[strongSwan] the relationship about certificate and id

Brian Zhao - 赵宪鹏 Brian.Zhao at zyxel.cn
Wed Oct 13 10:48:44 CEST 2010


Hi list,

I am very confused about the relationship between id and certificate.

I have read the README, but it is hard to understand.

“The ID by which a peer is identifying itself during IKE main mode can by any of
the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one of the first
three ID types is used, then the accompanying X.509 certificate of the peer
must contain a matching subjectAltName field of the type ipAddress (IP:),
dnsName (DNS:) or rfc822Name (email:), respectively. With the fourth type
DER_ASN1_DN the identifier must completely match the subject field of the
peer's certificate.”

moonCert.pem has subjectAltName moon.com, and sun.crt has subjectAltName sun.com.

When my configuration file is like this:

config setup
     plutodebug=control
     nat_traversal=yes

#start conn test
conn test
     left=172.25.24.55
     leftsubnet=192.168.3.0/24
     leftfirewall=yes
     right=172.25.24.86
     rightsubnet=192.168.1.0/24
     ikelifetime=86400s
     keylife=3600s
     ike=3des-md5-modp1024!
     esp=3des-md5!
     dpdaction=hold
     dpddelay=60
     dpdtimeout=300
     pfs=no
     leftcert=moonCert.pem
     rightcert=/etc/ipsec.d/cacerts/sun.crt
     authby=rsasig
     leftid=@moon.com  #here id is certificate's subjectAltName
     rightid=@sun.com   #here id is certificate's subjectAltName
     keyexchange=ikev1
     leftsourceip=192.168.3.1
     auto=start
#end conn test

ipsec status will show:

    "test": 192.168.3.0/24===172.25.24.55[@moon.com]...172.25.24.86[@sun.com]===192.168.1.0/24; erouted; eroute owner: #7

But when I change ipsec.conf to this:

config setup
     plutodebug=control
     nat_traversal=yes

#start conn test
conn test
     left=172.25.24.55
     leftsubnet=192.168.3.0/24
     leftfirewall=yes
     right=172.25.24.86
     rightsubnet=192.168.1.0/24
     ikelifetime=86400s
     keylife=3600s
     ike=3des-md5-modp1024!
     esp=3des-md5!
     dpdaction=hold
     dpddelay=60
     dpdtimeout=300
     pfs=no
     leftcert=moonCert.pem
     rightcert=/etc/ipsec.d/cacerts/sun.crt
     authby=rsasig
     leftid=@moon   #here I changed to an id which is not in certificate's subjectAltName
     rightid=@sun    #here I changed to an id which is not in certificate's subjectAltName
     keyexchange=ikev1
     leftsourceip=192.168.3.1
     auto=start
#end conn test

ipsec status shows:

    000 "test": 192.168.3.0/24===172.25.24.55[C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon]...172.25.24.86[C=CN, ST=JS, O=Genezys, OU=SUN unit, CN=sun]===192.168.1.0/24; unrouted; eroute owner: #0

It looks like if I set left|rightid to a value other than the certificate's subjectAltName, strongSwan will automatically set left|rightid to the distinguished name of the left|rightcert certificate's subject.

Why do that? I think it is more reasonable to keep the id entered by the user!!

My version is strongswan-4.2.8.

Thanks!

Brian
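The README rule quoted in the post, written out as an added example (my code, not part of the post or of strongSwan): the two certificates are constructed stand-ins for moonCert.pem and sun.crt, the mapping from an ipsec.conf id string to an ID type is my assumption, and the fallback to the subject DN reproduces only the behaviour the post observed, not strongSwan's actual code.

```python
import ipaddress

# Constructed stand-ins for parsed X.509 certificates (no real parsing here):
# subject DN plus subjectAltName entries, as described in the post.
MOON_CERT = {
    "subject": "C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon",
    "san": [("DNS", "moon.com")],
}
SUN_CERT = {
    "subject": "C=CN, ST=JS, O=Genezys, OU=SUN unit, CN=sun",
    "san": [("DNS", "sun.com")],
}

# Assumed mapping of an ipsec.conf leftid/rightid string to an IKEv1 ID type.
def classify_id(peer_id):
    if peer_id.startswith("@"):          # '@name' form: FQDN, not resolved
        return "FQDN", peer_id[1:]
    if "@" in peer_id:                    # user@host form: USER_FQDN
        return "USER_FQDN", peer_id
    try:
        ipaddress.ip_address(peer_id)     # plain address: IPV4_ADDR
        return "IPV4_ADDR", peer_id
    except ValueError:
        pass
    if "=" in peer_id:                    # RDN sequence: DER_ASN1_DN
        return "DER_ASN1_DN", peer_id
    return "FQDN", peer_id

# README rule: each non-DN ID type must match a subjectAltName of a given kind.
SAN_TYPE_FOR_ID = {"IPV4_ADDR": "IP", "FQDN": "DNS", "USER_FQDN": "email"}

def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def id_matches_cert(peer_id, cert):
    """True if peer_id satisfies the README matching rule against cert."""
    id_type, value = classify_id(peer_id)
    if id_type == "DER_ASN1_DN":
        return normalize_dn(value) == normalize_dn(cert["subject"])
    wanted = SAN_TYPE_FOR_ID[id_type]
    return any(t == wanted and v.lower() == value.lower() for t, v in cert["san"])

def effective_id(peer_id, cert):
    """Configured id if it matches the cert, else the subject DN (fallback seen in the post)."""
    return peer_id if id_matches_cert(peer_id, cert) else cert["subject"]
```

Running effective_id("@moon", MOON_CERT) yields the subject DN, which is exactly what the second ipsec status output shows.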
