Hi all
I have an OBSD4.3 VPN gateway that authenticates users based on their
certificate and an isakmpd.policy, which works just fine. Now a user had
to renew his certificate: same CA, same CA certificate, same Subject DN,
same EVERYTHING. I'd have expected that he'd just need to close the VPN
tunnel, install the new certificate, authenticate again and that'd be
it. But not so. isakmpd logs and sends back: isakmpd[26674]: dropped
message from aaa.bbb.ccc.ddd port 500 due to notification type
INVALID_ID_INFORMATION
On one machine, I had to restart isakmpd to get it to accept the new
certificate, on the other one I can't because I connect to it through
the same VPN ... Obviously some part of the certificate gets cached
somewhere in memory (isakmpd? kernel?). Tearing down old SAs for the
user's IP (echo "t aaa.bbb.ccc.ddd" > /var/run/isakmpd.fifo) doesn't help.
Is there any way (apart from bouncing isakmpd) to force (isakmpd?
kernel?) to forget the old and use the new certificate? On one occasion
I had to reboot a box ... which I consider a rather drastic measure for
the occasion of a user certificate renewal.
tx /markus