sha1 enc aes-256
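An added check, not part of the original how-to, that reads an `ipsecctl -sa` dump in the layout above and verifies that a given road-warrior peer has both flows and both ESP SAs, and that neither SA uses a weak algorithm. The dump below is constructed; 203.0.113.7 stands in for the Windows client (w8.w8.w8.w8) and 198.51.100.1 for the gateway's egress address.

```shell
#!/bin/sh
# check_peer PEER  <  dump of `ipsecctl -sa`
# exit 0 when inbound+outbound flows and inbound+outbound ESP SAs exist for PEER
# and the SAs use acceptable algorithms; exit 1 with reasons on stderr otherwise.
check_peer() {
    awk -v peer="$1" '
    # flow lines: "flow esp in|out from A to B peer ADDR ... type use|require"
    $1 == "flow" && $2 == "esp" {
        for (i = 1; i <= NF; i++) if ($i == "peer" && $(i+1) == peer) dir[$3] = 1
    }
    # SA lines: "esp tunnel from A to B spi N auth ALG enc ALG"
    $1 == "esp" && $2 == "tunnel" {
        auth = ""; enc = ""
        if ($4 == peer) sa["in"] = 1      # from peer  -> traffic entering the gateway
        if ($6 == peer) sa["out"] = 1     # to peer    -> traffic leaving the gateway
        for (i = 1; i <= NF; i++) {
            if ($i == "auth") auth = $(i+1)
            if ($i == "enc")  enc  = $(i+1)
        }
        if (auth ~ /md5/ || enc ~ /^(des|3des|blowfish|cast)/) weak = weak " " $0
    }
    END {
        rc = 0
        if (!dir["in"])  { print "missing inbound flow for " peer  > "/dev/stderr"; rc = 1 }
        if (!dir["out"]) { print "missing outbound flow for " peer > "/dev/stderr"; rc = 1 }
        if (!sa["in"])   { print "missing inbound SA from " peer   > "/dev/stderr"; rc = 1 }
        if (!sa["out"])  { print "missing outbound SA to " peer    > "/dev/stderr"; rc = 1 }
        if (weak != "")  { print "weak algorithms:" weak            > "/dev/stderr"; rc = 1 }
        exit rc
    }'
}

# Constructed sample in the `ipsecctl -sa` layout shown above (addresses are
# RFC 5737 placeholders; 10.99.0.1 is the address handed out by "config address").
SAMPLE='flow esp in from 10.99.0.1/32 to 192.168.1.0/24 peer 203.0.113.7 srcid FQDN/vpn.domain.local type use
flow esp out from 192.168.1.0/24 to 10.99.0.1/32 peer 203.0.113.7 srcid FQDN/vpn.domain.local type require
flow esp out from ::/0 to ::/0 type deny
esp tunnel from 203.0.113.7 to 198.51.100.1 spi 0x1704e5e0 auth hmac-sha1 enc aes-256
esp tunnel from 198.51.100.1 to 203.0.113.7 spi 0x55ace81c auth hmac-sha1 enc aes-256'

# Demo on the sample; on the gateway use:  ipsecctl -sa | check_peer w8.w8.w8.w8
printf '%s\n' "$SAMPLE" | check_peer 203.0.113.7 && echo "tunnel with 203.0.113.7 is complete"
```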



:: Configure the win8 host ::

Windows 8 host : dynamic IP address provided by the ISP (w8.w8.w8.w8)

IP address (ikev2) :


Import certificates


Use mmc / Certificates snap-in (computer account) / import ca.pfx into "Trusted Root Certification Authorities"

Use mmc / Certificates snap-in (computer account) / import windows.pfx into "Personal"


Create the VPN connection


IP (destination) :

Type : IKEv2 / no EAP / machine certificate only (check it !)

Configure IPv4 to


Tested with Microsoft Windows 7 & 8

Enjoy! ;-)


Thanks to the mailing list

Especially : Mike Belopuhov and Pavel Shvagirev


© Copyright 2013

contact : wesley [at] mouedine [dot] net