Hi Stu,

On Sun, Dec 04, 2011 at 11:24:24AM +0000, Stuart Henderson wrote:
> I don't see any code changes that would result in a different presentation
> order of certificates between 4.8 and 5.0..
> 
> tcpdump traces of the negotiation from 4.8 and 5.0 might be useful, as might
> logs from the 3rd party and maybe isakmpd, though I'll be the first to admit
> isakmpd logging is pretty impenetrable; I find setting this on the command
> line gives a fairly good balance of information:

thank you for your statement.

Currently, the problem looks as follows:

If isakmpd is configured to use

[X509-Certificates]
Private-key-directory=  /etc/isakmpd/private


the documentation suggests that it will select one out of a set of keys
to use, depending on the actual configuration of the connections.

This does not seem to work with road warrior connections (=
Passive-Connections). In that case, the road warrior seems to get no
certificate, then decides that it's unsafe to connect to the gateway.
The desired behaviour is to ship the certificate which is appropriate
for this connection (it's configured as the local-id for those
connections, so...).

Specifying "Private-key = somefile.key" fixes this problem, but removes
the option to use several keys, which is bad.

There's another unresolved issue in this area, which I don't yet have
enough data to fathom.


Kind regards,
--Toni++
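Before chasing the negotiation with tcpdump, a practitioner would first want to confirm that every key under the Private-key-directory actually has a certificate to go with it, since a key with no certificate is one way to end up sending none. The shell script below is added here as an example; it is not part of this thread and not isakmpd code. It pairs key files with certificate files by comparing the public key each one carries (via openssl), and the directory layout, file names and the demo's self-signed certificates are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not isakmpd code): for each private key
# in KEYDIR, find the certificate in CERTDIR that carries the same public key,
# so a key that could never be presented with a certificate stands out.
# Directory layout and file names are assumptions.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# SHA-256 of the DER-encoded public key inside a private key file.
pubkey_digest_of_key() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key inside a certificate.
pubkey_digest_of_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the certificate file in CERTDIR that matches KEYFILE;
# return 1 when no certificate matches (or KEYFILE is not a key).
cert_for_key() {
    keyfile=$1; certdir=$2
    want=$(pubkey_digest_of_key "$keyfile") || return 1
    for cert in "$certdir"/*; do
        [ -f "$cert" ] || continue
        if [ "$(pubkey_digest_of_cert "$cert")" = "$want" ]; then
            printf '%s\n' "$cert"
            return 0
        fi
    done
    return 1
}

# Report every key in KEYDIR with its matching certificate and subject;
# return 1 if at least one key has no certificate.
match_keys() {
    keydir=$1; certdir=$2; rc=0
    for key in "$keydir"/*; do
        [ -f "$key" ] || continue
        if cert=$(cert_for_key "$key" "$certdir"); then
            printf '%s -> %s [%s]\n' "$key" "$cert" \
                "$(openssl x509 -in "$cert" -noout -subject)"
        else
            printf '%s -> NO matching certificate\n' "$key"
            rc=1
        fi
    done
    return $rc
}

# Usage (paths assumed): sh check_keys.sh /etc/isakmpd/private /etc/isakmpd/certs
if [ "$#" -eq 2 ]; then
    match_keys "$1" "$2"
fi
```

The subject printed beside each pair is what to compare against the local-id configured for the passive connections; a key that reports no certificate, or a certificate whose subject does not correspond to any local-id, narrows the problem to the file layout rather than to the daemon's selection logic.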
