Hi,
I'm trying to get a VPN running that uses X.509 certificates for
authentication. I have such beasts running with one CA with no problem:
CA1 -> server cert
CA1 -> client certs
works w/o any problems. Now I want to have
CA1 -> server cert
CA2 -> client certs
with CA1 distinctly different from CA2. On the client I get an error
because it seems to be unable to get the CA certificate for CA2
(referenced in the PKCS#12 file that has the client cert).
Experimentation shows that after handing out the initial proposal, the
client exchanges some more packets with the server, apparently
requesting the CA cert for its own certificate, but doesn't get it
although the server has it (in /etc/isakmpd/ca). On server startup, it
also shows that it reads both CA certificates.
This is on OpenBSD 4.1 and with a huge and complex
isakmpd.{conf,policy} (making it not so easy to switch to ipsec.conf).
An upgrade to 4.2 could be possible if that would solve the problem.
Any ideas about what that could be, or how to cope with it?
TIA!
Best,
--Toni++
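The question above hinges on whether the CA that issued the client certificate (CA2) is actually available where the peer looks for it, and whether the client cert chains to it. The following is an added diagnostic, not code from the original post or from isakmpd: it pulls the certificate out of a PKCS#12 bundle, then walks a directory of CA certificates (the role /etc/isakmpd/ca plays on the server) and reports which CA file, if any, both names the cert's issuer and cryptographically verifies it. It assumes an `openssl` binary on PATH; all file paths and the password are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post or of isakmpd).
# Assumes: `openssl` on PATH; paths and passwords are placeholders.

# Extract the client certificate (PEM) from a PKCS#12 file.
#   $1 = path to the .p12 file, $2 = its password
# Only the client cert is emitted (-clcerts), not any CA certs bundled in.
cert_from_p12() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" | openssl x509
}

# Find the CA in a directory that issued a given certificate.
#   $1 = PEM certificate, $2 = directory of PEM CA certificates
# Prints the path of the matching CA and returns 0; returns 1 if no CA in
# the directory both has a subject equal to the cert's issuer and verifies
# its signature. A name match without a verify pass is deliberately not
# enough: a different key under the same DN would still be rejected by a
# peer, so it is reported as "not found".
find_issuer_ca() {
    cert="$1"; cadir="$2"
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    for ca in "$cadir"/*; do
        [ -f "$ca" ] || continue
        subject=$(openssl x509 -in "$ca" -noout -subject)
        # Strip the "issuer=" / "subject=" prefixes so the DNs compare directly.
        if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
            if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
                echo "$ca"
                return 0
            fi
        fi
    done
    return 1
}

# Usage (placeholder paths):
#   cert_from_p12 /path/to/client.p12 'password' > /tmp/client.pem
#   find_issuer_ca /tmp/client.pem /etc/isakmpd/ca || echo "issuer CA missing"
```

If `find_issuer_ca` finds nothing even though the server's log says it loaded both CA certificates, the likely mismatch is between the issuer DN or key in the PKCS#12 bundle and the CA file actually installed, which is the first thing to rule out before blaming the IKE exchange itself.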