I'm looking to set up a VPN system linking OpenBSD, Cisco & Linux. I've got the OpenBSD/Linux interop working in the lab with X509 certs (haven't started on the Cisco side yet).
I'd like to clarify the difference between Host Keys & X509 Certs. As I understand it, using Host Keys, the "client" generates a key pair and sends its public key to the "server". From what I can see, this would be OK if you are using a central server that all clients would talk through. Using X509 certs, the "client" generates a cert, which gets signed by the CA. All devices have copies of the CA cert, and nothing needs to be copied around between any of the devices. This appears to be best when you are looking to set up a mesh VPN network. Have I understood things correctly? Any gotchas that I've missed?

Thanks,
GTG
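As an added illustration (not part of the original post), here is how the two models look on the OpenBSD side in ipsec.conf(5)/isakmpd(8): the first block uses pairwise RSA host keys, the second uses X.509 certificates. The addresses, subnets and hostnames are assumed values.

```conf
# --- Model 1: RSA host keys (pairwise trust) -------------------------------
# Our own key pair lives in /etc/isakmpd/private/local.key and
# /etc/isakmpd/local.pub. Every peer's public key must be copied onto
# this box by hand, named after the ID the peer presents, e.g.
#   /etc/isakmpd/pubkeys/ipv4/192.0.2.2
# With no "psk" keyword, isakmpd authenticates with RSA keys.
# In a full mesh of N gateways that is N-1 public-key files on every host.
ike esp from 10.1.0.0/24 to 10.2.0.0/24 \
    local 192.0.2.1 peer 192.0.2.2

# --- Model 2: X.509 certificates (CA trust) -------------------------------
# Only the CA certificate is copied to every gateway:
#   /etc/isakmpd/ca/ca.crt
# Each gateway keeps just its own signed certificate and private key:
#   /etc/isakmpd/certs/gw1.example.com.crt
#   /etc/isakmpd/private/local.key
# The peer sends its certificate inside IKE; isakmpd validates it against
# the CA directory and matches the subjectAltName against dstid.
# Adding a new gateway to the mesh means signing one cert, not touching
# every existing node. Revoked certs go in /etc/isakmpd/crls/ (assumed
# CRL handling; check crl settings for your release).
ike esp from 10.1.0.0/24 to 10.3.0.0/24 \
    local 192.0.2.1 peer 192.0.2.3 \
    srcid gw1.example.com dstid gw3.example.com
```

One caveat to check on the Linux and Cisco sides: the certificate's subjectAltName (FQDN or IP) has to match the IKE identity each peer sends, otherwise the negotiation fails after the CA check has already passed.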

