I'm trying to get IPsec set up in transport mode using isakmpd, between
OpenBSD 6.0, Windows 2008R2+, and i5/OS 7.1. I've already gotten
everything working using PSK, but I'd like to use certificates.
I've created a certificate from our CA for each machine. I've put the
CA root chain in /etc/isakmpd/ca, the local machine's private key in
private/local.key, the local machine's cert in certs/[ip addr].crt, and
the remote machine's cert in certs/[ip addr].crt. The certificates have
a subject of CN=hostname.domain.com, and a SAN with
DNS=hostname.domain.com, DNS=[ip addr], IP=[ip addr].
I'm thinking that I'm just putting the certs in the wrong place. I've
run isakmpd with -D A=99, which is confusing because it appears to still
be looking in /etc/isakmpd/keynote despite using -K.
Has anyone else used isakmpd with certificates signed by a non-dedicated
CA, or does anyone see anything I'm likely doing wrong here? Thanks.
Current uncommented lines in ipsec.conf:
ike esp transport from a.b.c.d to d.b.c.a \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none
ike esp transport from d.b.c.a to a.b.c.d \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none
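As an added example (not part of the original post), a small POSIX sh script that sanity-checks the /etc/isakmpd layout described above before isakmpd is started. It assumes PEM files laid out as in the post (certs/<ip>.crt, private/local.key, the CA chain under ca/) and, for the chain and key checks only, an openssl binary on the host.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the
# /etc/isakmpd layout described above before starting isakmpd.
# Assumes PEM files named certs/<ip>.crt as in the post, the key in
# private/local.key, and the CA chain (any file names) under ca/.
# Usage: sh check_isakmpd.sh /etc/isakmpd [/etc/ipsec.conf]

# Print the unique peer addresses from uncommented "from A to B" lines.
ipsec_peers() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*from[[:space:]]*\([^[:space:]]*\)[[:space:]]*to[[:space:]]*\([^[:space:]]*\).*/\1 \2/p' |
        tr ' ' '\n' | sort -u
}

# Every address in ipsec.conf needs certs/<addr>.crt; private/local.key
# and a non-empty ca/ must exist. Returns the number of problems found.
check_layout() {
    dir=$1 conf=$2 bad=0
    [ -s "$dir/private/local.key" ] || { echo "missing $dir/private/local.key"; bad=$((bad + 1)); }
    [ -n "$(ls "$dir/ca" 2>/dev/null)" ] || { echo "no CA chain in $dir/ca"; bad=$((bad + 1)); }
    for a in $(ipsec_peers "$conf"); do
        [ -s "$dir/certs/$a.crt" ] || { echo "missing $dir/certs/$a.crt"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# If openssl is available: each cert must chain to ca/, exactly one cert
# must match private/local.key, and the subjectAltName entries (where the
# IP/FQDN IDs get matched) are printed for inspection.
check_crypto() {
    dir=$1 bad=0 match=0
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    chain=$(mktemp) || return 1
    cat "$dir"/ca/* > "$chain"
    pub=$(openssl pkey -in "$dir/private/local.key" -pubout 2>/dev/null)
    for c in "$dir"/certs/*.crt; do
        openssl verify -CAfile "$chain" "$c" >/dev/null || { echo "$c does not chain to ca/"; bad=$((bad + 1)); }
        [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$pub" ] && match=$((match + 1))
        echo "$c:"; openssl x509 -in "$c" -noout -text | grep -A1 'Subject Alternative Name'
    done
    [ "$match" -eq 1 ] || { echo "private/local.key matches $match of certs/*.crt (want 1)"; bad=$((bad + 1)); }
    rm -f "$chain"
    return "$bad"
}

# Run the checks when given the isakmpd directory as the first argument.
if [ $# -gt 0 ]; then
    check_layout "$1" "${2:-/etc/ipsec.conf}" && check_crypto "$1"
fi
```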