[strongSwan] ipsec pool file with certificates
Andreas Steffen
andreas.steffen at strongswan.org
Fri Oct 29 14:04:13 CEST 2010
Hello Claude,
it is part of a larger problem. In the near future we should
support UTF-8 encoded strings in X.509 certificates, so we
have to extend our RDN parser/generator anyway.
As a quick and dirty hack for your problem you could modify
the atodn() function
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/utils/identification.c;h=0696c1030d9bb63fdba5a6dcac34665742a6ab0c;hb=HEAD#l339
by removing all checks for the '/' character, leaving only the
tests for the ',' separator.
Best regards
Andreas
On 29.10.2010 13:41, Claude Tompers wrote:
> Is this something that will be changed in a future release or are
> these characters not allowed in X.509 certificates?
>
> regards, Claude
>
>
> On Friday 29 October 2010 10:50:29 Andreas Steffen wrote:
>> Unfortunately there is currently no workaround.
>>
>> Regards
>>
>> Andreas
>>
>> On 29.10.2010 09:23, Claude Tompers wrote:
>>> Thank you for your quick answer. Is there no way to escape such
>>> characters? I.e. "ST=n\/a"
>>>
>>> regards, Claude
>>>
>>>
>>>
>>> On Friday 29 October 2010 09:14:43 Andreas Steffen wrote:
>>>> The '/' and ',' characters are reserved for separating the
>>>> individual Relative Distinguished Names (RDNs).
>>>>
>>>> openssl x509 -in carolCert.pem -notext -subject
>>>>
>>>> returns
>>>>
>>>> subject= /C=CH/O=Linux strongSwan/OU=Research/CN=carol at strongswan.org
>>>>
>>>> and which can be used with right|leftid.
>>>>
>>>> Thus "ST=n/a" will cause a syntax error.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 29.10.2010 08:10, Claude Tompers wrote:
>>>>> Hello Andreas,
>>>>>
>>>>> I've tried without the double quotes and it makes no
>>>>> difference for me. Could it be that I have an invalid
>>>>> character in my DN? I.e. "ST=n/a"
>>>>>
>>>>> The complete DN is C=LU, ST=n/a, L=Luxembourg, O=Fondation
>>>>> RESTENA, CN=Test Certificate
>>>>>
>>>>> kind regards, Claude
>>>>>
>>>>>
>>>>>
>>>>> On Thursday 28 October 2010 23:59:01 Andreas Steffen wrote:
>>>>>> Hello Claude,
>>>>>>
>>>>>> the Distinguished Names must be written in the address file
>>>>>> without the double quotes:
>>>>>>
>>>>>> moon ipsec.d # cat addresses.txt
>>>>>> 10.3.0.1
>>>>>> 10.3.0.2
>>>>>> 10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org
>>>>>> 10.3.0.4=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave at strongswan.org
>>>>>> 10.3.0.5
>>>>>> 10.3.0.6=alice at strongswan.org
>>>>>> 10.3.0.7=venus.strongswan.org
>>>>>> 10.3.0.8
>>>>>>
>>>>>> ipsec pool --add bigpool --addresses addresses.txt --timeout 0
>>>>>>
>>>>>> After setting up a connection each from carol and dave to
>>>>>> gateway moon and taking it down again I get:
>>>>>>
>>>>>> moon ipsec.d # ipsec pool --leases
>>>>>>   name     address   status  start                 end                   identity
>>>>>>   bigpool  10.3.0.3  static  Oct 28 23:52:38 2010  Oct 28 23:53:24 2010  C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org
>>>>>>   bigpool  10.3.0.4  static  Oct 28 23:53:10 2010  Oct 28 23:53:20 2010  C=CH, O=Linux strongSwan, OU=Accounting, CN=dave at strongswan.org
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>> On 10/28/2010 03:52 PM, Claude Tompers wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I get no error, I just don't get the IP address I
>>>>>>> reserved. I'm supposed to get 192.168.122.190 (reserved)
>>>>>>> but I get 192.168.122.129 (the first one in the pool).
>>>>>>>
>>>>>>> So I think that the id in the file does not match the
>>>>>>> one sent by the client?
>>>>>>>
>>>>>>> regards, Claude
>>>>>>>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
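As an added illustration (my own code, not strongSwan's atodn() from the link above), the small C splitter below applies the two separator rules discussed in the thread: with '/' and ',' both reserved, Claude's "ST=n/a" is a syntax error; with the comma-only hack it parses, but the slash-form DN that openssl prints (constructed here with a plain "@") then no longer does, which is the cost of that shortcut.

```c
#include <ctype.h>
#include <string.h>

#define MAX_RDN 16
#define RDN_LEN 128

/* Split a DN into RDNs on any character in `seps`: "/," mimics the strict
 * separator rule described in the thread, "," the relaxed comma-only hack.
 * Returns the RDN count, or -1 on a syntax error (a piece that is not of
 * the form attr=value). Illustration only, not strongSwan's atodn(). */
static int dn_split(const char *dn, const char *seps, char out[][RDN_LEN], int max)
{
    int n = 0;
    const char *p = dn;
    if (*p && strchr(seps, *p)) p++;           /* openssl "/C=CH/O=..." form */
    while (*p) {
        const char *start = p, *end, *eq;
        while (*p && !strchr(seps, *p)) p++;   /* scan to the next separator */
        end = p;
        while (start < end && isspace((unsigned char)*start)) start++;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        eq = memchr(start, '=', (size_t)(end - start));
        /* attribute type: non-empty and alphabetic; value: non-empty */
        if (n == max || !eq || eq == start || eq + 1 == end || end - start >= RDN_LEN)
            return -1;
        for (const char *q = start; q < eq; q++)
            if (!isalpha((unsigned char)*q)) return -1;
        memcpy(out[n], start, (size_t)(end - start));
        out[n][end - start] = '\0';
        n++;
        if (*p) p++;                            /* skip the separator */
    }
    return n;
}

/* Number of RDNs, or -1 if the DN does not parse under `seps`. */
static int dn_rdn_count(const char *dn, const char *seps)
{
    char rdns[MAX_RDN][RDN_LEN];
    return dn_split(dn, seps, rdns, MAX_RDN);
}

/* i-th RDN (static buffer), or "" if the DN does not parse or i is out of range. */
static const char *dn_rdn_at(const char *dn, const char *seps, int i)
{
    static char rdns[MAX_RDN][RDN_LEN];
    int n = dn_split(dn, seps, rdns, MAX_RDN);
    return (i >= 0 && i < n) ? rdns[i] : "";
}
```

Run dn_rdn_count() on the same DN with "/," and with "," to see the difference the hack makes; a DN that is only ever written in comma form survives it, a slash-form leftid|rightid does not.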