Securing IPsec with keynote(5) and pf(4)

We can use isakmpd.policy(5) to limit what SAs a user can negotiate.

Keynote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=CA/ST=AB/L=Calgary/O=OpenBSD/CN=Example CA"
Conditions: app_domain == "IPsec policy" &&
    esp_present == "yes" &&
    esp_enc_alg != "null" &&
    (
        (
            remote_id_type == "UFQDN" &&
            remote_id == "msf@openbsd.org"
        ) && (
            local_filter == "010.000.001.000-010.000.001.255" ||
            local_filter == "010.000.002.000-010.000.002.255"
        )
    ) -> "true";