Hello, I'm trying to do roadwarrior VPN between OSX (mobile) and OpenBSD (gateway) using certificates for peer identification. Is it possible to list a UFQDN as a peer? When I try something like this on the gateway:
    ike passive from any to any peer u...@host.tld \
        main auth hmac-sha1 enc aes group modp2048 \
        quick auth hmac-sha2-256 enc blowfish \
        psk "super secret string"

ipsecctl complains of a syntax error. If anyone has a link to an ipsec.conf that has an example of using UFQDNs to identify peers I would be eternally grateful. It seems nearly every example just uses PSK alone, or if a certificate is used it's by hostname.

PS If I place the trusted certificates in /etc/isakmp/pubkeys/ufqdn do they absolutely have to have subjectAlternateName, or is having the email address in the CN sufficient (CN=u...@host.tld/emailAddress=u...@host.tld)?

Any tips are immensely appreciated.

-- chort
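An added example, not from the original post, of how an OpenBSD ipsec.conf(5) roadwarrior rule carries the peer identity in srcid/dstid (a string containing "@" is treated as a UFQDN), keeping the proposal lines from the post; the network, the gateway name and the client address are placeholders:

```conf
# Added example (not from the post). Placeholder values:
#   192.0.2.0/24          network behind the gateway
#   gw.example.org        gateway's own FQDN identity
#   roadwarrior@example.org  mobile client's UFQDN identity
# The identity goes in dstid; "peer" takes an IP address and is left out
# so a client with a changing address can initiate. No psk line: with
# certificate authentication isakmpd selects the credential by identity.
ike passive esp from 192.0.2.0/24 to any \
    main auth hmac-sha1 enc aes group modp2048 \
    quick auth hmac-sha2-256 enc blowfish \
    srcid gw.example.org \
    dstid roadwarrior@example.org
```

Check the result with `ipsecctl -n -f /etc/ipsec.conf` before loading it, so a grammar problem is reported without touching the running SAD/SPD.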