Hi! I have read isakmpd(8), isakmpd.conf(5) and isakmpd.policy(5) carefully, but I don't fully understand how to set up isakmpd correctly to work with X509 certificates.

isakmpd(8) says that client certificates must be put in /etc/isakmpd/certs. Why would isakmpd need those certificates? I think the CA should be sufficient to check that the certificate presented by the other peer is correct. Here is how I would set up isakmpd with X509 certificates:

- Put the CA in /etc/isakmpd/ca/.
- Modify /etc/isakmpd/isakmpd.policy with the DN of the CA in the Licensee field: this way, only certificates signed by the CA would be accepted.
- Modify /etc/isakmpd/isakmpd.conf to use ID instead of Authentication. The remote IP is left blank for phase 1. The Remote ID is left blank for phase 2: the AltSubjectName from the certificate will be used instead.

Is this correct?

Moreover, I am not sure that I have really understood what purpose the AltSubjectName serves in the certificate. From what I understand, it is the IP (or the FQDN) that will be used by the remote end of the IPsec tunnel.

With such a setup, I should be able to have as many clients as I want without copying their certs into /etc/isakmpd/certs and without altering /etc/isakmpd/isakmpd.conf to add them. Right?

If someone has a working setup of a VPN gateway that authenticates roadwarrior clients with X509 certificates without the need to add each of them to /etc/isakmpd/isakmpd.conf, I would be happy to see the configuration files.

--
printk("Illegal format on cdrom. Pester manufacturer.\n");
2.2.16 /usr/src/linux/fs/isofs/inode.c
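Added example, not part of the original post and not a configuration the poster or anyone on the list supplied: a minimal gateway-side isakmpd.conf and isakmpd.policy of the shape the question describes, with a catch-all [Phase 1] Default peer instead of one peer section per client. Both files are shown in one block, separated by comment headers. The address 192.0.2.1, the hostname gw.example.net, the 10.0.0.0/24 network, the CA DN and the key path are placeholders I made up; the section and key names, and the transform and suite names 3DES-SHA-RSA_SIG and QM-ESP-3DES-SHA-PFS-SUITE, are the ones documented in isakmpd.conf(5) and isakmpd.policy(5). It also assumes, as the question does, that leaving Remote-ID out of the passive phase 2 connection lets the identity carried by the client's certificate be used.

```ini
# --- /etc/isakmpd/isakmpd.conf (added example; addresses and names are placeholders) ---

[General]
# Public address the gateway answers IKE on (placeholder).
Listen-on=              192.0.2.1
Policy-file=            /etc/isakmpd/isakmpd.policy

[Phase 1]
# No per-address entries: any initiator not matched by an explicit
# address falls through to Default, so clients need not be listed here.
Default=                ISAKMP-roadwarrior

[Phase 2]
Passive-connections=    IPsec-roadwarrior

# Peer section with no Address, no Authentication (pre-shared key) and
# no Remote-ID: the peer proves who it is with an RSA signature over a
# certificate that must chain to the CA in CA-directory and satisfy the
# KeyNote policy below.
[ISAKMP-roadwarrior]
Phase=                  1
Configuration=          Main-mode-RSA
ID=                     Gateway-ID

[Gateway-ID]
# Identity the gateway presents; assumed to match its own certificate.
ID-type=                FQDN
Name=                   gw.example.net

[IPsec-roadwarrior]
Phase=                  2
ISAKMP-peer=            ISAKMP-roadwarrior
Configuration=          Quick-mode-PFS
Local-ID=               Net-internal
# Remote-ID intentionally omitted (see lead-in).

[Net-internal]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

[Main-mode-RSA]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
# Default transform name from isakmpd.conf(5): RSA signature authentication.
Transforms=             3DES-SHA-RSA_SIG

[Quick-mode-PFS]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE

[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
# The gateway's own certificate lives here; client certs are not copied in.
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key
Accept-self-signed=     no

# --- /etc/isakmpd/isakmpd.policy (added example; the CA DN is a placeholder) ---
# Only a credential whose issuer is this CA can satisfy the policy; a peer
# presenting any other certificate fails evaluation and the exchange is
# refused, which is what makes a per-client list unnecessary.

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=XX/O=Example/CN=Example VPN CA"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
```

The check worth doing before trusting such a setup is negative: connect with a client certificate signed by a different CA (or a self-signed one) and confirm that phase 1 fails, since the KeyNote policy, not the presence of a file in /etc/isakmpd/certs, is what decides which clients are admitted.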