On Wed, Apr 08, 2026 at 06:45:14PM +0300, Alex Mihajlov wrote:
> Hello.
> I have a wonderful OpenBSD server running iked,
> which accepts VPN connections from the internet
> with MSCHAP-V2 authentication from various Windows-clients,
> Linux, and Android. The client is given a ca.crt file,
> login, password, and server address—and everything works fine.
>
> But I have an OpenBSD laptop that I also want
> to connect to this iked server from,
> and I don't understand how to do this.
> The FAQ describes the OpenBSD client as a roadwarrior,
> using RSA certificates, but it's unclear
> how to configure iked as a client with MSCHAP-V2.
> Configuring two policies that accept all connections
> from the internet and authenticate either via
> RSA or MSCHAP-V2 also seems impossible.
>
> What's the correct way to do this in my case?
>
We don't support mschapv2 as a client. It really mostly exists for Windows client support since they don't offer much else. For every other client I would recommend using public key authentication or PSK if you trust all clients. Certs are also an option but the initial configuration is a little more complicated.

