[strongSwan] ipsec pool file with certificates

Claude Tompers claude.tompers at restena.lu
Fri Oct 29 14:15:31 CEST 2010


Hello Andreas,

Thank you very much.

kind regards,
Claude



On Friday 29 October 2010 14:04:13 Andreas Steffen wrote:
> Hello Claude,
> 
> it is part of a larger problem. In the near future we should
> support UTF-8 encoded strings in X.509 certificates, so that
> we have to extend our RDN parser/generator anyway.
> 
> As a quick and dirty hack for your problem you could modify
> the atodn() function
> 
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/utils/identification.c;h=0696c1030d9bb63fdba5a6dcac34665742a6ab0c;hb=HEAD#l339
> 
> by removing all checks for the '/' character, leaving only the
> tests for the ',' separator.
> 
> Best regards
> 
> Andreas
> 
> On 29.10.2010 13:41, Claude Tompers wrote:
> > Is this something that will be changed in a future release or are
> > these characters not allowed in x509 certificates ?
> > 
> > regards, Claude
> > 
> > 
> > On Friday 29 October 2010 10:50:29 Andreas Steffen wrote:
> >> Unfortunately there is currently no workaround.
> >> 
> >> Regards
> >> 
> >> Andreas
> >> 
> >> On 29.10.2010 09:23, Claude Tompers wrote:
> >>> Thank you for your quick answer. Is there no way to escape such
> >>> characters ? i.e. "ST=n\/a"
> >>> 
> >>> regards, Claude
> >>> 
> >>> 
> >>> 
> >>> On Friday 29 October 2010 09:14:43 Andreas Steffen wrote:
> >>>> The '/' and ',' characters are reserved for separating the 
> >>>> individual Relative Distinguished Names (RDNs).
> >>>> 
> >>>> openssl x509 -in carolCert.pem -notext -subject
> >>>> 
> >>>> returns
> >>>> 
> >>>> subject= /C=CH/O=Linux strongSwan/OU=Research/CN=carol at strongswan.org
> >>>> 
> >>>> and which can be used with right|leftid.
> >>>> 
> >>>> Thus "ST=n/a" will cause a syntax error.
> >>>> 
> >>>> Regards
> >>>> 
> >>>> Andreas
> >>>> 
> >>>> On 29.10.2010 08:10, Claude Tompers wrote:
> >>>>> Hello Andreas,
> >>>>> 
> >>>>> I've tried without the double quotes and it makes no
> >>>>> difference for me. Could it be that I have an invalid
> >>>>> character in my DN ? i.e. "ST=n/a"
> >>>>> 
> >>>>> The complete DN is C=LU, ST=n/a, L=Luxembourg, O=Fondation
> >>>>> RESTENA, CN=Test Certificate
> >>>>> 
> >>>>> kind regards, Claude
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> On Thursday 28 October 2010 23:59:01 Andreas Steffen wrote:
> >>>>>> Hello Claude,
> >>>>>> 
> >>>>>> the Distinguished Names must be written in the address file
> >>>>>> without the double quotes:
> >>>>>> 
> >>>>>> moon ipsec.d # cat addresses.txt
> >>>>>> 10.3.0.1
> >>>>>> 10.3.0.2
> >>>>>> 10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org
> >>>>>> 10.3.0.4=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave at strongswan.org
> >>>>>> 10.3.0.5
> >>>>>> 10.3.0.6=alice at strongswan.org
> >>>>>> 10.3.0.7=venus.strongswan.org
> >>>>>> 10.3.0.8
> >>>>>> 
> >>>>>> ipsec pool --add bigpool --addresses addresses.txt --timeout 0
> >>>>>> 
> >>>>>> After setting up a connection each from carol and dave to
> >>>>>> gateway moon and taking it down again I get:
> >>>>>> 
> >>>>>> moon ipsec.d # ipsec pool --leases
> >>>>>> name     address         status   start                 end                   identity
> >>>>>> bigpool  10.3.0.3        static   Oct 28 23:52:38 2010  Oct 28 23:53:24 2010  C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org
> >>>>>> bigpool  10.3.0.4        static   Oct 28 23:53:10 2010  Oct 28 23:53:20 2010  C=CH, O=Linux strongSwan, OU=Accounting, CN=dave at strongswan.org
> >>>>>> 
> >>>>>> Best regards
> >>>>>> 
> >>>>>> Andreas
> >>>>>> 
> >>>>>> On 10/28/2010 03:52 PM, Claude Tompers wrote:
> >>>>>>> Hi,
> >>>>>>> 
> >>>>>>> I get no error, I just don't get the IP address I
> >>>>>>> reserved. I'm supposed to get 192.168.122.190 (reserved)
> >>>>>>> but I get 192.168.122.129 (the first one in the pool).
> >>>>>>> 
> >>>>>>> So I think that the id in the file, does not match the
> >>>>>>> one sent by the client ?
> >>>>>>> 
> >>>>>>> regards, Claude
> >>>>>>> 
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
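The parsing problem discussed in this thread, as an added illustration that is neither strongSwan's atodn() nor code from any of the posters: a small model of an RDN splitter under the two rules Andreas describes (legacy: '/' and ',' are both separators, so "ST=n/a" is cut in two; single-separator: a DN starting with '/' is OpenSSL's slash form, anything else is comma form), plus the addresses.txt lookup that depends on it, which is what turns a rejected identity into "I get the first address in the pool instead of the reserved one". All names (parse_dn_legacy, parse_dn_single, dn_equals, load_pool, reserved_ip), limits and structures are hypothetical, and POOL_TEXT is constructed from the file format quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the RDN parsing discussed in the thread (not
 * strongSwan's atodn()) and of the addresses.txt lookup that depends on it. */

#define MAX_RDN  16
#define MAX_POOL 8

typedef struct { char type[16]; char value[96]; } rdn_t;
typedef struct { int count; rdn_t rdn[MAX_RDN]; } dn_t;
typedef struct { char ip[40]; int has_id; dn_t id; } pool_entry_t;
typedef int (*dn_parser_t)(const char *, dn_t *);

enum { DN_SYNTAX_ERROR = -1, DN_TOO_MANY = -2 };

static void trim(char *s)
{
    size_t len = strlen(s), i = 0;
    while (len > 0 && s[len - 1] == ' ') s[--len] = '\0';
    while (s[i] == ' ') i++;
    memmove(s, s + i, len - i + 1);
}

/* Split dn on any character in seps; every non-empty field must be TYPE=VALUE. */
static int parse_dn(const char *dn, const char *seps, dn_t *out)
{
    char field[128];
    size_t n = 0;
    out->count = 0;
    for (const char *p = dn;; p++) {
        if (*p != '\0' && strchr(seps, *p) == NULL) {
            if (n + 1 >= sizeof(field)) return DN_SYNTAX_ERROR;
            field[n++] = *p;
            continue;
        }
        field[n] = '\0';
        n = 0;
        trim(field);
        if (field[0] != '\0') {              /* a leading '/' yields an empty field */
            char *eq = strchr(field, '=');
            size_t tlen = eq ? (size_t)(eq - field) : 0;
            if (!eq || tlen == 0 || eq[1] == '\0' || tlen >= sizeof(out->rdn[0].type) ||
                strlen(eq + 1) >= sizeof(out->rdn[0].value)) return DN_SYNTAX_ERROR;
            if (out->count == MAX_RDN) return DN_TOO_MANY;
            rdn_t *r = &out->rdn[out->count++];
            memcpy(r->type, field, tlen);
            r->type[tlen] = '\0';
            strcpy(r->value, eq + 1);
        }
        if (*p == '\0') return out->count;
    }
}

/* Rule described in the thread: '/' and ',' both separate RDNs, so "ST=n/a" is cut in two. */
int parse_dn_legacy(const char *dn, dn_t *out) { return parse_dn(dn, "/,", out); }

/* Single-separator rule: a DN beginning with '/' is OpenSSL's slash form, anything
 * else is comma form, so a '/' inside a comma-form value is ordinary data. */
int parse_dn_single(const char *dn, dn_t *out) { return parse_dn(dn, dn[0] == '/' ? "/" : ",", out); }

/* RDN-by-RDN comparison: the same subject matches whichever textual form it was written in. */
int dn_equals(const dn_t *a, const dn_t *b)
{
    if (a->count != b->count) return 0;
    for (int i = 0; i < a->count; i++)
        if (strcmp(a->rdn[i].type, b->rdn[i].type) || strcmp(a->rdn[i].value, b->rdn[i].value)) return 0;
    return 1;
}

/* Load addresses.txt lines ("ip" or "ip=identity"); returns the entry count, or
 * -(line number) of the first identity the parser rejects. Lines beyond max are ignored. */
int load_pool(const char *text, dn_parser_t parse, pool_entry_t *pool, int max)
{
    int n = 0, line = 0;
    for (const char *p = text; *p != '\0' && n < max; line++) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char buf[256];
        if (len >= sizeof(buf)) return -(line + 1);
        memcpy(buf, p, len);
        buf[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (buf[0] == '\0') continue;
        char *eq = strchr(buf, '=');         /* first '=' ends the address part */
        pool_entry_t *e = &pool[n];
        e->has_id = 0;
        if (eq) {
            *eq = '\0';
            if (parse(eq + 1, &e->id) < 0) return -(line + 1);
            e->has_id = 1;
        }
        if (strlen(buf) >= sizeof(e->ip)) return -(line + 1);
        strcpy(e->ip, buf);
        n++;
    }
    return n;
}

/* Reserved address for a peer identity, or NULL when nothing matches (a gateway
 * would then fall back to the first free address, the symptom reported above). */
const char *reserved_ip(const pool_entry_t *pool, int n, const char *peer_id, dn_parser_t parse)
{
    dn_t peer;
    if (parse(peer_id, &peer) < 0) return NULL;
    for (int i = 0; i < n; i++)
        if (pool[i].has_id && dn_equals(&pool[i].id, &peer)) return pool[i].ip;
    return NULL;
}

/* Constructed pool file in the format quoted in the thread. */
const char *POOL_TEXT =
    "10.3.0.1\n"
    "10.3.0.2=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org\n"
    "10.3.0.3=C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate\n";

int main(void)
{
    pool_entry_t pool[MAX_POOL];
    int legacy = load_pool(POOL_TEXT, parse_dn_legacy, pool, MAX_POOL);   /* -3: line 3 rejected */
    int single = load_pool(POOL_TEXT, parse_dn_single, pool, MAX_POOL);   /* 3 entries */
    const char *ip = reserved_ip(pool, single, "C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate", parse_dn_single);
    printf("legacy rule: %d, single rule: %d, test cert -> %s\n", legacy, single, ip ? ip : "(none)");
    return 0;
}
```

Under the legacy rule the third line of the constructed file is rejected outright, so no reservation for that DN ever exists; under the single-separator rule it loads and the comma-form peer identity matches it. Note that neither rule knows an escape syntax, so "n/a" can only be expressed in the comma form; the slash form "/C=LU/ST=n/a/..." is still split into "ST=n" and "a" and rejected.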