Hi, I'm trying to set up an isakmpd VPN using x509 keys between two OpenBSD 3.8 boxes.

To start with, I followed the instructions at http://www.openbsdsupport.org/vpn-ipsec.html to set up an initial VPN using pre-shared secrets. This works fine. Now, I want to switch over to x509 keys. Googling for this next step points me in various directions, which ultimately lead me back to http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8 ;-)

I create my CA, which gives me a .crt and a .key. The .key I keep very safe, and the .crt I put in /etc/isakmpd/ca/ on all the peers. So far, so good. Then I create CSR/KEYs for the peers and get the CSR signed by the CA to give me a cert. This, in theory, I understand. However:

1) The man page for isakmpd says "The CSRs are signed with a pre-generated private key. By default, the system startup script rc(8) generates a key-pair when starting..." Why? Why are the peer CSRs signed with the pre-generated private key? I would have thought that getting the CA to sign them would be OK. After all, if all the peers trust the CA, then any certificate signed by the CA should be trusted. What's wrong with my logic?

2) Just to confirm... (Assume I have peer1 and peer2.) I create a cert for peer1 and put it in /etc/isakmpd/certs/ on peer1. There is no need to copy it to peer2 (because the cert is signed by the CA, and the CA is trusted by both peers). Correct?

Thanks,
GTG

PS I didn't post a dmesg as I didn't think it was necessary.
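An added example, not part of the original post, that walks the CA / CSR / certificate steps described above with openssl(1) in a throwaway directory and then runs the check a peer holding only the CA certificate would: the two roles of the keys (the peer's pre-generated key signs the CSR, the CA's key issues the certificate) are shown side by side, and a certificate the peer signed itself is verified against the same CA to show it is rejected. It assumes openssl(1) is installed; the file names are constructed and only mirror the /etc/isakmpd/ca/ and /etc/isakmpd/certs/ layout from the post.

```shell
#!/bin/sh
# Added example (not from the original post): tiny CA, peer CSR made from a
# pre-existing peer key, CA-issued cert, and the chain check the other peer
# performs.  Everything lives in a temporary directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA: ca.key stays offline; only ca.crt is copied to /etc/isakmpd/ca/ on peers.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example-vpn-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Peer key: stands in for the key-pair the startup script pre-generates.
make_peer_key() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
}

# A CSR "signed with the pre-generated private key" is a proof of possession
# of $1.key; it is not a certificate and no peer trusts it by itself.
make_csr() {
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" \
        -out "$WORK/$1.csr" 2>/dev/null
}

# Only the CA key turns the CSR into the cert that goes in /etc/isakmpd/certs/.
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# What the remote peer does: trust ca.crt and verify the cert it is handed.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Negative case: a cert the peer signed with its own key, verified against the CA.
selfsigned_peer_cert() {
    openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$1" -days 365 \
        -out "$WORK/$1-self.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1-self.crt" >/dev/null 2>&1
}

make_ca; make_peer_key peer1; make_csr peer1; sign_csr peer1
verify_cert peer1 && echo "peer1.crt chains to the CA: OK"
selfsigned_peer_cert peer1 || echo "peer1-self.crt rejected: not issued by the CA"
```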