DaemonForums  

OpenBSD Security Functionally paranoid!

flyvert (New User)
Join Date: Sep 2018
Posts: 1
Posted: 2 Weeks Ago

Help with multi-targeting X509 isakmpd.policy

My first post - my apologies for possibly not having found/read the appropriate user's guide.

I'm in need of help with setting up x509 multi client targeting policies in an OpenBSD 6.3 box acting as VPN tunnel server.

I have read manual pages up and down and searched the web but found little help with how I can rig the isakmpd.policy file to accept a larger set of individual client certificates created by a self-signed CA hosted on the tunnel server itself without having a unique Authorizer/Licensee clause for each client.

Currently, I have it working by declaring one credential set per client, but would like to know if I can use some wildcard, etc. syntax to accept all clients having a personal cert, but issued by a common CA.

Also, I may have run into a (possible?) bug where the isakmpd rejects a valid cert holder for which I have to restart the daemon to resume operation. I have seen this happen quite frequently as I am trying a combination of client certs with the same Common Name, no email but a unique email passed as FQDN extension. User1 is accepted but User2 (same CN, different FQDN:email) is rejected. If I restart, User2 may connect (if first) while User1 (when second) is rejected.

Any recommendations or multi-cert examples are greatly appreciated.

Cheers
/f
Tags
isakmpd.policy x509 fqdn email
