Hello Stuart,

> On 2008/04/27 14:18, Marten Rizwan wrote:
> > Hello ports@,
>
> this isn't exactly ports@ material...CC'd/reply-to set to misc.

I apologize for sending this to ports@, my mistake.

> > I'm a happy user of sane OpenBSD IPsec. There is one thing that
> > I haven't been able to figure out yet though. I want to simultaneously
> > connect to two IPsec servers, both of which are OpenBSD boxes and
> > both of them use X509 certificates. These two servers are managed
> > by different administrators and are absolutely unrelated. Hence,
> > their X509 certs are created with different CAs. In both cases, I
> > haven't been given the opportunity to provide my own CSR for them to
> > generate my certificate. Hence, I'm given two pairs of keys/certs,
> > one for each server. Basically, the two CSRs are signed using two
> > different private keys. What this means to me is that I need to
> > have two separate /etc/isakmpd/private/local.key files, one for each server.
> > I believe that /etc/isakmpd/private/local.key is glued into isakmpd
> > and I have no way of specifying a separate local.key for each server
> > I'm connecting to. Am I missing something? By the way, I obviously
> > use ipsecctl(8) to configure IPsec.
> >
> > Thanks in advance.
>
> I haven't tried this, and it's not in the manual as far as I can
> see, but it looks like isakmpd looks in files named after the
> identity of the local peer (i.e. srcid) before it tries local.key.
> If you get it working, let me know the details and I'll try and
> come up with something for the manual...
Great idea, I just systraced isakmpd and it does look for the srcid of the local peer, which in my case is the FQDN. Notice that if your FQDN is for example level1.blah.org, the key should be placed as "/etc/isakmpd/private/level1.blah.org" *without* the .key extension. Here is the relevant part from systrace:

native-fsread: filename eq "/etc/isakmpd/private/level1.blah.org" then permit
native-fsread: filename eq "/etc/isakmpd/private/local.key" then permit
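As an added example (not part of the thread, and not from the OpenBSD tree), the following script applies the lookup order seen in the systrace output above to a list of srcids: for each peer configuration it reports which private-key file isakmpd would pick (the srcid-named file first, then local.key) and whether that file is readable by anyone other than its owner. The lookup order is assumed to be exactly the one observed above; the directory is a parameter so it can be pointed at a test copy instead of /etc/isakmpd/private.

```shell
#!/bin/sh
# Added example: audit which isakmpd private key is used per srcid.
# Assumption: isakmpd tries <dir>/<srcid> before <dir>/local.key,
# as observed in the systrace output in the thread.

# isakmpd_key_for SRCID [DIR]
# Print the key path isakmpd would use for SRCID, or fail if none exists.
isakmpd_key_for() {
    srcid=$1
    dir=${2:-/etc/isakmpd/private}
    if [ -f "$dir/$srcid" ]; then
        printf '%s\n' "$dir/$srcid"
    elif [ -f "$dir/local.key" ]; then
        printf '%s\n' "$dir/local.key"
    else
        return 1
    fi
}

# key_mode_ok FILE
# Succeed only if group and other have no permission bits at all;
# parses ls(1) output so it works on both BSD and GNU userlands.
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# audit_private_dir DIR SRCID...
# One line per srcid; exit status is non-zero if any key is missing or weak.
audit_private_dir() {
    dir=$1; shift
    status=0
    for srcid in "$@"; do
        if key=$(isakmpd_key_for "$srcid" "$dir"); then
            if key_mode_ok "$key"; then
                printf '%s -> %s [OK]\n' "$srcid" "$key"
            else
                printf '%s -> %s [WEAK MODE]\n' "$srcid" "$key"
                status=1
            fi
        else
            printf '%s -> MISSING (no %s/%s and no %s/local.key)\n' \
                "$srcid" "$dir" "$srcid" "$dir"
            status=1
        fi
    done
    return $status
}

# Usage: sh audit.sh peer1.fqdn peer2.fqdn ...  (runs only when srcids given)
if [ $# -gt 0 ] && [ -d /etc/isakmpd/private ]; then
    audit_private_dir /etc/isakmpd/private "$@"
fi
```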