Hi,

On Tue, 13.04.2010 at 17:42:52 +0200, Toni Mueller <openbsd-t...@oeko.net> wrote:
> Authorizer: "mobile-certs"
> Comment: need to list all certificates for mobile users in the licensees
>          section
> Licensees: "DN:/Cert/Of/User1" ||
>            "DN:/Cert/Of/User2"
> Conditions: app_domain == "IPsec policy"
>             && esp_present == "yes"
>             && esp_enc_alg == "aes"
>             && phase_1 == "main"
>             && phase1_group_desc == "5"
>             && esp_encapsulation == "tunnel"
>             && esp_auth_alg == "hmac-sha"
>             && ( esp_key_length == "256" || esp_key_length == "128" )
>             && remote_filter_type == "IPv4 address"
>             && remote_filter == "192.168.003.000-192.168.003.255"
>             && remote_filter_addr_lower == "192.168.003.000"
>             && remote_filter_addr_upper == "192.168.003.255"
>             && pfs == "yes"
>             && remote_id_type == "User FQDN"
>             && ( remote_id == "us...@example.com" || remote_id ==
>                  "us...@example.com" ) -> "true";
I've now made sure to retry with "IPv4 subnet" instead of "IPv4 address", but with exactly the same result. Isakmpd logs the following, and I still have to find out whether this is generated somewhere within isakmpd or sent by the client:

...
@400000004bc5aacc2ce2c2c4 134506.752860 Plcy 80 remote_filter_type == IPv4 subnet
@400000004bc5aacc2ce2da34 134506.752864 Plcy 80 remote_filter_addr_upper == 255.255.255.255
@400000004bc5aacc2ce30cfc 134506.752870 Plcy 80 remote_filter_addr_lower == 000.000.000.000
@400000004bc5aacc2ce3340c 134506.752882 Plcy 80 remote_filter == 000.000.000.000-255.255.255.255
@400000004bc5aacc2ce343ac 134506.752888 Plcy 80 remote_filter_port == 0
@400000004bc5aacc2ce37a5c 134506.752894 Plcy 80 remote_filter_proto == 0
@400000004bc5aacc2ce3ad24 134506.752904 Plcy 80 local_filter_type == IPv4 subnet
@400000004bc5aacc2ce3cc64 134506.752914 Plcy 80 local_filter_addr_upper == 255.255.255.255
@400000004bc5aacc2ce3eba4 134506.752921 Plcy 80 local_filter_addr_lower == 000.000.000.000
@400000004bc5aacc2ce3fb44 134506.752933 Plcy 80 local_filter == 000.000.000.000-255.255.255.255
@400000004bc5aacc2ce40ecc 134506.752942 Plcy 80 local_filter_port == 0
@400000004bc5aacc2ce44d4c 134506.752949 Plcy 80 local_filter_proto == 0
@400000004bc5aacc2ce4745c 134506.752972 Plcy 80 remote_id_type == User FQDN
@400000004bc5aacc2ce48bcc 134506.752980 Plcy 80 remote_id_addr_upper ==
@400000004bc5aacc2ce4c664 134506.752989 Plcy 80 remote_id_addr_lower ==
@400000004bc5aacc2ce4d9ec 134506.752995 Plcy 80 remote_id == us...@example.com
@400000004bc5aacc2ce51484 134506.753003 Plcy 80 remote_id_port == 0
@400000004bc5aacc2ce53f7c 134506.753022 Plcy 80 remote_id_proto == 0
@400000004bc5aacc2ce54f1c 134506.753028 Plcy 80 remote_negotiation_address == 088.128.046.032
@400000004bc5aacc2ce5c44c 134506.753038 Plcy 80 local_negotiation_address == 193.221.127.062
@400000004bc5aacc2ce5d3ec 134506.753044 Plcy 80 pfs == yes
@400000004bc5aacc2ce6397c 134506.753053 Plcy 80 initiator == no
@400000004bc5aacc2ce66474 134506.753057 Plcy 80 phase1_group_desc == 5
@400000004bc5aacc2ce677fc 134506.753155 Plcy 40 check_policy: kn_do_query returned 1

Stay tuned for another hack... :/

--
Kind regards,
--Toni++
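As an added debugging aid (not part of the thread and not isakmpd's own code), the following Python extracts the `Plcy 80` action attribute set from the isakmpd debug log above and compares it with the fixed-value conditions of the KeyNote policy, so the attributes that make `kn_do_query` fail stand out: the log shows the peer's filter as 000.000.000.000-255.255.255.255, not the policy's 192.168.003.000-192.168.003.255 range. The sample log is a handful of lines from the excerpt above, the condition list is a hand-transcribed subset of the policy, and only equality conditions are modelled.

```python
import re

# isakmpd prints one "Plcy 80 <name> == <value>" line per attribute while it
# builds the KeyNote action set; the value may be empty (remote_id_addr_upper).
PLCY_RE = re.compile(r"Plcy 80 (\w+) == ?(.*)$")


def parse_plcy_attrs(log_text):
    """Return the attribute set as {name: value}; empty values map to ''."""
    attrs = {}
    for line in log_text.splitlines():
        m = PLCY_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def check_conditions(attrs, conditions):
    """conditions: list of (attribute, tuple of allowed values).
    Returns [(name, actual, allowed)] for every condition the attribute set fails."""
    failures = []
    for name, allowed in conditions:
        actual = attrs.get(name)  # None when isakmpd did not emit the attribute
        if actual not in allowed:
            failures.append((name, actual, allowed))
    return failures


# Sample input: lines taken from the isakmpd log in the post above.
SAMPLE_LOG = """\
@400000004bc5aacc2ce2c2c4 134506.752860 Plcy 80 remote_filter_type == IPv4 subnet
@400000004bc5aacc2ce2da34 134506.752864 Plcy 80 remote_filter_addr_upper == 255.255.255.255
@400000004bc5aacc2ce30cfc 134506.752870 Plcy 80 remote_filter_addr_lower == 000.000.000.000
@400000004bc5aacc2ce3340c 134506.752882 Plcy 80 remote_filter == 000.000.000.000-255.255.255.255
@400000004bc5aacc2ce4745c 134506.752972 Plcy 80 remote_id_type == User FQDN
@400000004bc5aacc2ce48bcc 134506.752980 Plcy 80 remote_id_addr_upper ==
@400000004bc5aacc2ce5d3ec 134506.753044 Plcy 80 pfs == yes
@400000004bc5aacc2ce66474 134506.753057 Plcy 80 phase1_group_desc == 5
@400000004bc5aacc2ce677fc 134506.753155 Plcy 40 check_policy: kn_do_query returned 1
"""

# Subset of the policy's Conditions, transcribed by hand (equality tests only).
POLICY_CONDITIONS = [
    ("remote_filter_type", ("IPv4 subnet",)),
    ("remote_filter", ("192.168.003.000-192.168.003.255",)),
    ("remote_filter_addr_lower", ("192.168.003.000",)),
    ("remote_filter_addr_upper", ("192.168.003.255",)),
    ("pfs", ("yes",)),
    ("remote_id_type", ("User FQDN",)),
    ("phase1_group_desc", ("5",)),
]

if __name__ == "__main__":
    for name, actual, allowed in check_conditions(parse_plcy_attrs(SAMPLE_LOG), POLICY_CONDITIONS):
        print(f"{name}: peer offered {actual!r}, policy requires one of {allowed}")
```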