Hi!
I have read isakmpd(8), isakmpd.conf(5) and isakmpd.policy(5) carefully,
but I don't fully understand how to set up isakmpd correctly to work
with X509 certificates.
In isakmpd(8), it is said that client certificates must be put in
/etc/isakmpd/certs. Why would isakmpd need those certificates? I
think the CA should be sufficient to check that the certificate
presented by the other peer is correct.
Here is how I would set up isakmpd with x509 certificates:
- Put the CA in /etc/isakmpd/ca/.
- Modify /etc/isakmpd/isakmpd.policy with the DN of the CA in
Licensee field: this way, only certificates signed by the CA would
be accepted.
- Modify /etc/isakmpd/isakmpd.conf to use ID instead of
Authentication. Remote IP is left blank for phase 1. Remote ID is
left blank for phase 2: AltSubjectName from the certificate will
be used instead.
Is it correct?
Moreover, I am not sure that I have really understood what purpose
AltSubjectName serves in the certificate. From what I think, this is
the IP (or the FQDN) that will be used by the remote end of the IPsec
tunnel.
With such a setup, I should be able to have as many clients as I want
without copying their certs in /etc/isakmpd/certs and without altering
/etc/isakmpd/isakmpd.conf to add them. Right?
If someone has a working setup of a VPN gateway that authenticates
roadwarrior clients with x509 certificates without needing to add each of
them in /etc/isakmpd/isakmpd.conf, I would be happy to see the
configuration files.
--
printk("Illegal format on cdrom. Pester manufacturer.\n");
2.2.16 /usr/src/linux/fs/isofs/inode.c
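The setup sketched in the message above, written out as an added illustration (not from the original post or from the isakmpd project): the KeyNote policy that licenses only the CA's DN, and the isakmpd.conf sections for a gateway that accepts certificate-authenticated peers without listing them. The CA DN, addresses, section names and file names are constructed placeholders, and the keys follow isakmpd.conf(5) as assumed here; check them against the man page for your version.

```ini
# --- /etc/isakmpd/isakmpd.policy (KeyNote) ---
# Accept only certificates issued by this CA (DN is a placeholder).
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=XX/O=Example Org/CN=Example VPN CA"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# --- /etc/isakmpd/isakmpd.conf (placeholder addresses and names) ---
[Phase 1]
Default=                ISAKMP-roadwarrior

[Phase 2]
Passive-connections=    IPsec-roadwarrior
# No Address= and no Authentication= here: any peer may initiate, and the
# RSA_SIG transform below selects certificate authentication.
[ISAKMP-roadwarrior]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Configuration=          Default-main-mode
ID=                     Gateway-ID
# Must match the subjectAltName in the gateway's own certificate.
[Gateway-ID]
ID-type=                FQDN
Name=                   vpn.example.com
# Remote-ID left out, as the post proposes (verify against isakmpd.conf(5)).
[IPsec-roadwarrior]
Phase=                  2
ISAKMP-peer=            ISAKMP-roadwarrior
Configuration=          Default-quick-mode
Local-ID=               Internal-net
[Internal-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0
[Default-main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-RSA_SIG
[Default-quick-mode]
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE

[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key
```

With this policy the Licensees line is what limits acceptance to certificates chained to the CA in /etc/isakmpd/ca/; Cert-directory is still needed for the gateway's own certificate, which isakmpd sends to peers during phase 1.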