Hi all
I'm setting up an OBSD 4.1 IPsec gateway, against which users will
authenticate using X.509 certificates. They all use personal certificates
(key usage: digSig), which contain their user name and e-mail address in
the subject. I need to authenticate them by the whole subject, but can't
seem to find out how.
I can authenticate them (i.e. it works) if I just use the e-mail address
from the certificate as a filter in ipsec.conf, along the lines of:
ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
dstid [EMAIL PROTECTED]
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain
dstid [EMAIL PROTECTED]
But what I need would look something like:
ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain
dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
When I configure this, with all possible variations of quoting and
backslashes, isakmpd tells me in the log file:
Jul 20 18:52:15 gate isakmpd[8707]: ipsec_validate_id_information: dubious ID information accepted
Jul 20 18:52:15 gate isakmpd[8707]: ike_phase_1_recv_ID: received remote ID other than expected /C=CH/CN=John
Apropos the subjectAltName: openssl tells me about the certificate:
[...]
X509v3 Subject Alternative Name:
email:[EMAIL PROTECTED]
[...]
Is there a way to see what is getting sent? isakmpd does not seem to
like the spaces in the /CN, is there a way to quote this for him?
Is this possible at all?
Thanks for any hint.
/markus
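An added example, not part of the original post and not OpenBSD or isakmpd code: a small POSIX shell script that prints the subject DN of a certificate in the slash notation used above, lists any rfc822Name (email:) entries from subjectAltName, and compares a candidate dstid string character for character against the subject. It only assumes the openssl command-line tool is installed and that the certificate is a PEM file; cert.pem and the function names are illustrative. It says nothing about how isakmpd itself tokenizes or matches the ID; it just lets you see exactly what the certificate carries before you compare it with the log line.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenBSD): inspect the
# identity-bearing fields of an X.509 certificate so they can be compared
# with a dstid string from ipsec.conf. Assumes the openssl CLI is installed.

# Print the subject DN in slash notation (/C=CH/CN=John Doe/...).
# -nameopt compat gives the X509_NAME_oneline form; sed drops the
# "subject=" prefix so the output is exactly the DN string.
cert_subject_slash() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^[^/]*//'
}

# Print the email: entries of subjectAltName, one per line (empty if none).
# The extension value is on the line following the extension name in
# "openssl x509 -text" output; entries are comma separated.
cert_san_emails() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p'
}

# Compare a configured dstid against the certificate's subject DN.
# Prints both strings and returns 0 on an exact match, 1 otherwise, so a
# truncated or differently spaced value shows up immediately.
check_dstid() {
    cert="$1"
    want="$2"
    have=$(cert_subject_slash "$cert")
    printf 'certificate subject: %s\n' "$have"
    printf 'configured dstid:    %s\n' "$want"
    [ "$have" = "$want" ]
}

# Usage (hypothetical file names):
#   check_dstid cert.pem "/C=CH/CN=John Doe/O=My Org"
#   cert_san_emails cert.pem
```

Run check_dstid with the exact string you put in ipsec.conf; if the printed subject and dstid differ only after a space, the value reaching isakmpd was cut at that space, which is worth knowing before trying further quoting variants.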