Hi, I hope someone on-list can give me a few helpful pointers in the right direction.
I've set up certs as per the "X509 AUTHENTICATION" section of the isakmpd man page. However, it is a bit unclear as to what I need to put in ipsec.conf to make this work. I've tried a bit of Google trawling, however the examples I come up with seem to relate to older OpenBSD implementations where hacking of isakmpd.conf was part of the process, even for psk (e.g. back in the late 3.x days).

I've set up a FQDN cert and have tried changing the config as below:

    #ROAD WARRIOR
    ike passive from 10.1.2.3 to 10.9.8.0/24 \
            peer any \
            main auth hmac-sha2-256 enc aes-256 group modp2048 \
            quick auth hmac-sha2-256 enc aes-256 \
            srcid 192.168.111.1 dstid certificate.fqdn.name.here \
            tag RoadRunner

However I've got a feeling I've probably missed a whole lot of config somewhere! If anyone has some working examples that would be fantastic, otherwise a few pointers in the right direction would be just fine.

Thanks!
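For readers landing on this thread: the following is an added, illustrative ipsec.conf fragment for certificate-based road-warrior authentication, not the poster's configuration and not taken from the OpenBSD man pages verbatim. It assumes the gateway's certificate carries the subjectAltName DNS:gw.example.com, that the private key lives in /etc/isakmpd/private/local.key, the gateway certificate in /etc/isakmpd/certs/, and the issuing CA certificate in /etc/isakmpd/ca/ (the layout the "X509 AUTHENTICATION" section of isakmpd(8) describes); 192.0.2.1 and 10.1.2.0/24 are placeholder addresses.

```conf
# /etc/ipsec.conf (added example; addresses and names are placeholders)
#
# Road-warrior rule with X.509 authentication:
#  - "passive": the gateway only responds, it never initiates.
#  - "peer any": accept the IKE exchange from any source address.
#  - no "psk" keyword: isakmpd then authenticates with RSA signatures,
#    i.e. the certificates in /etc/isakmpd/certs and the key in
#    /etc/isakmpd/private/local.key.
#  - "srcid" must match a subjectAltName in the gateway's own cert
#    (here an FQDN), otherwise isakmpd cannot find a cert to present.
#  - "dstid" is deliberately omitted: any peer whose certificate chains
#    to a CA in /etc/isakmpd/ca is accepted, so that directory must
#    contain only the CA that issues your road-warrior certs.
ike passive esp from 10.1.2.0/24 to any \
        local 192.0.2.1 peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 \
        srcid gw.example.com \
        tag RoadRunner
```

Before loading it, `ipsecctl -n -f /etc/ipsec.conf` parses the file without installing anything, which catches keyword-order mistakes; after loading, `ipsecctl -sa` shows which SAs actually came up. If a client is rejected, running isakmpd in the foreground with debugging (`isakmpd -d -DA=50`) prints whether it failed to locate a local certificate for the srcid or failed to validate the peer's chain, which are the two most common causes when moving from psk to certificates.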