On 2009-04-27, Edvard Fagerholm <[email protected]> wrote:
> 1. Clients are either OS X or Windows connecting from arbitrary IPs
> and hostnames and sometimes behind NAT connections.
>
> 2. OpenBSD 4.4 server.
>
> I have certificates created and signed by our CA with the e-mail
> address used as the UFQDN in the subjectAltName field. Similarly I
> have a certificate for the firewall with its IP address in the
> subjectAltName.
>
> The internal network is the subnet 192.168.0/24 and I would like to
> have addresses in the 192.168.1/24 range assigned to the VPN
> connections. I was wondering how this would be done with ipsec.conf? I
> have previously configured a similar setup using isakmpd.conf, but the
> examples for ipsec.conf only seem to address cases where both ends
> have hostnames or IP addresses that are known. In this case I don't
> have any idea of the client (except the cert).
You can use "to any" to do this, but you also need a KeyNote policy to restrict the addresses users are allowed to ask for (otherwise you can be in for a whole bunch of fun if somebody enters a bad address).
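An added illustration of the combination described in the reply (example configuration, not posted by anyone in the thread): a passive ipsec.conf rule using "to any"/"peer any" for the roaming clients, paired with an isakmpd.policy assertion that only accepts proposals whose remote traffic selector lies inside 192.168.1/24. The firewall address 203.0.113.1 and the CA's DN are placeholders; the regex match (~=) is used instead of <= / >= because KeyNote compares strings lexicographically, which would mis-order dotted quads.

```conf
# /etc/ipsec.conf (placeholder firewall address 203.0.113.1; the firewall
# cert, client CA and private key are assumed to be installed under
# /etc/isakmpd/ as usual). "to any" and "peer any" let a client with any
# source address and any requested inner address negotiate; the policy
# below decides which inner addresses are actually accepted.
ike passive esp from 192.168.0.0/24 to any \
        local 203.0.113.1 peer any \
        srcid 203.0.113.1

# /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: Accept only ESP with real encryption from certs issued by our CA,
Comment: and only when the remote selector (the address the client asks
Comment: for) is a single address or range entirely inside 192.168.1.0/24.
Authorizer: "POLICY"
Licensees: "DN:/C=XX/O=Example Org/CN=Example CA"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            remote_filter_addr_lower ~= "^192\\.168\\.1\\.[0-9]+$" &&
            remote_filter_addr_upper ~= "^192\\.168\\.1\\.[0-9]+$"
                -> "true";
```

A client proposing, say, 192.168.0.5 or 10.0.0.0/8 as its inner address then fails quick mode at the policy check rather than getting a flow installed towards the internal LAN.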

