2011/4/15 Reyk Floeter <r...@openbsd.org>:
> Short answer: Yes, it works.

Yes, it does. But...

> See also:
> http://www.allard.nu/openbsd/maillist/archive/200608/1331.html

See also: http://old.nabble.com/isakmpd---get-CRLs-to-work-td30629580.html

That basically means if you're using X.509 PKI and someone compromises one of your certificates, simple revocation (and updating the CRLs properly) won't work - the kicked client can just reconnect back. I've tested that once again on 4.8-release and even when both isakmpds load the newest CRL, the revoked client is allowed in anyway, creates flows and happily communicates.

That patch raises a lot of XXXs because I simply needed a quick fix and don't really understand much of the way that part of isakmpd is written. But none of the developers seemed to care about this so far, so I guess nobody uses it anyway :-)

So, if your client is just one bank, use RSA keys. It's also easier to configure. But I think people with lots of clients should be aware of this bug (or does the revocation actually work for anyone?)

> Note that iked(8) doesn't support this type of configuration yet. It
> does understand the acquire/require messages from the kernel but
> currently requires to have an active flow from an initial IKEv2
> handshake. It is on our TODO list ;-).

iked(8) and certificate revocation work just fine.

--
Martin Pelikan