Configuring IPSec with x509 certificates on OpenBSD
This document explains how to configure OpenBSD's IPSec to authenticate peers via a Certificate Authority and x509 certificates. It was demonstrated with OpenBSD 4.1 and depends upon ipsecctl, which first appeared in OpenBSD 3.8.
First you will need to place your CA certificate in /etc/isakmpd/ca.
# ls -al /etc/isakmpd/ca
total 16
drwxr-xr-x  2 root  wheel   512 Jun  1 13:25 .
drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
-r--r--r--  1 root  wheel  3460 Jun  1 12:27 cacert.pem
Next you will need to place your host's certificate in /etc/isakmpd/certs.
# ls -al /etc/isakmpd/certs
total 16
drwxr-xr-x  2 root  wheel   512 Jun  1 13:59 .
drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
-r--r--r--  1 root  wheel  3008 Jun  1 13:59 192.168.25.25.pem
This certificate should be issued with a subjectAltName extension field, as described in the isakmpd man page; isakmpd uses it to match the peer's identity against the certificate.
# setenv CERTIP 192.168.25.25
# openssl x509 -req -days 365 -in 192.168.25.25.csr \
-CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
-CAcreateserial -extfile /etc/ssl/x509v3.cnf \
-extensions x509v3_IPAddr -out 192.168.25.25.pem
When you view the resulting certificate, you should see something similar to this in the X509v3 extensions.
[...]
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.25.25
[...]
Here is an example ipsec.conf used with the above configuration to connect to a peer running ipsec-tools/racoon. The backslash is a line continuation; the whole rule is a single ike statement.
ike esp from 192.168.25.25 to 192.168.25.211 \
    main auth hmac-sha1 enc 3des \
    quick auth hmac-sha1 enc 3des
You should ensure that isakmpd is running with the -K argument.
You can add the following to /etc/rc.conf.local:
isakmpd_flags="-K"
ipsec=YES
In older versions of OpenBSD the following needs to be added to /etc/rc.local instead, as the rc.conf variable ipsec does not exist there:
ipsecctl -f /etc/ipsec.conf
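Before enabling isakmpd it is worth confirming that the host certificate in /etc/isakmpd/certs actually carries the IP address it is named after in its subjectAltName and chains to the CA in /etc/isakmpd/ca, since a mismatch shows up only as a phase 1 authentication failure. The following is an added example, not part of the original post; it assumes the directory layout and file names used above and parses the same `openssl x509 -text` output shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post). Sanity-check an isakmpd host
# certificate: its subjectAltName must contain the IP in its file name, and it
# must verify against /etc/isakmpd/ca/cacert.pem (paths assumed from the post).

# Read `openssl x509 -text` output on stdin and print each IP Address entry
# of the X509v3 Subject Alternative Name, one per line.
san_ips_from_text() {
    awk '
        /X509v3 Subject Alternative Name:/ { want = 1; next }
        want {
            n = split($0, parts, /, */)
            for (i = 1; i <= n; i++)
                if (sub(/^[ \t]*IP Address:/, "", parts[i])) print parts[i]
            want = 0
        }
    '
}

# Return 0 if the certificate's SAN lists the IP address in its file name
# (e.g. /etc/isakmpd/certs/192.168.25.25.pem must contain IP Address:192.168.25.25).
check_cert_matches_name() {
    cert="$1"
    ip=$(basename "$cert" .pem)
    openssl x509 -in "$cert" -noout -text | san_ips_from_text | grep -qx "$ip"
}

# Return 0 if the certificate chains to the CA certificate isakmpd will use.
check_cert_signed_by_ca() {
    openssl verify -CAfile /etc/isakmpd/ca/cacert.pem "$1" >/dev/null 2>&1
}

# Constructed sample of the extension block shown in the post, for testing
# the parser without a real certificate.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.168.25.25
            X509v3 Basic Constraints:
                CA:FALSE'

# Usage: sh check-isakmpd-cert.sh /etc/isakmpd/certs/*.pem
if [ $# -gt 0 ]; then
    for c in "$@"; do
        if check_cert_matches_name "$c" && check_cert_signed_by_ca "$c"; then
            echo "OK   $c"
        else
            echo "FAIL $c"
        fi
    done
fi
```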
Posted: January 17th, 2007 under Networking, OpenBSD, Papers, Security.
Comments
Pingback from BSD Support » Setting up IPSec over GRE on OpenBSD
Time: May 17, 2007, 7:20 pm
[…] To make it more permanent, add net.inet.esp.enable=1 to /etc/sysctl.conf. Now, in this document we will be using public key authentication, to implement x509 certificate authentication please refer to this document. For public key encryption, you will make use of the file /etc/isakmpd/local.pub. If for some reason this file does not exist, check to see if /etc/isakmpd/private/local.key exists, if neither exists you can create them with the following commands. […]
Pingback from Setting up IPSec over GRE on OpenBSD « TriBudi@Words
Time: September 29, 2007, 6:54 pm
[…] Now, in this document we will be using public key authentication, to implement x509 certificate authentication please refer to this document. […]