[strongSwan] Dynamic IP to VPS site-to-site

Eric Zhang debiansid at gmail.com
Fri Dec 26 01:45:08 CET 2014


You mean I have to use the VPS side's root CA to issue and sign the server cert and user cert for the OpenWrt side?

Sent from Mobile


> On 26 December 2014, at 03:36, Noel Kuntze <noel at familie-kuntze.de> wrote:
> 
> 
> Hello Eric,
> 
> You can use email addresses in the DN and the SAN fields of the certificate of the router to authenticate it against the server.
> Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=bar@baz.de" --san "bar@baz.de"
> 
> Then set the email address in the rightid on the server.
> 
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
>> On 25.12.2014 at 07:06, Eric Zhang wrote:
>> Yes, my local side is ADSL, which has a dynamic IP. Can I set up certs to authenticate?
>> 
>> Sent from Mobile
>> 
>> 
>>> On 24 December 2014, at 22:45, Zesen Qian <strongswan-users at riaqn.com> wrote:
>>> 
>>> Noel Kuntze <noel at familie-kuntze.de> writes:
>>> 
>>>> Hello Eric,
>>>> 
>>>> See [1] for authentication using X509 certificates and site-to-site tunnels.
>>>> 
>>>> [1] http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
>>>> 
>>>> Mit freundlichen Grüßen/Regards,
>>>> Noel Kuntze
>>>> 
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>> 
>>>>> On 24.12.2014 at 00:42, Eric Zhang wrote:
>>>>> How can I use RSA authentication with X.509 certificates to set up an IP tunnel between my PPPoE and VPS (which has a fixed IP)?
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> Eric
>>>> 
>>>> 
>>> Hello Noel,
>>>     I guess the question Eric wants to ask is mainly about site-to-site
>>>     with a "dynamic IP" on one side, while the other side has a fixed IP.
>>>     I'm also eager to know since it's my situation too. :) My IPv6
>>>     address is dynamic.
>>>     If I omit the left= parameter, which defaults to %any, it
>>>     sometimes (and randomly) would use ::1 on local, which surely
>>>     won't succeed. Other times it would use the global address, which
>>>     works just fine.
>>> 
>>> --
>>> Zesen Qian (钱泽森)
>>> Undergraduate
>>> School of Software
>>> Shanghai Jiao Tong University
> 
> 
> 
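
The setup suggested in the quoted replies, written out as ipsec.conf connection definitions for both ends. This is an added example, not part of the original thread or of the strongSwan test suite; the address 203.0.113.10, the name vps.example.org, the subnets and the certificate file names are assumptions, and only the bar@baz.de identity comes from the thread.

```conf
# Constructed example. Host name, address, subnets and file names are
# assumptions. Each side needs, in /etc/ipsec.d/cacerts/, a CA certificate
# that validates the certificate presented by the other side.

# ---- /etc/ipsec.conf on the VPS (fixed address, responder) ----
conn router
    keyexchange=ikev2
    left=203.0.113.10          # fixed public address of the VPS (placeholder)
    leftcert=vpsCert.pem       # stored in /etc/ipsec.d/certs/
    leftid=@vps.example.org    # must be present as a SAN in vpsCert.pem
    leftsubnet=10.1.0.0/16
    right=%any                 # peer address is dynamic: accept any source IP
    rightid=bar@baz.de         # peer is bound to its certificate identity instead
    rightsubnet=10.2.0.0/16
    dpdaction=clear            # drop stale state when the router's address changes
    auto=add                   # load the connection and wait for the router

# ---- /etc/ipsec.secrets on the VPS ----
# : RSA vpsKey.pem

# ---- /etc/ipsec.conf on the router (dynamic address, initiator) ----
conn vps
    keyexchange=ikev2
    # left= is omitted and defaults to %any
    leftcert=routerCert.pem    # issued with --san "bar@baz.de"
    leftid=bar@baz.de          # must match rightid on the VPS
    leftsubnet=10.2.0.0/16
    right=203.0.113.10
    rightid=@vps.example.org   # reject a responder whose cert lacks this SAN
    rightsubnet=10.1.0.0/16
    dpdaction=restart          # renegotiate after the ADSL address changes
    keyingtries=%forever
    auto=start                 # the dynamic side always initiates

# ---- /etc/ipsec.secrets on the router ----
# : RSA routerKey.pem
```

Because right=%any removes the source address as a check on the VPS, the rightid match against the certificate's SAN is the only thing that distinguishes the router from any other holder of a certificate from the same CA.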

