[strongSwan] the relationship about certificate and id
Andreas Steffen
andreas.steffen at strongswan.org
Wed Oct 13 14:50:50 CEST 2010
Hi Brian,
strongSwan's policy is to fall back to the subjectDistinguishedName
of the certificate if leftid is not contained as a subjectAltName
in the certificate. And we don't have any intention to change this.
Kind regards
Andreas
On 10/13/2010 10:48 AM, Brian Zhao - 赵宪鹏 wrote:
> Hi list,
>
> I am very confused about the relationship of id and certificate.
>
> I have read the README, but it is hard to understand.
>
> "The ID by which a peer is identifying itself during IKE main mode can
> be any of the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one
> of the first three ID types is used, then the accompanying X.509
> certificate of the peer must contain a matching subjectAltName field of
> the type ipAddress (IP:), dnsName (DNS:) or rfc822Name (email:),
> respectively. With the fourth type DER_ASN1_DN the identifier must
> completely match the subject field of the peer's certificate."
>
> moonCert.pem has subjectAltName moon.com, and sun.crt has subjectAltName
> sun.com.
>
> When my configuration file is like this:
>
> config setup
>         plutodebug=control
>         nat_traversal=yes
>
> #start conn test
> conn test
>         left=172.25.24.55
>         leftsubnet=192.168.3.0/24
>         leftfirewall=yes
>         right=172.25.24.86
>         rightsubnet=192.168.1.0/24
>         ikelifetime=86400s
>         keylife=3600s
>         ike=3des-md5-modp1024!
>         esp=3des-md5!
>         dpdaction=hold
>         dpddelay=60
>         dpdtimeout=300
>         pfs=no
>         leftcert=moonCert.pem
>         rightcert=/etc/ipsec.d/cacerts/sun.crt
>         authby=rsasig
>         leftid=@moon.com    #here id is certificate's subjectAltName
>         rightid=@sun.com    #here id is certificate's subjectAltName
>         keyexchange=ikev1
>         leftsourceip=192.168.3.1
>         auto=start
> #end conn test
>
> ipsec status will show:
>
> "test": 192.168.3.0/24===172.25.24.55[@moon.com]...172.25.24.86[@sun.com]===192.168.1.0/24; erouted; eroute owner: #7
>
> But when I change ipsec.conf to this:
>
> config setup
>         plutodebug=control
>         nat_traversal=yes
>
> #start conn test
> conn test
>         left=172.25.24.55
>         leftsubnet=192.168.3.0/24
>         leftfirewall=yes
>         right=172.25.24.86
>         rightsubnet=192.168.1.0/24
>         ikelifetime=86400s
>         keylife=3600s
>         ike=3des-md5-modp1024!
>         esp=3des-md5!
>         dpdaction=hold
>         dpddelay=60
>         dpdtimeout=300
>         pfs=no
>         leftcert=moonCert.pem
>         rightcert=/etc/ipsec.d/cacerts/sun.crt
>         authby=rsasig
>         leftid=@moon    #here I changed to an id which is not in certificate's subjectAltName
>         rightid=@sun    #here I changed to an id which is not in certificate's subjectAltName
>         keyexchange=ikev1
>         leftsourceip=192.168.3.1
>         auto=start
> #end conn test
>
> ipsec status shows:
>
> 000 "test": 192.168.3.0/24===172.25.24.55[C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon]...172.25.24.86[C=CN, ST=JS, O=Genezys, OU=SUN unit, CN=sun]===192.168.1.0/24; unrouted; eroute owner: #0
>
> It looks like if I set left|rightid to another value instead of the
> certificate's subjectAltName, strongSwan will automatically set
> left|rightid to the distinguished name of the left|rightcert's subject.
>
> Why do that? I think it is more reasonable to keep the id input by the
> user!!
>
> My version is strongswan-4.2.8.
>
> Thanks!
>
> Brian
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
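As an added example (not strongSwan code, and not from either poster): a small Python model of the identity rule Andreas states, run against certificate contents constructed from the subject DNs and subjectAltNames visible in Brian's ipsec status output. The Cert class and the classify_id/effective_id functions are this example's own names, and the ID syntax handling covers only the four ID types the README quote lists.

```python
# Added example: models how a left|rightid is checked against the peer's
# certificate and falls back to the subject DN. Certificate contents below
# are constructed from the DNs/SANs shown in the thread, not parsed from PEM.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str                              # subject DN as ipsec status prints it
    san: list = field(default_factory=list)   # (type, value) pairs: DNS, email, IP

# Constructed from Brian's output; moonCert.pem / sun.crt themselves are not on the page.
MOON_CERT = Cert("C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon", [("DNS", "moon.com")])
SUN_CERT = Cert("C=CN, ST=JS, O=Genezys, OU=SUN unit, CN=sun", [("DNS", "sun.com")])

def classify_id(ident: str):
    """Map an ipsec.conf left|rightid value to an IKE ID type and its bare value."""
    if ident.startswith("@"):
        return "FQDN", ident[1:]          # "@moon.com": literal FQDN, never resolved
    if "@" in ident:
        return "USER_FQDN", ident         # user@host -> matched against rfc822Name
    try:
        ipaddress.IPv4Address(ident)
        return "IPV4_ADDR", ident         # matched against an ipAddress SAN
    except ipaddress.AddressValueError:
        pass
    if "=" in ident:
        return "DER_ASN1_DN", ident       # "C=CN, ST=JS, ..., CN=moon"
    raise ValueError(f"unsupported id syntax: {ident!r}")

def _norm_dn(dn: str):
    # Compare RDN by RDN, ignoring surrounding whitespace and attribute-type case.
    return [(t.strip().upper(), v.strip()) for t, v in
            (rdn.split("=", 1) for rdn in dn.split(","))]

SAN_FOR = {"IPV4_ADDR": "IP", "FQDN": "DNS", "USER_FQDN": "email"}

def effective_id(ident: str, cert: Cert) -> str:
    """Identity the peer ends up with: the configured id if the certificate
    backs it (matching SAN, or a DN identical to the subject), otherwise the
    certificate's subject DN, which is what Brian's second status line shows."""
    kind, value = classify_id(ident)
    if kind == "DER_ASN1_DN":
        return ident if _norm_dn(value) == _norm_dn(cert.subject) else cert.subject
    wanted = (SAN_FOR[kind], value.lower())
    if any((t, v.lower()) == wanted for t, v in cert.san):
        return ident
    return cert.subject
```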