[strongSwan] ipsec pool file with certificates

Claude Tompers claude.tompers at restena.lu
Fri Oct 29 09:23:11 CEST 2010


Thank you for your quick answer.
Is there no way to escape such characters? i.e. "ST=n\/a"

regards,
Claude



On Friday 29 October 2010 09:14:43 Andreas Steffen wrote:
> The '/' and ',' characters are reserved for separating the
> individual Relative Distinguished Names (RDNs).
> 
>   openssl x509 -in carolCert.pem -notext -subject
> 
> returns
> 
>   subject= /C=CH/O=Linux strongSwan/OU=Research/CN=carol at strongswan.org
> 
> and which can be used with right|leftid.
> 
> Thus "ST=n/a" will cause a syntax error.
> 
> Regards
> 
> Andreas
> 
> On 29.10.2010 08:10, Claude Tompers wrote:
> > Hello Andreas,
> > 
> > I've tried without the double quotes and it makes no difference for me.
> > Could it be that I have an invalid character in my DN? i.e. "ST=n/a"
> > 
> > The complete DN is C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate
> > 
> > kind regards,
> > Claude
> > 
> > 
> > 
> > On Thursday 28 October 2010 23:59:01 Andreas Steffen wrote:
> >> Hello Claude,
> >>
> >> the Distinguished Names must be written in the address file without
> >> the double quotes:
> >>
> >> moon ipsec.d # cat addresses.txt
> >> 10.3.0.1
> >> 10.3.0.2
> >> 10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org
> >> 10.3.0.4=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave at strongswan.org
> >> 10.3.0.5
> >> 10.3.0.6=alice at strongswan.org
> >> 10.3.0.7=venus.strongswan.org
> >> 10.3.0.8
> >>
> >> ipsec pool --add bigpool --addresses addresses.txt --timeout 0
> >>
> >> After setting up a connection each from carol and dave to gateway moon
> >> and taking it down again I get:
> >>
> >> moon ipsec.d # ipsec pool --leases
> >> name     address         status   start                 end                   identity
> >> bigpool  10.3.0.3        static   Oct 28 23:52:38 2010  Oct 28 23:53:24 2010  C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org
> >> bigpool  10.3.0.4        static   Oct 28 23:53:10 2010  Oct 28 23:53:20 2010  C=CH, O=Linux strongSwan, OU=Accounting, CN=dave at strongswan.org
> >>
> >> Best regards
> >>
> >> Andreas
> >>
> >> On 10/28/2010 03:52 PM, Claude Tompers wrote:
> >>> Hi,
> >>>
> >>> I get no error, I just don't get the IP address I reserved. I'm supposed to get 192.168.122.190 (reserved) but I get 192.168.122.129 (the first one in the pool).
> >>>
> >>> So I think that the id in the file does not match the one sent by the client?
> >>>
> >>> regards,
> >>> Claude
> >>>
> >>>
> >>> On Thursday 28 October 2010 15:48:48 Martin Willi wrote:
> >>>> Hi,
> >>>>
> >>>>> ipsec pool --add ikev1 --addresses /path/to/ikev1.addr --timeout 48
> >>>>
> >>>> I see.
> >>>>
> >>>>> Should I write 192.168.122.190="X'302431133011060355040a130a7374726f6e677377616e310d300b0603550403130474657374'" into the file ?
> >>>>
> >>>> No, the address file parser does this conversion for you, no need for
> >>>> manual conversion.
> >>>>
> >>>>> It does not work for users that authenticate with a certificate
> >>>>
> >>>> What does not work? Do you get an error?
> >>>>
> >>>> Regards
> >>>> Martin
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
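Added worked example for this thread (written by the editor; it is not strongSwan's own address-file parser or DN encoder, and nothing in it was posted by the participants). It reads the addresses.txt layout Andreas quoted (one address per line, optionally followed by "=identity"), splits a DN identity on the two characters the thread says are reserved as RDN separators (',' and '/'), and DER-encodes the DN as an X.501 Name so the result can be compared with the X'3024...' hex that Martin's reply refers to (that hex decodes to O=strongswan, CN=test). Assumptions not stated on the page: the OID table covers only the attribute types the thread uses, every value is encoded as PrintableString, the "dynamic"/"dn"/"email"/"fqdn" labels are the example's own, the rejection of a quoted identity follows Andreas's remark about double quotes, and the sample file is constructed from the thread's entries with the obfuscated "at" restored to '@'.

```python
"""Toy model of the ipsec pool address file discussed in this thread.

Added illustration, not strongSwan code.  It parses the addresses.txt
layout quoted in the thread, splits DN identities into RDNs on the
reserved ',' and '/' characters, and DER-encodes a DN so it can be
checked against the hex form mentioned in Martin's reply.
"""
import re
from ipaddress import ip_address

# Attribute types used by the DNs in the thread: last arc of OID 2.5.4.x.
# (Assumed subset; a real encoder carries a much larger table.)
ATTR_OIDS = {"CN": 3, "C": 6, "L": 7, "ST": 8, "O": 10, "OU": 11}


def split_rdns(dn):
    """Split a text DN into a list of (type, value) pairs.

    Both ',' (ipsec.conf style) and '/' (openssl -subject style) are
    treated as RDN separators, so a value containing either cannot be
    written: "ST=n/a" splits into "ST=n" and "a", and "a" has no '='.
    That is the syntax error the thread describes; raised as ValueError.
    """
    rdns = []
    for part in re.split(r"[,/]", dn):
        part = part.strip()
        if not part:                      # leading '/' of "/C=CH/O=..."
            continue
        if "=" not in part:
            raise ValueError(f"syntax error in DN near {part!r}")
        typ, val = part.split("=", 1)
        typ = typ.strip().upper()
        if typ not in ATTR_OIDS:
            raise ValueError(f"unsupported attribute type {typ!r}")
        rdns.append((typ, val.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def dn_error(dn):
    """Return the parse error for dn as a string, or None if it parses."""
    try:
        split_rdns(dn)
    except ValueError as e:
        return str(e)
    return None


def _tlv(tag, body):
    """DER tag-length-value with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + body


def dn_to_der(dn):
    """Encode a text DN as X.501 Name: SEQUENCE OF SET OF { OID, value }.

    Every value is emitted as PrintableString (tag 0x13).  A real encoder
    would switch to UTF8String for characters outside that set.
    """
    body = b""
    for typ, val in split_rdns(dn):
        oid = _tlv(0x06, bytes([0x55, 0x04, ATTR_OIDS[typ]]))  # 2.5.4.x
        string = _tlv(0x13, val.encode("ascii"))
        body += _tlv(0x31, _tlv(0x30, oid + string))            # SET { SEQUENCE }
    return _tlv(0x30, body)


def parse_address_file(text):
    """Parse addresses.txt into (ip, kind, identity) tuples.

    kind is "dynamic" (no identity bound), "dn", "email" or "fqdn".
    A quoted identity is rejected, following the thread's advice that
    DNs go into the file without double quotes.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, ident = line.partition("=")
        ip = str(ip_address(addr.strip()))   # ValueError on a bad address
        ident = ident.strip()
        if not ident:
            entries.append((ip, "dynamic", None))
        elif ident[0] in "\"'":
            raise ValueError(f"identity for {ip} must not be quoted: {ident}")
        elif "=" in ident:
            entries.append((ip, "dn", split_rdns(ident)))
        elif "@" in ident:
            entries.append((ip, "email", ident))
        else:
            entries.append((ip, "fqdn", ident))
    return entries


# Constructed sample in the layout quoted in the thread ('@' written out).
SAMPLE = """\
10.3.0.1
10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org
10.3.0.6=alice@strongswan.org
10.3.0.7=venus.strongswan.org
"""

if __name__ == "__main__":
    for entry in parse_address_file(SAMPLE):
        print(entry)
    print(dn_to_der("O=strongswan, CN=test").hex())
    print("rejected:", dn_error("C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate"))
```

Running it prints the four parsed entries, the DER hex of O=strongswan, CN=test (which matches the X'3024...' string in the thread byte for byte), and the "syntax error in DN near 'a'" that the ST=n/a value produces once '/' is taken as a separator. The example does not answer Claude's escaping question; it only makes the failure mode concrete.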