2nd September 2018
flyvert
Help with multi-targeting X509 isakmpd.policy

My first post - my apologies for possibly not having found/read the appropriate user's guide.

I'm in need of help with setting up x509 multi-client targeting policies on an OpenBSD 6.3 box acting as a VPN tunnel server.

I have read the manual pages up and down and searched the web, but found little help with how I can rig the isakmpd.policy file to accept a larger set of individual client certificates created by a self-signed CA hosted on the tunnel server itself, without having a unique Authorizer/Licensee clause for each client.

Currently, I have it working by declaring one credential set per client, but would like to know if I can use some wildcard, etc. syntax to accept all clients having a personal cert, but issued by a common CA.

Also, I may have run into a (possible?) bug where isakmpd rejects a valid cert holder, for which I have to restart the daemon to resume operation. I have seen this happen quite frequently as I am trying a combination of client certs with the same Common Name, no email, but a unique email passed as an FQDN extension. User1 is accepted but User2 (same CN, different FQDN:email) is rejected. If I restart, User2 may connect (if first) while User1 (when second) is rejected.

Any recommendations or multi-cert examples are greatly appreciated.

Cheers
/f