Hi again!
I need to authenticate users in isakmpd by the subject DN of their x509
certificates. For this, I wrote isakmpd.policy as follows:
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" -> "true";

KeyNote-Version: 2
Authorizer: "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
Licensees: "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
Conditions: remote_id_type == "ASN1 DN" &&
            remote_id == "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org" -> "true";
The accompanying ipsec.conf looks like:
ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain
I can now establish an IPSec connection with any certificate issued by
the CAs whose certificates lie in /etc/isakmpd/ca.
But the restrictions I put in isakmpd.policy do not seem to get
enforced, i.e. any certificate gets accepted, not only the configured
one (/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org). So either my
isakmpd.policy is wrong or it does not get evaluated.
Does anybody have a pointer on how to restrict access to just the
certificates I specify in isakmpd.policy?
thx /markus
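To make the intended evaluation of that two-assertion policy concrete, here is a small KeyNote-style evaluator added to this page; it is not isakmpd's code, not the KeyNote library, and not from the original poster. It parses blank-line-separated assertions with the field name KeyNote actually defines (Authorizer), walks the delegation chain POLICY -> CA subject -> peer subject, and checks the Conditions against the attributes isakmpd supplies (app_domain, doi, remote_id_type, remote_id). The CA and peer DNs are constructed copies of the ones in the post with a made-up e-mail address in place of the redacted one; whether isakmpd names the peer principal with a "DN:" prefix is left open, the toy only requires the Licensees string and the requester name to agree. Input the grammar does not cover raises ValueError rather than being silently accepted, which is also what you want from a real policy parser.

```python
"""Toy KeyNote (RFC 2704) evaluator for the two-assertion isakmpd.policy above.
Added illustration, not isakmpd's or the KeyNote library's code; see lead-in."""
import re

# The field names KeyNote defines; anything else (e.g. "Authenticator") is rejected.
KEYNOTE_FIELDS = {"KeyNote-Version", "Authorizer", "Licensees", "Conditions", "Comment", "Signature"}

# Constructed copy of the posted policy: blank line between assertions, continuation
# lines indented, made-up address for the redacted e-mail.  Whether isakmpd names the
# peer principal with a "DN:" prefix is left open; Licensees and requester must agree.
CA_DN = "DN:/C=CH/O=My Org/CN=My Org's CA Cert Subject"
JOHN_DN = "/C=CH/CN=John Doe/emailAddress=jdoe@example.org/O=My Org"

POLICY = f'''\
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "{CA_DN}"
Conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" -> "true";

KeyNote-Version: 2
Authorizer: "{CA_DN}"
Licensees: "{JOHN_DN}"
Conditions: remote_id_type == "ASN1 DN" &&
            remote_id == "{JOHN_DN}" -> "true";
'''

def _unquote(s):
    m = re.fullmatch(r'\s*"([^"]*)"\s*', s)
    if not m:
        raise ValueError(f"expected exactly one quoted principal, got {s!r}")
    return m.group(1)

def parse_assertions(text):
    """Split a policy file into assertions, each a dict of field -> value."""
    assertions = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):      # blank line = new assertion
        fields, current = {}, None
        for line in block.splitlines():
            head = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
            if line[0].isspace() and current:
                fields[current] += " " + line.strip()          # continuation line
            elif head and head.group(1) not in KEYNOTE_FIELDS:
                raise ValueError(f"unknown KeyNote field {head.group(1)!r}")
            elif head and head.group(1) in fields:
                raise ValueError(f"duplicate {head.group(1)} field: blank line missing?")
            elif head:
                current = head.group(1)
                fields[current] = head.group(2).strip()
            else:
                raise ValueError(f"unparseable line (unindented continuation?): {line!r}")
        for f in ("Authorizer", "Licensees"):
            fields[f] = _unquote(fields.get(f, ""))
        assertions.append(fields)
    return assertions

def eval_conditions(cond, env):
    """Evaluate a Conditions field (restricted grammar) against the action attributes."""
    cond = cond.strip().rstrip(";").strip()
    if not cond:
        return True                                 # no Conditions field: always holds
    arrow = re.fullmatch(r'(.*?)\s*->\s*"(\w+)"', cond)
    expr, value = arrow.groups() if arrow else (cond, "true")
    for term in expr.split("&&"):
        t = re.fullmatch(r'\s*([A-Za-z_]\w*)\s*(==|!=)\s*"([^"]*)"\s*', term)
        if not t:
            raise ValueError(f"unsupported condition term {term.strip()!r}")
        attr, op, want = t.groups()
        got = env.get(attr, "")                     # unset attributes read as "" in KeyNote
        if (got == want) != (op == "=="):
            return False
    return value == "true"

def compliance(assertions, requester, env):
    """POLICY's value: a principal is true if it is the requester or authorizes a true assertion."""
    def principal(p, depth):
        if p == requester:
            return True
        if depth > len(assertions):                 # stop on delegation loops
            return False
        return any(eval_conditions(a.get("Conditions", ""), env)
                   and principal(a["Licensees"], depth + 1)
                   for a in assertions if a["Authorizer"] == p)
    return principal("POLICY", 0)

def policy_parse_error(text):
    """The parser's complaint about a policy file, or None if it parses cleanly."""
    try:
        parse_assertions(text)
        return None
    except ValueError as e:
        return str(e)

def check_peer(policy_text, remote_id, id_type="ASN1 DN"):
    """Would this policy admit a peer whose certificate identity is remote_id?"""
    env = {"app_domain": "IPsec policy", "doi": "ipsec",
           "remote_id_type": id_type, "remote_id": remote_id}
    return compliance(parse_assertions(policy_text), remote_id, env)
```

With this, `check_peer(POLICY, JOHN_DN)` is true, while a second certificate from the same CA with a different subject fails: the CA's only assertion licenses John Doe's DN and its Conditions pin remote_id to that same string, so no other subject reaches the requester. The same function also shows two ways the file can fail to take effect before the -K question even arises: a field spelled "Authenticator" is rejected as unknown, and two assertions without a blank line between them collapse into one assertion with duplicate fields.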
Hans-Joerg Hoexer wrote:
Hi,
the Subject Alternative Name of your certificate will be used as phase 2
IDs, i.e. that's what is sent. If you want to use the Subject Canonical
Name, you have to additionally provide an isakmpd.policy file and you have
to run isakmpd without the "-K" option. See isakmpd.policy(5).