[strongSwan-dev] multiple OU's
Banio
aau at mncarpenters.net
Wed Mar 19 17:35:52 CET 2014
I have a gateway setup with a ipsec.conf like this:
conn Servers_vpngateway2
left=%defaultroute
leftcert=vpngateway2.domain.com_cert.pem
leftid=@vpngateway2.domain.com
leftfirewall=yes
leftsubnet=172.16.48.0/22
right=%any
rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2,
CN=*"
rightsourceip=172.16.52.0/24
auto=route
On this gateway I want to only allow those with a valid cert with
OU=Servers_vpngateway2. I have some servers that will also need to
connect to OU=Servers_vpngateway1, and in the future
OU=Servers_vpngateway3, etc and thus have multiple OU's.
Now if I connect with a client with a cert like this it works:
C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2,
CN=test.domain.com
If I connect with a client like this it doesn't work:
C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1,
OU=Servers_vpngateway2, CN=test.domain.com
However if I change the ipsec.conf conn definition to the following it
does work:
conn Servers_vpngateway2
left=%defaultroute
leftcert=vpngateway2.domain.com_cert.pem
leftid=@vpngateway2.domain.com
leftfirewall=yes
leftsubnet=172.16.48.0/22
right=%any
rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1,
OU=Servers_vpngateway2, CN=*"
rightsourceip=172.16.52.0/24
auto=route
If I connect with a client like this it doesn't work:
C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2,
OU=Servers_vpngateway1, CN=test.domain.com
Likewise if I change the ipsec.conf conn definition to the following it
does work:
conn Servers_vpngateway2
left=%defaultroute
leftcert=vpngateway2.domain.com_cert.pem
leftid=@vpngateway2.domain.com
leftfirewall=yes
leftsubnet=172.16.48.0/22
right=%any
rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2,
OU=Servers_vpngateway1, CN=*"
rightsourceip=172.16.52.0/24
auto=route
Is there a way to allow servers with valid certs and
OU=Servers_vpngateway2 and ignore all other (there may be one, two,
three, four, etc) OU's that is not writing conn definitions for all the
different combinations?
More information about the Dev
mailing list