[strongSwan] the relationship about certificate and id

Andreas Steffen andreas.steffen at strongswan.org
Thu Oct 14 09:51:57 CEST 2010


Hello Brian,

usually you know in advance which subjectAltNames are contained
in your certificate. Since you transmit your ID to the peer together
with your certificate, the peer will check if the ID is contained
in the certificate. All other IDs will be rejected. Therefore it makes
sense to use the subject DN as a fallback, since it will always be
accepted if your certificate is valid.

Regards

Andreas

On 14.10.2010 03:55, Brian Zhao - 赵宪鹏 wrote:
> Hi Andreas,
> 
> Thanks for your reply!!! Could you tell me why it does that fallback? As
> you said, left|rightid would then make no sense? Because if I entered a
> wrong ID, it would fall back to the subjectDistinguishedName of the
> certificate, so the tunnel can still be established!
> 
> To make better use of the ID, we must know the subjectAltName in the
> certificate first?
> 
> Thanks!!
> 
> Best regards, Brian zhao#15138 msn:brian_zhao1987 at hotmail.com
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: 13 Oct 2010 20:51
> To: Brian Zhao - 赵宪鹏
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] the relationship about certificate and id
> 
> Hi Brian,
> 
> strongSwan's policy is to fall back to the subjectDistinguishedName 
> of the certificate if leftid is not contained as a subjectAltName in
> the certificate. And we don't have any intention to change this.
> 
> Kind regards
> 
> Andreas
> 
> 
> On 10/13/2010 10:48 AM, Brian Zhao - 赵宪鹏 wrote:
>> Hi list,
>> 
>> I am very confused about the relationship between the id and the certificate.
>> 
>> I have read the README, but it is hard to understand.
>> 
>> "The ID by which a peer is identifying itself during IKE main mode can be
>> any of the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one of
>> the first three ID types is used, then the accompanying X.509 certificate
>> of the peer must contain a matching subjectAltName field of the type
>> ipAddress (IP:), dnsName (DNS:) or rfc822Name (email:), respectively.
>> With the fourth type DER_ASN1_DN the identifier must completely match the
>> subject field of the peer's certificate."
>> 
>> moonCert.pem has the subjectAltName moon.com, and sun.crt has the
>> subjectAltName sun.com.
>> 
>> When my configuration file looks like this:
>> 
>> config setup
>>         plutodebug=control
>>         nat_traversal=yes
>> 
>> #start conn test
>> conn test
>>         left=172.25.24.55
>>         leftsubnet=192.168.3.0/24
>>         leftfirewall=yes
>>         right=172.25.24.86
>>         rightsubnet=192.168.1.0/24
>>         ikelifetime=86400s
>>         keylife=3600s
>>         ike=3des-md5-modp1024!
>>         esp=3des-md5!
>>         dpdaction=hold
>>         dpddelay=60
>>         dpdtimeout=300
>>         pfs=no
>>         leftcert=moonCert.pem
>>         rightcert=/etc/ipsec.d/cacerts/sun.crt
>>         authby=rsasig
>>         leftid=@moon.com    # here the id is the certificate's subjectAltName
>>         rightid=@sun.com    # here the id is the certificate's subjectAltName
>>         keyexchange=ikev1
>>         leftsourceip=192.168.3.1
>>         auto=start
>> #end conn test
>> 
>> ipsec status will show:
>> 
>> "test": 192.168.3.0/24===172.25.24.55[@moon.com]...172.25.24.86[@sun.com]===192.168.1.0/24; erouted; eroute owner: #7
>> 
>> 
>> 
>> But when I change ipsec.conf to this:
>> 
>> config setup
>>         plutodebug=control
>>         nat_traversal=yes
>> 
>> #start conn test
>> conn test
>>         left=172.25.24.55
>>         leftsubnet=192.168.3.0/24
>>         leftfirewall=yes
>>         right=172.25.24.86
>>         rightsubnet=192.168.1.0/24
>>         ikelifetime=86400s
>>         keylife=3600s
>>         ike=3des-md5-modp1024!
>>         esp=3des-md5!
>>         dpdaction=hold
>>         dpddelay=60
>>         dpdtimeout=300
>>         pfs=no
>>         leftcert=moonCert.pem
>>         rightcert=/etc/ipsec.d/cacerts/sun.crt
>>         authby=rsasig
>>         leftid=@moon     # here I changed it to an id which is not in the certificate's subjectAltName
>>         rightid=@sun     # here I changed it to an id which is not in the certificate's subjectAltName
>>         keyexchange=ikev1
>>         leftsourceip=192.168.3.1
>>         auto=start
>> #end conn test
>> 
>> ipsec status shows:
>> 
>> 000 "test": 192.168.3.0/24===172.25.24.55[C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon]...172.25.24.86[C=CN, ST=JS, O=Genezys, OU=SUN unit, CN=sun]===192.168.1.0/24; unrouted; eroute owner: #0
>> 
>> 
>> 
>> 
>> 
>> It looks like if I set left|rightid to a value other than the
>> certificate's subjectAltName, strongSwan will automatically set
>> left|rightid to the distinguished name in the subject of the
>> left|rightcert certificate.
>> 
>> Why do that? I think it is more reasonable to keep the id entered by
>> the user!!
>> 
>> 
>> 
>> My version is strongswan-4.2.8
>> 
>> 
>> 
>> Thanks!
>> 
>> 
>> 
>> Brian

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
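The two rules discussed in this thread (the README rule that an ID of type IPV4_ADDR, FQDN or USER_FQDN must appear as a subjectAltName of the matching kind, or as the complete subject DN for DER_ASN1_DN, and the fallback to the subject DN when leftid is not covered by the certificate) are small enough to model offline. The following is an added example written for this page, not strongSwan source code: the `Cert` class is a constructed stand-in for a parsed X.509 certificate, the leftid/rightid syntax rules (`@name` is a literal FQDN, a value containing `=` is a DN, a value with `@` elsewhere is an e-mail USER_FQDN, an IP literal is an address ID) follow ipsec.conf conventions, and DN comparison is simplified to whitespace-normalized strings rather than DER-level RDN comparison. It also shows the responder side: an ID that the peer's certificate does not cover is rejected, which is why the sender's fallback to its own subject DN is harmless for authentication but makes a wrong `rightid` on the other side fail to match.

```python
"""Model of strongSwan's (4.2.x/pluto-era, as described in this thread) rule
that an IKE peer ID must be covered by its X.509 certificate, plus the
subject-DN fallback.  Example code for this page; not strongSwan source."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (not a real cert)."""
    subject_dn: str
    dns_names: frozenset = frozenset()     # subjectAltName dNSName    (DNS:)
    rfc822_names: frozenset = frozenset()  # subjectAltName rfc822Name (email:)
    ip_addresses: frozenset = frozenset()  # subjectAltName iPAddress  (IP:)


def normalize_dn(dn: str) -> str:
    """Canonical spacing so 'C=CN,ST=JS' and 'C=CN, ST=JS' compare equal.
    Simplification: strongSwan compares DER-encoded RDNs, not strings."""
    return ", ".join(part.strip() for part in dn.split(","))


def parse_id(text: str):
    """Classify an ipsec.conf left|rightid value into an IKE ID type.
    '@name' -> FQDN taken literally; contains '=' -> DER_ASN1_DN;
    contains '@' elsewhere -> USER_FQDN; IP literal -> IPV4_ADDR/IPV6_ADDR.
    strongSwan would resolve a bare hostname via DNS; this offline model
    rejects it instead (assumption for the example)."""
    text = text.strip()
    if text.startswith("@"):
        return "FQDN", text[1:].lower()
    if "=" in text:
        return "DER_ASN1_DN", normalize_dn(text)
    if "@" in text:
        return "USER_FQDN", text.lower()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        raise ValueError(f"{text!r}: bare hostnames need DNS; use '@' for a literal FQDN")
    return ("IPV4_ADDR" if addr.version == 4 else "IPV6_ADDR"), str(addr)


def cert_covers(cert: Cert, id_type: str, value: str) -> bool:
    """README rule: SAN of the matching type, or complete subject DN match."""
    if id_type == "FQDN":
        return value in {n.lower() for n in cert.dns_names}
    if id_type == "USER_FQDN":
        return value in {n.lower() for n in cert.rfc822_names}
    if id_type in ("IPV4_ADDR", "IPV6_ADDR"):
        return value in {str(ipaddress.ip_address(a)) for a in cert.ip_addresses}
    if id_type == "DER_ASN1_DN":
        return value == normalize_dn(cert.subject_dn)
    return False


def effective_local_id(configured_id: str, own_cert: Cert):
    """What the initiator actually sends: the configured ID if its own
    certificate covers it, otherwise the certificate's subject DN (the
    fallback described in the thread).  Returns (id_type, value, fell_back)."""
    id_type, value = parse_id(configured_id)
    if cert_covers(own_cert, id_type, value):
        return id_type, value, False
    return "DER_ASN1_DN", normalize_dn(own_cert.subject_dn), True


def peer_accepts(claimed_id: str, peer_cert: Cert) -> bool:
    """Responder side: after the certificate itself has been validated, an
    ID that the certificate does not cover is rejected."""
    try:
        id_type, value = parse_id(claimed_id)
    except ValueError:
        return False
    return cert_covers(peer_cert, id_type, value)


# Constructed stand-in for moonCert.pem as described in the thread.
MOON_CERT = Cert(
    subject_dn="C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon",
    dns_names=frozenset({"moon.com"}),
)

if __name__ == "__main__":
    for configured in ("@moon.com", "@moon",
                       "C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon"):
        id_type, value, fell_back = effective_local_id(configured, MOON_CERT)
        note = "  (fell back to subject DN)" if fell_back else ""
        print(f"leftid={configured!r}: sends {id_type} {value!r}{note}")
    for claimed in ("@moon", "@moon.com", "C=CN,ST=JS,O=Genezys,OU=MOON unit,CN=moon"):
        print(f"peer receives {claimed!r}: {'accept' if peer_accepts(claimed, MOON_CERT) else 'reject'}")
```

Running it reproduces both `ipsec status` lines from the thread: `leftid=@moon.com` is sent as an FQDN, while `leftid=@moon` is replaced by the subject DN `C=CN, ST=JS, O=Genezys, OU=MOON unit, CN=moon`. The responder loop shows the other half of Andreas's point: a bare `@moon` presented against that certificate is rejected, so the fallback does not let a misconfigured ID authenticate as something the certificate does not vouch for.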