Hi,

in my VPN setup, I want to authenticate sites to each other using X.509
certificates. In my "classic" isakmpd.conf, I have this:

[IPSEC-mobile-clients]
Phase=                  2
Configuration=          mobile-quick-mode
Local-ID=               default-route
Remote-ID=              dummy-remote

[default-route]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[dummy-remote]
ID-type=                IPV4_ADDR
Address=                0.0.0.0


In my isakmpd.policy, I delegate to the individual certs. This works OK
for my few dozen clients, but they all have to have the same
configuration (i.e., the least common denominator "wins").

Since people recommend using ipsec.conf, I wanted to transform this
setup to using ipsec.conf. In my ipsec.conf, I have:


myip=1.2.3.4


ike passive esp tunnel from $myip to any \
        main auth hmac-sha1 enc aes-256 group modp1536 \
        quick auth hmac-sha1 enc aes-256 group modp1536 \
        srcid $myip dstid [EMAIL PROTECTED]


This keeps isakmpd looking in
/etc/isakmpd/pubkeys//ufqdn/[EMAIL PROTECTED] for a public key
that I presumably have to create using keynote (right?).

In any case, I have the certificates in place that I want to use
instead, but they don't get touched, ever.


I'm testing this with 4.3 and a snapshot from August 25th on one
("gateway") side, and Linux+isakmpd on the other side, configured as a
road warrior, but "in production", this would also have to work with
existing counterparts of all kinds, most of them Windows boxen.


Any help is very much appreciated!


Kind regards,
--Toni++
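As an added example (not part of Toni's post or of isakmpd itself), the following POSIX shell check uses openssl(1) to confirm that an X.509 certificate actually carries a subjectAltName of the type and value that an ipsec.conf srcid/dstid implies: a UFQDN such as user@host must appear as an email: entry, an FQDN as a DNS: entry, and an address as an IP Address: entry. It assumes that isakmpd picks the certificate whose subjectAltName matches the negotiated ID, so a mismatch here is the first thing to rule out when the certs in place are never touched. The function names and the certificate path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added check (not from the original post): does the certificate isakmpd
# would present carry a subjectAltName matching the ipsec.conf ID?
# Requires openssl(1). Usage:
#   san_matches_id /etc/isakmpd/certs/gateway.crt user@example.org   (assumed path)

# id_type ID -> prints the ID type ipsec.conf infers: ufqdn | fqdn | ipv4
id_type() {
    case "$1" in
        *@*)        echo ufqdn ;;   # user@host is a UFQDN
        *[!0-9.]*)  echo fqdn  ;;   # anything else non-numeric is an FQDN
        *)          echo ipv4  ;;   # dotted digits only: an IPv4 address
    esac
}

# san_entries CERT -> prints the subjectAltName entries, one per line,
# in openssl's "type:value" form (e.g. "email:user@example.org")
san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//'
}

# san_matches_id CERT ID -> exit 0 if CERT has an entry of the right
# type whose value equals ID exactly, exit 1 otherwise
san_matches_id() {
    cert=$1
    id=$2
    case "$(id_type "$id")" in
        ufqdn) prefix="email:" ;;
        fqdn)  prefix="DNS:" ;;
        ipv4)  prefix="IP Address:" ;;
    esac
    san_entries "$cert" | grep -qxF "${prefix}${id}"
}

# When run directly with a cert and an ID, report the result.
if [ $# -eq 2 ]; then
    if san_matches_id "$1" "$2"; then
        echo "match: $2 is in subjectAltName of $1"
    else
        echo "no match: $2 not found in subjectAltName of $1"
        exit 1
    fi
fi
```

The comparison is exact and type-aware on purpose: a certificate whose only SAN is DNS:gw.example.org will not satisfy a UFQDN dstid, and a CN-only certificate with no SAN will not satisfy any ID.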