Hi, the Subject Alternative Name of your certificate will be used as phase 2 IDs, i.e. that's what is sent. If you want to use the Subject Canonical Name, you have to additionally provide an isakmpd.policy file and you have to run isakmpd without the "-K" option. See isakmpd.policy(5).
On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
> Hi all
>
> I'm setting up an OBSD 4.1 ipsec gateway, against which users will
> authenticate using x509 certificates. They all use personal certificates
> (key usage: digSig), which contain their user name and Email in the
> subject. I need to authenticate them by the whole subject, but can't
> seem to find out how.
>
> I can authenticate them (i.e. it works) if I just use the email address
> from the certificate as a filter in ipsec.conf along the lines:
>
> ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
> dstid [EMAIL PROTECTED]
> ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain
> dstid [EMAIL PROTECTED]
>
> But what I need would look something like:
>
> ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
> dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
> ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain
> dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
>
> When I configure this, with all possible variations of quoting and
> backslashes, isakmpd tells me in the log file:
>
> Jul 20 18:52:15 gate isakmpd[8707]: ipsec_validate_id_information:
> dubious ID information accepted
> Jul 20 18:52:15 gate isakmpd[8707]: ike_phase_1_recv_ID: received remote
> ID other than expected /C=CH/CN=John
>
> Apropos the subjectAltName: openssl tells me about the certificate:
>
> [...]
> X509v3 Subject Alternative Name:
> email:[EMAIL PROTECTED]
> [...]
>
> Is there a way to see what is getting sent? isakmpd does not seem to
> like the spaces in the /CN, is there a way to quote this for him?
> Is this possible at all?
>
> thx for any hint
>
> /markus
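As an added illustration (not part of the reply above and not taken from the isakmpd.policy(5) man page), here is the shape of a KeyNote assertion in /etc/isakmpd/isakmpd.policy that admits only the certificate subject quoted in the question, for use when isakmpd is started without -K as the reply says; the DN string is copied from the question (its email component is redacted there), and the Conditions clause is an assumption about which SA properties you want to require.

```text
KeyNote-Version: 2
Comment: Added example, not from the reply or the isakmpd.policy(5) man page.
Comment: The DN must match the certificate subject exactly, including the
Comment: space in the CN; KeyNote strings are double-quoted, so no escaping
Comment: is needed. The email component reads as redacted in the question.
Authorizer: "POLICY"
Licensees: "DN:/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
```

A peer whose certificate subject does not match the Licensees DN is refused at policy evaluation time, so the check on the full subject happens in the policy rather than in the ipsec.conf dstid.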

