Hi, I'm trying to get a VPN running that uses X.509 certificates for authentication. I have such beasts running with one CA with no problem:

CA1 -> server cert, CA1 -> client certs

works w/o any problems. Now I want to have

CA1 -> server cert, CA2 -> client certs

with CA1 distinctly different from CA2.

On the client I get an error because it seems to be unable to get the CA certificate for CA2 (referenced in the PKCS#12 file that has the client cert). Experimentation shows that after handing out the initial proposal, the client exchanges some more packets with the server, apparently requesting the CA cert for its own certificate, but doesn't get it although the server has it (in /etc/isakmpd/ca). On server startup, it also shows that it reads both CA certificates.

This is on OpenBSD 4.1 and with a huge and complex isakmpd.{conf,policy} (making it not so easy to switch to ipsec.conf). An upgrade to 4.2 could be possible if that would solve the problem.

Any ideas about what that could be, or how to cope with it?

TIA!

Best,
--Toni++
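The two-CA layout described in the post, rebuilt as a throwaway OpenSSL lab so the chain and the contents of the client's PKCS#12 can be checked on their own before looking at the IKE exchange. This is an added example, not code from the post or from isakmpd; the CA names, file names and the password `lab` are assumptions, and it says nothing about how isakmpd selects or sends a CA certificate.

```shell
#!/bin/sh
# Added example: build a two-CA lab (CA1 signs the server cert, CA2 signs
# the client cert) and check what the client's PKCS#12 actually carries.
# CA names, file names and the password "lab" are assumptions for this lab.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA certificate and key.
mk_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# End-entity certificate for $1, signed by CA $2.
issue() {  # $1 = subject name, $2 = issuing CA name
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 2 -sha256 -out "$1.crt" >/dev/null 2>&1
}

# Bundle the client key, its cert and the issuing CA cert into a PKCS#12 file.
make_p12() {  # $1 = subject name, $2 = issuing CA name
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile "$2.crt" \
    -out "$1.p12" -passout pass:lab
}

# Does certificate $1 chain to the trust anchor in $2? Prints OK or FAIL.
verify_chain() {  # $1 = cert file, $2 = CA cert file
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Subject of the CA certificate bundled inside a PKCS#12 file.
p12_ca_subject() {  # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin pass:lab -nokeys -cacerts 2>/dev/null \
    | openssl x509 -noout -subject
}

mk_ca CA1
mk_ca CA2
issue server CA1
issue client CA2
make_p12 client CA2

echo "server vs CA1: $(verify_chain server.crt CA1.crt)"    # OK
echo "client vs CA2: $(verify_chain client.crt CA2.crt)"    # OK
echo "client vs CA1: $(verify_chain client.crt CA1.crt)"    # FAIL
echo "CA inside client.p12: $(p12_ca_subject client.p12)"   # CN = CA2
```

The last two lines are the ones worth running against the real files: the client cert must verify against CA2 and not against CA1, and the PKCS#12 must carry CA2 rather than CA1. If both hold, the certificates are consistent and the problem lies in how the daemon on either side locates or delivers the CA2 certificate, not in the PKI itself.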