add support to tag ipsec traffic belonging to specific IKE-initiated

phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@

1 files changed, 5 insertions, 3 deletions

diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index 7d017da260e..9395cdde77b 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.108 2006/11/09 09:43:35 markus Exp $	 */
+/* $OpenBSD: ike_auth.c,v 1.109 2006/11/24 13:52:14 reyk Exp $	 */
 /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $	 */
 
 /*
@@ -910,12 +910,14 @@ rsa_sig_encode_hash(struct message *msg)
 			if (handler->cert_obtain(id, id_len, 0, &data,
 			    &datalen) == 0) {
 				LOG_DBG((LOG_MISC, 10, "rsa_sig_encode_hash: "
-				    "no certificate to send"));
+				    "no certificate to send for id %s",
+				    ipsec_id_string(id, id_len)));
 				goto skipcert;
 			}
 		} else {
 			LOG_DBG((LOG_MISC, 10,
-			    "rsa_sig_encode_hash: no certificate to send"));
+			    "rsa_sig_encode_hash: no certificate to send"
+			    " for id %s", ipsec_id_string(id, id_len)));
 			goto skipcert;
 		}
 	}