Hi Eric,

On Fri, 13.03.2009 at 19:16:32 +0100, Eric Belhomme <eric.belho...@eve-team.com> wrote:

> - copying my host private key on /etc/isakmpd/private/local.key
> - copying my host public key on /etc/isakmpd/keynote/<my FQDN>/credentials

I was so far unable to get this keynote-credentials stuff working. Therefore I set up X.509 authentication like this:

With the X.509 cert consisting of the two parts cert.crt and cert.key, I place the cert.key file in /etc/isakmpd/private and the cert.crt file in /etc/isakmpd/certs. The cert has to be issued by a CA, a cert of which is present in /etc/isakmpd/ca, and the names of the files have to correspond to the value of the SubjectAlternativeName section, which I mention in my isakmpd.conf and isakmpd.policy files.

> The thing I can't figure is HOW the x509 certificates are handled,
> because I'm not sure I did the right things :

On OpenBSD, you can watch the negotiation using this command (assuming that fxp0 is your Internet-facing NIC):

    # tcpdump -s1500 -vvv -ni fxp0 host <your_peer> and \( port 500 or port 4500 or esp \)

Kind regards,
--Toni++
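The file layout described in the reply above (key under private/, host cert under certs/, issuing CA under ca/, file names matching the SubjectAltName) is easy to get subtly wrong, and isakmpd's failure mode is just a silent authentication failure in the negotiation. The script below is an added example, not code from the thread or from isakmpd: it checks such a layout with openssl before a peer ever sees it. The directory root, the naming convention `certs/<FQDN>.crt` and `private/<FQDN>.key`, and the constructed throwaway CA used for the demo are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check an
# isakmpd-style X.509 layout under $root, which mirrors /etc/isakmpd.
set -eu

# Build a throwaway CA and host cert so the check can be run offline.
# Constructed fixture only; real installs point check_layout at /etc/isakmpd.
make_fixture() {
    root=$1; fqdn=$2
    mkdir -p "$root/ca" "$root/certs" "$root/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$root/ca.key" -out "$root/ca/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$root/private/$fqdn.key" -out "$root/host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$root/san.ext"
    openssl x509 -req -in "$root/host.csr" -CA "$root/ca/ca.crt" -CAkey "$root/ca.key" \
        -set_serial 1 -days 1 -extfile "$root/san.ext" \
        -out "$root/certs/$fqdn.crt" >/dev/null 2>&1
    chmod 600 "$root/private/$fqdn.key"
}

# check_layout ROOT FQDN: returns 0 if the layout is consistent, 1 otherwise,
# printing the first problem found. The four checks mirror what the peer
# (or a careless operator) will trip over during IKE authentication.
check_layout() {
    root=$1; fqdn=$2
    crt="$root/certs/$fqdn.crt"; key="$root/private/$fqdn.key"
    bundle="$root/ca-bundle.tmp"

    [ -f "$crt" ] && [ -f "$key" ] || { echo "missing cert or key for $fqdn"; return 1; }

    # 1. The host cert must chain to a CA whose cert lives in ROOT/ca.
    cat "$root"/ca/* > "$bundle"
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 \
        || { echo "cert is not signed by a CA in $root/ca"; rm -f "$bundle"; return 1; }
    rm -f "$bundle"

    # 2. The private key must belong to this cert (compare public keys).
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "private key does not match $crt"; return 1; }

    # 3. The SubjectAltName must carry the FQDN the files are named after.
    openssl x509 -in "$crt" -noout -text | grep -Fq "DNS:$fqdn" \
        || { echo "SubjectAltName of $crt does not contain DNS:$fqdn"; return 1; }

    # 4. The private key must not be group- or world-readable.
    [ -z "$(find "$key" \( -perm -004 -o -perm -040 \) -print)" ] \
        || { echo "$key is readable by group or others"; return 1; }

    echo "layout for $fqdn looks consistent"
    return 0
}

# Usage: sh check_isakmpd_x509.sh /etc/isakmpd host.example.org
if [ $# -eq 2 ]; then
    check_layout "$1" "$2"
fi
```

Checks 1 to 3 are what the remote peer effectively performs when it validates your certificate against its own ca/ directory and the ID you present; check 4 is the local hygiene point, since isakmpd reads the key as root and nothing else on the host should be able to.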