<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
On 03/19/2018 10:45 AM, Tobias Brunner wrote:<br>
<blockquote type="cite"
cite="mid:c5177420-b91d-cec5-00cd-22e95955cf8a@strongswan.org">
<pre wrap="">Hi,
</pre>
<blockquote type="cite">
<pre wrap="">I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, because the LAN gateway is known outside as quantum-equities.com and the IPSec gateway is known in the LAN as cygnus.darkmatter.org.
</pre>
</blockquote>
<pre wrap="">
That syntax is not valid. Just use --san multiple times for each SAN
(as the man page for pki --issue indicates).</pre>
</blockquote>
Thanks, I'll redo the certs again.<br>
<br>
<blockquote type="cite"
cite="mid:c5177420-b91d-cec5-00cd-22e95955cf8a@strongswan.org">
<blockquote type="cite">
<pre wrap="">I also tried to set --dn "C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't having it so I had to settle for just quantum-equities.com.
</pre>
</blockquote>
<pre wrap="">
That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
proper RDN) and strongSwan's DN string parser does not support
multi-value RDNs.</pre>
</blockquote>
It sounds like I can't use multiple --dn's. When my gateway must
validate with machines inside the LAN (as cygnus.darkmatter.org) and
outside (as quantum-equities.com), how can it prove that it's the
right machine if not DNS resolvable by checking CN=? <br>
<br>
And how does the phone prove it is who it is in the Android app when
its IP changes and is not resolvable? The responder has to take its
word for it since it has the private key? If so, why is --san and
--dn required?<br>
<br>
<blockquote type="cite"
cite="mid:c5177420-b91d-cec5-00cd-22e95955cf8a@strongswan.org">
<blockquote type="cite">
<pre wrap=""># swanctl -L
# swanctl -l
(no response, for some reason)
</pre>
</blockquote>
<pre wrap="">
Yes, and that reason is: No config has been loaded. Did you run
swanctl --load-conns (-c) or --load-all (-q)?</pre>
</blockquote>
I haven't mentioned this, but I'm running CentOS7 which handles this
in systemd:<br>
<pre wrap="">ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt</pre>
<br>
... and yet I still have nothing with <br>
<pre wrap=""># swanctl -L
# swanctl -l
Maybe this is the core of my problem with this horrid "<i>NO_PROPOSAL_CHOSEN</i>" in swanctl. That for some reason configs are not getting loaded?
No idea how to chase this down.
</pre>
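As an added illustration (not code from this thread or from strongSwan itself), a small DN-string parser that applies the rule given in the reply above: commas separate RDNs, each RDN must be a single attr=value pair, and multi-value RDNs are not supported, so the multi-name --dn is rejected while one --san per name is the way to carry the second hostname. The set of known attribute types is an assumption for this example.

```python
class DNError(ValueError):
    """Raised when a DN string breaks the one-RDN-per-comma rule."""

# Attribute types accepted by this illustrative parser (assumption: only a
# subset of what a real DN parser knows; used for this example alone).
KNOWN_ATTRS = {"C", "ST", "L", "O", "OU", "CN", "E", "DC", "SN", "UID"}

def parse_dn(dn):
    """Split a DN string into (attr, value) RDNs.

    Commas separate RDNs; each RDN must be a single attr=value pair, so a
    bare hostname such as 'cygnus.darkmatter.org' is rejected, as is a
    multi-value RDN written with '+'.
    """
    rdns = []
    for raw in dn.split(","):
        rdn = raw.strip()
        if "+" in rdn:
            raise DNError("multi-value RDN not supported: %r" % rdn)
        if "=" not in rdn:
            raise DNError("not an attr=value pair: %r" % rdn)
        attr, value = (p.strip() for p in rdn.split("=", 1))
        if attr.upper() not in KNOWN_ATTRS or not value:
            raise DNError("bad RDN: %r" % rdn)
        rdns.append((attr.upper(), value))
    return rdns

def dn_is_valid(dn):
    """True if the DN string parses under the rules above."""
    try:
        parse_dn(dn)
        return True
    except DNError:
        return False

def issue_args(dn, sans):
    """Build the argument list for a certificate request with one subject
    DN and any number of SANs: one --dn, and a separate --san per name."""
    parse_dn(dn)                      # fail early on a malformed DN
    args = ["--dn", dn]
    for san in sans:
        if "," in san:
            raise ValueError("one name per --san, got: %r" % san)
        args += ["--san", san]
    return args

if __name__ == "__main__":
    bad = "C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org"
    print(dn_is_valid(bad))           # False: last RDN has no '='
    print(issue_args("C=US, O=Quantum, CN=quantum-equities.com",
                     ["quantum-equities.com", "cygnus.darkmatter.org"]))
```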
</body>
</html>