
ipsecadm + isakmpd



I've been working on getting x509 authentication working between two
obsd boxes (one is a road warrior). I've checked the archives, etc.
Nothing seems to be relevant.

Anywho - here's a question. Why is it that I get the following...

  # ipsecadm flow -addr 0.0.0.0/0 192.168.145.128/29 -in -require
  # echo $?
  0
  # ipsecadm flow -addr 192.168.145.128/29 0.0.0.0/0 -out -aquire
  ipsecadm: Unknown, invalid, or duplicated option: -aquire
  # echo $?
  1

Strange. Maybe I'm used to 3.1 behavior (?).

Anyways - I've tried to configure it using "-use" instead of
"-require" or "-aquire" and that seems to work (i.e. no errors
generated by the commands).

Still, I've yet to get an ESP tunnel up. So my question is: is the
x509 authentication, that presumably happens between the road warrior
and gateway hosts' isakmp daemons, happening over ESP or just over
500/udp?

On the client, I've configured the following...

  # ipsecadm flow -addr 0.0.0.0/0 192.168.145.128/29 -out \
    -require -dst 192.168.145.129   # Gateway's IP
  # ipsecadm flow -addr 192.168.145.128/29 0.0.0.0/0 -in \
    -require -dst 192.168.145.129

I guess I'm still kinda trying to figure out how the tunnels are built
(on demand from the first packet going towards that network, or
automatically once isakmpd is started on the road warrior side).

Thanks for any help - email me offline if this deserves to be there.
This is all going into a comprehensive document that I will make
public in hopes of getting a step-by-step guide up for connecting various
OSes to isakmpd on OpenBSD.

-#0
