Hi, On Tue, 03.10.2006 at 13:25:50 +0200, Joachim Schipper <[EMAIL PROTECTED]> wrote: > If those are just standard OpenSSL-style x509 certificates, you can > generate them whereever you want, and they will work just fine.
I routinely generate such certificates on Linux with OpenSSL and deploy on OpenBSD for use with isakmpd. Last I looked, the "SubjectAltName" part was mandatory for this kind of usage. > 4.0 has a lot of improvements, and ISTR that some of those are > necessary to use ipsec.conf with clients that change IP adresses. Do you mind going into details? I'm so far using the classical isakmpd.{conf,policy} thingy to authenticate eg. roaming users with their certificates. Best, --Toni++