I have created certificates in accordance with the isakmpd man page:
# env CERTIP=10.0.0.1 openssl x509 -req \
-days 365 -in 10.0.0.1.csr \
-CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
-CAcreateserial -extfile /etc/ssl/x509v3.cnf \
-extensions x509v3_IPAddr -out 10.0.0.1.crt
But in the certificate there is no 10.0.0.1 IP address; instead there is:
openssl x509 -in /etc/isakmpd/certs/10.0.0.1.crt -text
.....something.....
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:0.0.0.0
....something else....
So the 10.0.0.1 defined by env CERTIP=10.0.0.1 is not here. That is
because 0.0.0.0 is defined in /etc/ssl/x509v3.cnf:
# default settings
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign,cRLSign
EXTCERTUSAGE = serverAuth,clientAuth
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain
The value of CERTIP in x509v3.cnf is important. We can change the value in
/etc/ssl/x509v3.cnf and put CERTIP = 10.0.0.1 (i.e. our IP address).
But then the procedure mentioned in the man page is not correct.
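The check a practitioner would want after the procedure above, as an added example (not code from the original post): the same signing command run against a config laid out like the quoted x509v3.cnf, once with CERTIP exported and once without, reading the Subject Alternative Name back from the issued certificate instead of assuming it. The config, CA, CSR and paths are constructed for the demo; it assumes an openssl binary is available.

```shell
# Added example, not from the original post: rerun the quoted procedure
# against a config laid out like x509v3.cnf and read the SAN back.
# Assumes a working openssl binary; every file here is constructed.
#
# issue_and_check_san [IP]
# Signs a CSR with the x509v3_IPAddr section, with CERTIP=IP exported
# when IP is given and CERTIP unset otherwise, and prints the IP found
# in the issued certificate's Subject Alternative Name.
issue_and_check_san() {
    dir=$(mktemp -d) || return 1
    unset CERTIP    # only the setting passed to this function counts
    # Constructed config modelled on the quoted x509v3.cnf: the top-level
    # "default settings" are what $ENV::CERTIP falls back to when no
    # CERTIP is exported, which is where 0.0.0.0 comes from.
    cat > "$dir/x509v3.cnf" <<'EOF'
# default settings
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign,cRLSign
EXTCERTUSAGE = serverAuth,clientAuth
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain

[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder

[ x509v3_IPAddr ]
subjectAltName=IP:$ENV::CERTIP
extendedKeyUsage=$ENV::EXTCERTUSAGE
EOF
    # Throwaway CA and a CSR for the gateway (both constructed here).
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -config "$dir/x509v3.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=10.0.0.1" \
        -config "$dir/x509v3.cnf" -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    # Same signing command as the man page procedure; ${1:+CERTIP=$1}
    # expands to nothing when no IP was passed, so env runs openssl as is.
    env ${1:+CERTIP=$1} openssl x509 -req -days 1 -in "$dir/host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/x509v3.cnf" -extensions x509v3_IPAddr \
        -out "$dir/host.crt" 2>/dev/null
    # The check: read the SAN back from the certificate that was issued.
    openssl x509 -in "$dir/host.crt" -noout -text |
        sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p'
    rm -rf "$dir"
}
```

Run `issue_and_check_san 10.0.0.1` and then `issue_and_check_san` with no argument to compare what the SAN carries in each case.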