Hello & thanx for the swift reply

Now I've read through the isakmpd.conf and keynote manpages, but, honestly, I still don't know how to get this working.

Here's the isakmpd.conf I came up with:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" && doi == "ipsec" -> "true";

KeyNote-Version: 2
Authorizer: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: remote_id_type == "ASN1 DN" && remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";

The last assertion is to be repeated for every allowed client with the corresponding subject.

Additionally, I removed the reference to the client in ipsec.conf:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain

But still, no joy.

Just to make sure that I don't head off in the wrong direction: Is this basically how it's supposed to work? And could I additionally still use the dstid USER_FQDN in ipsec.conf? Because I'd very much like to tag the packets from each user-session and have user-based rules in pf.conf.

thx
/markus

Hans-Joerg Hoexer wrote:
> Hi,
>
> the Subject Alternative Name of your certificate will be used as phase 2
> IDs, i.e. that's what is sent. If you want to use the Subject Canonical
> Name, you have to additionally provide an isakmpd.policy file and you have
> to run isakmpd without the "-K" option. See isakmpd.policy(5).
>
> On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
>> Hi all
>>
>> I'm setting up an OBSD 4.1 ipsec gateway, against which users will
>> authenticate using x509 certificates. They all use personal certificates
>> (key usage: digSig), which contain their user name and Email in the
>> subject. I need to authenticate them by the whole subject, but can't
>> seem to find out how.
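Since the reply points at isakmpd.policy(5), the following is an added illustration (not part of the thread and not the poster's file) of the shape an isakmpd.policy takes when the organisation's CA is the only trusted licensee and the policy is then narrowed to named certificate subjects. The CA and user DNs reuse the placeholders from the message with constructed e-mail addresses substituted for the scrubbed ones; the assumption that isakmpd presents the peer's subject as remote_id in slash-separated form is mine and should be checked against isakmpd's debug output before relying on it.

```text
# /etc/isakmpd/isakmpd.policy  (added illustration, constructed values)
#
# As isakmpd.policy(5) describes, every X.509 certificate the peer sends is
# turned into a KeyNote credential whose Authorizer is the issuer DN and whose
# Licensee is the subject DN, so the chain evaluated is
#   POLICY -> CA subject -> user certificate subject.
# Only the root assertion below is needed; no per-user assertion is written
# by hand.  The remote_id conditions are what restrict the chain to the
# listed subjects.  Run isakmpd without -K so that this file is consulted.
KeyNote-Version: 2
Comment: Root policy: trust the organisation's CA, but only for IPsec
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" &&
            esp_present == "yes" &&
            remote_id_type == "ASN1 DN" &&
            ( remote_id == "/C=CH/CN=John Doe/emailAddress=user1@example.org/O=My Org" ||
              remote_id == "/C=CH/CN=Jane Roe/emailAddress=user2@example.org/O=My Org" )
            -> "true";
```

Because the CA-to-subject credential is derived from the presented certificate rather than typed into the file, a user whose certificate is not signed by the listed CA never reaches the remote_id comparison, and a user whose certificate is signed by it but whose subject is not listed is refused by that comparison; both failures show up in the debug output as the assertion evaluating to "false".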