isakmpd AND NOT policy
Hi list,
I'm getting the hang of configuring Isakmp... using CA-based
x.509-certification using the DN of a certificate is not a problem.
However... all the policies I have found up until now are based on
letting users IN. I want them to stay OUT, based on their once-issued
certificate. Hence, I am trying to make a policy based on a logical
NOT instead of the default ||. Below is what I want and what I have
accomplished. Ideas would be very welcome.
Regards,
------------- This works, and permits based on DN && CA
authorizer: "POLICY"
licensees: "ca" && "grant"
Conditions: app_domain == "IPsec policy";
authorizer: "ca"
licensees: "DN:/C=NL/ST=Noord Holland/L=Amsterdam/"
conditions: app_domain == "IPsec policy" && esp_present == "yes" -> "true";
authorizer: "grant"
licensees: "DN:/OU=Roaming users 002/"
------------- What I want ---------
authorizer: "POLICY"
licensees: "ca" AND NOT "deny"
Conditions: app_domain == "IPsec policy";
authorizer: "ca"
licensees: "DN:/C=NL/ST=Noord Holland/L=Amsterdam/OU=ROOT_CA/"
conditions: app_domain == "IPsec policy" && esp_present == "yes" -> "true";
authorizer: "deny"
licensees: "DN:/OU=Roaming user 002/"
---
Pepijn Vissers
Forensic IT Consultant
Fox-IT Forensic IT Experts B.V
Oude Delft 47
2611 BC Delft
t 015 - 21 21 907
f 015 - 21 21 964
e vissers@fox-it.com
i www.fox-it.com
D41F 3C13 3591 A2E1 E642 75CE 9CFA 276F DDE6 10D6
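Added example, not code from the post or from isakmpd: a small Python model of KeyNote-style delegation (principal names matched literally, no parentheses, the `conditions` fields assumed to hold) that evaluates the policy above and shows why a licensees field has no "AND NOT": evaluation only ever reaches grants, so adding a "deny" assertion can never take authority away from a peer the other assertions admit.

```python
# Constructed model of KeyNote-style delegation, not isakmpd's own code: names are
# matched literally, '&&' binds tighter than '||' (no parentheses), conditions assumed to hold.
import re

_TOKEN = r'\s*(?:"([^"]*)"|(&&|\|\|))'

def tokenize(expr):
    # strict: anything other than quoted names and && / || is rejected
    if not re.fullmatch(f"(?:{_TOKEN})*\\s*", expr):
        raise ValueError(f"bad licensees syntax: {expr!r}")
    return [("op", o) if o else ("name", n) for n, o in re.findall(_TOKEN, expr)]

def eval_licensees(expr, holds):
    toks = tokenize(expr)          # holds(name) -> is that principal trusted?
    def atom():
        kind, t = toks.pop(0)
        if kind != "name":
            raise ValueError(f"expected a principal, got {t!r}")
        return bool(holds(t))
    def conj():                    # "a" && "b" && ...
        v = atom()
        while toks and toks[0] == ("op", "&&"):
            toks.pop(0)
            v = v & atom()         # no short-circuit, so every token is consumed
        return v
    v = conj()
    while toks and toks[0] == ("op", "||"):
        toks.pop(0)
        v = v | conj()
    if toks:
        raise ValueError(f"trailing token {toks[0][1]!r}")
    return v

def authorized(assertions, requester, principal="POLICY", seen=frozenset()):
    """True if `principal` delegates, via assertions, to a name the requester holds;
    only grants are reachable, so adding an assertion never turns True into False."""
    if principal in requester:
        return True
    if principal in seen:          # cut delegation cycles
        return False
    seen = seen | {principal}
    return any(eval_licensees(a["licensees"],
                              lambda p: authorized(assertions, requester, p, seen))
               for a in assertions if a["authorizer"] == principal)

# The post's working policy, transcribed with conditions dropped, plus its "deny" assertion.
WORKS = [{"authorizer": "POLICY", "licensees": '"ca" && "grant"'},
         {"authorizer": "ca", "licensees": '"DN:/C=NL/ST=Noord Holland/L=Amsterdam/"'},
         {"authorizer": "grant", "licensees": '"DN:/OU=Roaming users 002/"'}]
DENY = {"authorizer": "deny", "licensees": '"DN:/OU=Roaming user 002/"'}
```

Call `authorized(WORKS, {ca_dn, user_dn})` with the DN strings a peer presents; the result can only grow when assertions are added, which is the property that rules out a subtractive "deny" licensee.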