[strongSwan-dev] multiple OU's

Banio aau at mncarpenters.net
Wed Mar 19 17:35:52 CET 2014


I have a gateway setup with an ipsec.conf like this:

conn Servers_vpngateway2
     left=%defaultroute
     leftcert=vpngateway2.domain.com_cert.pem
     leftid=@vpngateway2.domain.com
     leftfirewall=yes
     leftsubnet=172.16.48.0/22
     right=%any
     rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=*"
     rightsourceip=172.16.52.0/24
     auto=route

On this gateway I want to only allow those with a valid cert with 
OU=Servers_vpngateway2.  I have some servers that will also need to 
connect to OU=Servers_vpngateway1, and in the future 
OU=Servers_vpngateway3, etc., and thus have multiple OUs.

Now if I connect with a client with a cert like this it works:
C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=test.domain.com

If I connect with a client like this it doesn't work:
C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, OU=Servers_vpngateway2, CN=test.domain.com

However if I change the ipsec.conf conn definition to the following it 
does work:

conn Servers_vpngateway2
     left=%defaultroute
     leftcert=vpngateway2.domain.com_cert.pem
     leftid=@vpngateway2.domain.com
     leftfirewall=yes
     leftsubnet=172.16.48.0/22
     right=%any
     rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, OU=Servers_vpngateway2, CN=*"
     rightsourceip=172.16.52.0/24
     auto=route

If I connect with a client like this it doesn't work:
C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, OU=Servers_vpngateway1, CN=test.domain.com


Likewise if I change the ipsec.conf conn definition to the following it 
does work:

conn Servers_vpngateway2
     left=%defaultroute
     leftcert=vpngateway2.domain.com_cert.pem
     leftid=@vpngateway2.domain.com
     leftfirewall=yes
     leftsubnet=172.16.48.0/22
     right=%any
     rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, OU=Servers_vpngateway1, CN=*"
     rightsourceip=172.16.52.0/24
     auto=route

Is there a way to allow servers with valid certs and 
OU=Servers_vpngateway2 and ignore all other OUs (there may be one, two, 
three, four, etc.) that does not involve writing conn definitions for all the 
different combinations?
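The four results reported above are consistent with the peer identity being compared against rightid one RDN at a time, in order, with "*" standing in for a single value. The following is an added illustration, not strongSwan code and not a strongSwan configuration option: a toy DN parser, a positional matcher that reproduces the observed pass/fail pattern, and an alternative "required OU" check that would express what the post is asking for (any number of other OUs, in any order). The DN strings are the ones from the post; `match_required_ou` and its semantics are an assumption made up for this example.

```python
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=US, ST=IL, ...' into an ordered list of (type, value) pairs.
    Toy parser: it assumes values contain no escaped or quoted commas."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def match_ordered(pattern: str, subject: str) -> bool:
    """Positional RDN-by-RDN comparison; '*' in the pattern matches one value.
    This models the behaviour the post observes: an extra or reordered OU
    shifts the sequence, so the lengths or positions no longer line up."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if len(p) != len(s):
        return False
    return all(pt == st and (pv == "*" or pv == sv)
               for (pt, pv), (st, sv) in zip(p, s))


def match_required_ou(pattern: str, subject: str, required_ou: str) -> bool:
    """Illustrative alternative (assumed semantics, not a strongSwan feature):
    every non-OU RDN in the pattern must be present in the subject with the
    same value ('*' matches anything), `required_ou` must be among the
    subject's OUs, and any other OUs are ignored regardless of order."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if required_ou not in [v for t, v in s if t == "OU"]:
        return False
    for t, v in p:
        if t == "OU":
            continue
        if not any(st == t and (v == "*" or sv == v) for st, sv in s):
            return False
    return True


# rightid values and client DNs taken from the post
GATEWAY2 = "C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=*"
GATEWAY1_2 = ("C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, "
              "OU=Servers_vpngateway2, CN=*")
CERT_A = "C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=test.domain.com"
CERT_B = ("C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, "
          "OU=Servers_vpngateway2, CN=test.domain.com")
CERT_C = ("C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, "
          "OU=Servers_vpngateway1, CN=test.domain.com")
# constructed counter-examples: wrong OU only, and wrong organisation
CERT_OTHER_OU = "C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, CN=test.domain.com"
CERT_OTHER_ORG = "C=US, ST=IL, L=Chicago, O=Other, OU=Servers_vpngateway2, CN=test.domain.com"


def observed_results() -> List[bool]:
    """The four cases from the post, in the order they are described."""
    return [
        match_ordered(GATEWAY2, CERT_A),      # works
        match_ordered(GATEWAY2, CERT_B),      # doesn't work
        match_ordered(GATEWAY1_2, CERT_B),    # works
        match_ordered(GATEWAY1_2, CERT_C),    # doesn't work
    ]


if __name__ == "__main__":
    print("positional matching:", observed_results())
    for cert in (CERT_A, CERT_B, CERT_C, CERT_OTHER_OU, CERT_OTHER_ORG):
        print(match_required_ou(GATEWAY2, cert, "Servers_vpngateway2"), cert)
```

Running the block prints `[True, False, True, False]` for the positional matcher, which is exactly the pattern reported in the post, while the required-OU check accepts the first three client DNs and rejects the two constructed counter-examples.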
