# $OpenBSD: iked.conf,v 1.3 2023/03/06 13:57:45 sthen Exp $
#
# See iked.conf(5) for syntax and examples.

# Configure users for the Extensible Authentication Protocol (EAP)
#user "user1" "password123"
#user "user2" "password456"

# Configuration for clients connecting with EAP authentication
# and sending all traffic over the IKEv2 tunnel.
#
# EAP requires a server certificate; see ikectl(8) for more details
# on generating this with an iked-specific local CA.
#
#ikev2 "eapclient" passive esp \
#	from any to dynamic \
#	local any peer any \
#	eap "mschap-v2" \
#	config address 10.2.0.0/24 \
#	config name-server 10.1.0.2 \
#	tag "$name-$id"

# Configuration for a client authenticating with a pre-shared key,
# mostly useful for LAN-to-LAN tunnels between static IP endpoints.
#
# For iked->iked tunnels you can use a simple config using public
# keys instead - omit psk and copy /etc/iked/local.pub on each side to
# /etc/iked/pubkeys/ipv4/<address> on the other.
#
#ikev2 esp \
#	from 10.3.0.0/24 to 10.1.0.0/24 \
#	from 10.5.0.0/24 to 10.1.0.0/24 \
#	from 10.5.0.0/24 to 172.16.1.0/24 \
#	local 192.168.1.1 peer 192.168.2.1 \
#	psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me"