s/isakmpd.conf/isakmpd.policy/g typo /m
Markus Wernig wrote:
> Hello & thanx for the swift reply
>
> Now I've read through the isakmpd.conf and keynote manpages, but,
> honestly, I still don't know how to get this working.
>
> Here's the isakmpd.conf I came up with:
>
> KeyNote-Version: 2
> Authorizer: "POLICY"
> Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
> Conditions: app_domain == "IPsec policy" &&
>             doi == "ipsec" -> "true";
>
> KeyNote-Version: 2
> Authorizer: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
> Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
> Conditions: remote_id_type == "ASN1 DN" &&
>             remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";
>
> The last assertion is to be repeated for every allowed client with the
> according subject.
>
> Additionally, I removed the reference to the client in ipsec.conf:
>
> ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
> ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain
>
> But still, no joy.
>
> Just to make sure that I don't head off in the wrong direction: Is this
> basically how it's supposed to work? And could I additionally still use
> the dstid USER_FQDN in ipsec.conf? Because I'd very much like to tag the
> packets from each user session and have user-based rules in pf.conf.
>
> thx /markus
>
> Hans-Joerg Hoexer wrote:
>> Hi,
>>
>> the Subject Alternative Name of your certificate will be used as phase 2
>> IDs, i.e. that's what is sent. If you want to use the Subject Canonical
>> Name, you have to additionally provide an isakmpd.policy file and you have
>> to run isakmpd without the "-K" option. See isakmpd.policy(5).
>>
>> On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
>>> Hi all
>>>
>>> I'm setting up an OBSD 4.1 ipsec gateway, against which users will
>>> authenticate using x509 certificates. They all use personal certificates
>>> (key usage: digSig), which contain their user name and Email in the
>>> subject. I need to authenticate them by the whole subject, but can't
>>> seem to find out how.
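An added example, not from anyone in this thread, of one way to generate the isakmpd.policy that the quoted mail is trying to build: a single POLICY assertion that licenses the CA and restricts access to an explicit list of client subject DNs via remote_id. It assumes the clients present their subject as an "ASN1 DN" Phase 1 ID, that OpenSSL's `-nameopt compat` one-line form (/C=../O=../CN=..) matches the DN string isakmpd compares against, and that the field names follow isakmpd.policy(5)/KeyNote (Authorizer, not Authenticator); the script name and layout are the example's own.

```shell
#!/bin/sh
# gen-policy.sh (hypothetical name): emit an isakmpd.policy from a CA cert and
# the certs of the clients that are allowed in. Anything signed by the CA but
# not listed is refused, because the only path from POLICY to the peer runs
# through the remote_id check. As noted in the thread, isakmpd must run
# without -K for the policy file to be consulted at all.

# One-line subject DN of a PEM certificate, e.g. /C=CH/O=My Org/CN=John Doe.
# Assumption: "-nameopt compat" yields the same string isakmpd uses for remote_id.
cert_subject_dn() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# Read allowed subject DNs from stdin (one per line) and build the
# remote_id == "..." || remote_id == "..." disjunction.
allowed_clients_clause() {
    clause=""
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        [ -n "$clause" ] && clause="$clause || "
        clause="${clause}remote_id == \"$dn\""
    done
    printf '%s' "$clause"
}

# Emit the POLICY assertion: trust certificates issued by the CA ($1),
# but only when the peer's ID is one of the DNs read from stdin.
isakmpd_policy() {
    ca_dn=$1
    printf 'KeyNote-Version: 2\n'
    printf 'Authorizer: "POLICY"\n'
    printf 'Licensees: "DN:%s"\n' "$ca_dn"
    printf 'Conditions: app_domain == "IPsec policy" && doi == "ipsec" &&\n'
    printf '            remote_id_type == "ASN1 DN" &&\n'
    printf '            (%s) -> "true";\n' "$(allowed_clients_clause)"
}

# Usage: sh gen-policy.sh ca.pem client1.pem client2.pem ... > isakmpd.policy
if [ $# -ge 2 ]; then
    ca_dn=$(cert_subject_dn "$1"); shift
    for f in "$@"; do cert_subject_dn "$f"; done | isakmpd_policy "$ca_dn"
fi
```

Review the generated file with the exact DN strings from the clients' certificates; a single differing attribute order or spacing in remote_id is enough to make the assertion evaluate to false.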