> On May 7, 2017, at 2:10 PM, Steve Shockley <steve.shock...@shockley.net> wrote:
>
> I'm trying to get IPsec set up in transport mode using isakmpd, between
> OpenBSD 6.0, Windows 2008R2+, and i5/OS 7.1. I've already gotten everything
> working using PSK, but I'd like to use certificates.
>
> I've created a certificate from our CA for each machine. I've put the CA
> root chain in /etc/isakmpd/ca, the local machine's private key in
> private/local.key, the local machine's cert in certs/[ip addr].crt, and the
> remote machine's cert in certs/[ip addr].crt. The certificates have a
> subject of CN=hostname.domain.com, and a SAN with DNS=hostname.domain.com,
> DNS=[ip addr], IP=[ip addr].
>
> I'm thinking that I'm just putting the certs in the wrong place. I've run
> isakmpd with -D A=99, which is confusing because it appears to still be
> looking in /etc/isakmpd/keynote despite using -K.
>
> Has anyone else used isakmpd with certificates signed by a non-dedicated CA,
> or see anything I'm likely doing wrong here? Thanks.
>
> Current uncommented lines in ipsec.conf:
>
> ike esp transport from a.b.c.d to d.b.c.a \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des group none
> ike esp transport from d.b.c.a to a.b.c.d \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des group none

Steve,

Have you tried using the DNS names in your ipsec.conf, and in the filenames in the /etc/isakmpd/certs directory? Generally, certificates are applied against the DNS name for servers, rather than the IP address. Maybe a bug in isakmpd or one of the other hosts that doesn't handle IP addresses in the SAN field correctly, since it's such a rare usage?

--Paul
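One way to write Paul's suggestion down in ipsec.conf, as an added example that is not from either poster: the same transport-mode rule keyed by FQDN identities (srcid/dstid) rather than bare addresses. The host names and addresses are placeholders; the transforms are chosen here and are not the ones from the original config.

```conf
# Added example, not part of the thread. Shows the rule as seen from the
# OpenBSD host; on the peer the addresses and IDs are swapped.
#
# isakmpd still loads the files from the directories named in the thread:
#   /etc/isakmpd/ca/                 CA chain
#   /etc/isakmpd/private/local.key   this host's private key
#   /etc/isakmpd/certs/              this host's and the peer's certificates
# The srcid/dstid values are matched against the subjectAltName of the
# certificates, so each name below must be present as a DNS SAN in its cert.

local_ip = "192.0.2.10"       # placeholder address of this host
peer_ip  = "198.51.100.20"    # placeholder address of the peer

ike esp transport from $local_ip to $peer_ip \
        main  auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group none \
        srcid "bsdhost.example.com" dstid "peerhost.example.com"
```

Check the file parses before loading it with `ipsecctl -n -f /etc/ipsec.conf`.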