Hi, in my VPN setup, I want to authenticate sites to each other using X.509 certificates. In my "classic" isakmpd.conf, I have this:
[IPSEC-mobile-clients]
Phase=          2
Configuration=  mobile-quick-mode
Local-ID=       default-route
Remote-ID=      dummy-remote

[default-route]
ID-type=        IPV4_ADDR_SUBNET
Network=        0.0.0.0
Netmask=        0.0.0.0

[dummy-remote]
ID-type=        IPV4_ADDR
Address=        0.0.0.0

In my isakmpd.policy, I delegate to the individual certs. This works OK for my few dozen clients, but they all have to have the same configuration (i.e., the least common denominator "wins"). Since people recommend using ipsec.conf, I wanted to transform this setup to use ipsec.conf. In my ipsec.conf, I have:

myip=1.2.3.4
ike passive esp tunnel from $myip to any \
    main auth hmac-sha1 enc aes-256 group modp1536 \
    quick auth hmac-sha1 enc aes-256 group modp1536 \
    srcid $myip dstid [EMAIL PROTECTED]

This keeps isakmpd looking in /etc/isakmpd/pubkeys/ufqdn/[EMAIL PROTECTED] for a public key that I presumably have to create using keynote (right)? In any case, I have the certificates in place that I want to use instead, but they don't get touched, ever. I'm testing this with 4.3 and a snapshot from August 25th on one ("gateway") side, and Linux+isakmpd on the other side, configured as a road warrior, but "in production" this would also have to work with existing counterparts of all kinds, most of them Windows boxen.

Any help is very much appreciated!

Kind regards,
--Toni++
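As an added example (not part of the post above and not an OpenBSD tool), the following Python script parses an ipsec.conf fragment like the one in the post, expands its macros, and reports for each configured ID the type isakmpd infers from the string (IPv4 address, FQDN, or UFQDN with an "@") and, for the peer ID, the raw-public-key path it would try under /etc/isakmpd/pubkeys/. The three pubkeys subdirectory names are the ones isakmpd(8) lists; the sample configuration is constructed to mirror the post with a placeholder dstid; and the comment about X.509 certificates being selected by matching the ID against subjectAltName in /etc/isakmpd/certs/ reflects my understanding of isakmpd's certificate handling, not anything the post states.

```python
"""Show how isakmpd interprets the srcid/dstid of ipsec.conf 'ike' rules.

Added example; not code from the original post or from OpenBSD.
"""
import re
import shlex

# Raw RSA public keys, by ID type, with the ID string as the file name
# (directory names as listed in isakmpd(8)).
PUBKEY_DIRS = {
    "IPV4_ADDR": "/etc/isakmpd/pubkeys/ipv4",
    "FQDN": "/etc/isakmpd/pubkeys/fqdn",
    "UFQDN": "/etc/isakmpd/pubkeys/ufqdn",
}
# Assumption: X.509 certificates are not looked up by path at all; isakmpd
# loads the certificates in this directory and picks one whose
# subjectAltName equals the ID, so the ID must match what is in the cert.
CERT_DIR = "/etc/isakmpd/certs"

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
MACRO_RE = re.compile(r"^(\w+)=(.*)$")

# Constructed ipsec.conf mirroring the post; the dstid is a placeholder.
SAMPLE_CONF = """\
myip=1.2.3.4
ike passive esp tunnel from $myip to any \\
    main auth hmac-sha1 enc aes-256 group modp1536 \\
    quick auth hmac-sha1 enc aes-256 group modp1536 \\
    srcid $myip dstid roadwarrior@example.com
"""


def id_type(ident):
    """Classify an ID string the way isakmpd's ID types do."""
    m = IPV4_RE.match(ident)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "IPV4_ADDR"
    if "@" in ident:
        return "UFQDN"
    return "FQDN"


def parse_conf(text):
    """Return (macros, rules): continuation lines joined, $macros expanded."""
    macros, rules = {}, []
    logical, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):      # backslash continuation
            buf += line.rstrip()[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    for line in logical:
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:                                  # name=value macro
            macros[m.group(1)] = m.group(2).strip()
            continue
        tokens = [macros.get(t[1:], t) if t.startswith("$") else t
                  for t in shlex.split(line)]
        if tokens[0] != "ike":
            continue
        rule = {"from": None, "to": None, "srcid": None, "dstid": None}
        for i, tok in enumerate(tokens[:-1]):
            if tok in rule:
                rule[tok] = tokens[i + 1]
        rules.append(rule)
    return macros, rules


def key_lookup(rule):
    """Report ID type for both sides and the raw-pubkey path for the peer."""
    out = {}
    for side in ("srcid", "dstid"):
        ident = rule[side]
        if not ident or ident == "any":
            out[side] = None
            continue
        kind = id_type(ident)
        entry = {"type": kind}
        if side == "dstid":
            entry["pubkey_path"] = f"{PUBKEY_DIRS[kind]}/{ident}"
        out[side] = entry
    return out


if __name__ == "__main__":
    macros, rules = parse_conf(SAMPLE_CONF)
    for rule in rules:
        print(rule)
        print(key_lookup(rule))
    print(f"X.509 certs: {CERT_DIR}/ (selected by subjectAltName == ID)")
```

Running it on the sample prints that the dstid is a UFQDN and that a raw key would be expected at /etc/isakmpd/pubkeys/ufqdn/roadwarrior@example.com, which is the lookup the post describes; the point of the check is that a certificate in /etc/isakmpd/certs/ is only usable for that rule if its subjectAltName carries the very same ID string.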