On 5/5/06, carlopmart <[EMAIL PROTECTED]> wrote:
> I need to assign to each user an x509 cert and an IP associated with this cert.
As I haven't yet tried the ipsecctl and ipsec.conf tools, I cannot tell you whether they support IKECFG to hand out IP addresses based on certificates. The man page lists the 'any' keyword which seems promising, but I'd have to take a better look. As in previous releases, isakmpd does, of course, support IKECFG. I employ both a Flags=IKECFG in the ISAKMP-peer section and later on an IKECFG-ID stanza. Using the isakmpd.policy, connection attempts using certificates are validated. I have several gateways using isakmpd that deal out IP addresses to users based on their certs. These work fine for me, although configuring isakmpd for these purposes doesn't scale too well. I create those bits of my configuration through a script.
> customized pf rules for every user based on these certs and IPs.
To my knowledge, pf doesn't deal with the certs. It just deals with IP addresses on the enc0 device and the filter rules assigned to those addresses.
> And also, is xauth implemented?
IIRC, isakmpd does not implement xauth. If I'm mistaken on this point, feel free to correct me. I wouldn't mind having xauth support (e.g. to authenticate against RADIUS), but so far certificates work well enough for my purposes.

Cheers,
Rogier
-- 
If you don't know where you're going, any road will get you there.
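A worked version of the setup Rogier describes (one road-warrior peer with Flags=IKECFG, a per-user IKECFG-ID stanza keyed on the certificate subject, an isakmpd.policy that accepts certs from one CA, and pf rules on enc0 that key on the handed-out address rather than the cert), added here as an example; it is not his script and not part of the original thread. Section and key names follow my reading of isakmpd.conf(5) and isakmpd.policy(5); the form of the IKECFG-ID section tag ("asn1_dn/<subject DN>") in particular is an assumption to verify against the man page of the release in use. The CA and user DNs, addresses, interface and network are made up.

```shell
#!/bin/sh
# Added example, not the script mentioned in the thread.  Generates the
# per-user isakmpd.conf IKECFG stanzas and matching pf rules for enc0 from
# a single "name|cert subject DN|tunnel IP" table.  Section and key names
# follow my reading of isakmpd.conf(5); the "IKECFG-ID-asn1_dn/<DN>" tag
# format is an assumption to check against the man page.  All DNs,
# addresses and networks are constructed for the example.

# Constructed user table: one user per line, fields separated by '|'.
USERS='alice|/C=ES/O=Example/CN=alice|10.99.0.11
bob|/C=ES/O=Example/CN=bob|10.99.0.12'

GW_ADDR=203.0.113.1                          # assumed gateway address
LAN=192.168.10.0/24                          # assumed network behind it
CA_DN='/C=ES/O=Example/CN=Example VPN CA'    # assumed CA subject

# gen_isakmpd_conf: static part (one catch-all peer with Flags=IKECFG, so
# any remote address lands in it) followed by one [IKECFG-ID-...] section
# per user.  The section is looked up by the authenticated cert's subject,
# which is what ties an address to a certificate.
gen_isakmpd_conf() {
    cat <<EOF
[Phase 1]
Default=        ISAKMP-peer-roadwarrior

[ISAKMP-peer-roadwarrior]
Phase=          1
Transport=      udp
Local-address=  $GW_ADDR
Configuration=  Default-main-mode
ID=             gw-id
Flags=          IKECFG

[gw-id]
ID-type=        FQDN
Name=           vpn.example.net

[Default-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     AES-SHA-RSA_SIG

EOF
    printf '%s\n' "$USERS" | while IFS='|' read -r name dn ip; do
        [ -n "$name" ] || continue
        cat <<EOF
# $name: address handed out once the cert with this subject authenticates
[IKECFG-ID-asn1_dn/$dn]
Address=        $ip
Netmask=        255.255.255.255

EOF
    done
}

# gen_policy: isakmpd.policy accepting any certificate issued by our CA.
# This is where cert-based connection attempts are validated; per-user
# restrictions are not expressed here but via the address pf sees.
gen_policy() {
    cat <<EOF
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:$CA_DN"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
EOF
}

# gen_pf_rules: pf never sees the certificate, only the decapsulated
# traffic on enc0, so each rule keys on the tunnel IP that the IKECFG
# stanza above assigned to that user's cert.
gen_pf_rules() {
    printf '%s\n' "$USERS" | while IFS='|' read -r name dn ip; do
        [ -n "$name" ] || continue
        printf 'pass in on enc0 from %s to %s keep state # %s\n' \
            "$ip" "$LAN" "$name"
    done
}

# Emit all three fragments; redirect each into the right file as needed.
gen_isakmpd_conf
gen_policy
gen_pf_rules
```

Because one address is bound to one certificate subject, a per-user pf rule on enc0 is effectively a per-certificate rule; keep the Netmask at /32 so a client cannot claim a neighbouring address that another rule trusts.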

