First of all, I'd like to say I'm a recent convert from Linux, so please
be kind to the newb :).
I've read through the documentation and got my install of OpenBSD
working as I would like but there is one thing that I am not sure about.
According to the man page for isakmpd, there are 4 types of
authentication that one can use: shared passphrase, public keys, X.509
certificates, and KeyNote authentication.
Neither shared passphrase nor KeyNote authentication is really an option
for security and compatibility reasons. So that leaves public keys and
X.509 certificates. Of those 2, I think X.509 certificates would be the
best option for my deployment.
The question is, the man page says that you need to create the keys using
the IP address of the peer or the host name of the peer. The problem is
that many of my peers have dynamic IP addresses and therefore won't know
their IP address ahead of time, and they also do not have control over
their host name (or won't know what it is). So what do I do in
this instance when it comes to generating the X.509 client certificate?
Can I use something like their email address in the certificates instead
of their IP address or host name?
This is probably a really stupid question, but I'm reasonably new to the
whole X.509 certificate thing.
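As an added illustration (not part of the original post), the script below issues a self-signed X.509 certificate whose peer identity is an e-mail address in subjectAltName instead of an IP address or host name, then checks that the identity is really present before the certificate is handed to a peer. It assumes openssl 1.1.1 or later (for -addext); the e-mail address, common name and file names are constructed sample values, and whether a given IKE daemon accepts an e-mail (USER_FQDN) identity is something to confirm in its own documentation.

```shell
#!/bin/sh
# Added example, not from the original post: build a peer certificate whose
# IKE identity is an rfc822Name (e-mail) in subjectAltName, for peers that
# have neither a fixed IP address nor a host name they control.
set -e

WORK=$(mktemp -d)
PEER_MAIL="roadwarrior@example.org"   # constructed sample identity

# Issue a self-signed certificate for the peer. The CN is only a label;
# the identity a peer is matched on is the subjectAltName entry.
make_peer_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/peer.key" -out "$WORK/peer.crt" \
        -subj "/CN=mobile-peer" \
        -addext "subjectAltName=email:$1" >/dev/null 2>&1
}

# Print the subjectAltName entries of a certificate, one per line, with
# surrounding whitespace removed (e.g. "email:roadwarrior@example.org").
san_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n'
}

# Returns 0 when the certificate carries exactly the expected e-mail
# identity; use this before distributing a certificate to a peer.
cert_has_email() {
    san_of "$1" | grep -qx "email:$2"
}

make_peer_cert "$PEER_MAIL"
san_of "$WORK/peer.crt"
```

Run it as-is to see the SAN line the peer will present; the key and certificate land in the temporary directory printed by mktemp.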