[strongSwan] documenting the X509 configuration for a roadwarrior?
Daniel Pocock
daniel at pocock.com.au
Sat Oct 15 14:45:31 CEST 2011
Hi,
I found the X.509/roadwarrior/virtual IP stuff didn't work as I was
expecting, but I did get it working another way.
Below I've documented what I found in the docs, and what eventually worked.
Can anyone comment on what I'm doing and the status of the documents I
referred to?
What sort of certs should be used by roadwarriors? How should they be
generated? How should they be specified in the config?
Regards,
Daniel
System info:
Debian Squeeze (amd64)
Official Debian packages of StrongSWAN 4.4.1-5.1
a) I tried copying these configs:
http://www.strongswan.org/uml/testresults/ikev2/ip-pool/
and I followed this doc to create my certs:
http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
The cert didn't work, I noticed the following in the log:
Oct 15 12:25:16 moon charon: 04[CFG] id 'moon.example.org' not
confirmed by certificate, defaulting to 'C=GB, O=Example Limited,
CN=moon.example.org'
b) after some Googling, I tried changing the cert:
ipsec pki --pub --in moonKey.der | ipsec pki --issue --cacert caCert.der \
  --cakey caKey.der --dn "C=GB, O=Example Limited, CN=moon.example.org" \
  --san "DNS:moon.example.org" > moonCert.der
Notice that in this case, I added the subjectAltName DNS:moon.example.org
I saw this error in the output from the `ipsec pki' command:
encoding ID_KEY_ID as subjectAltName not supported
but the DER file was created. Checking the DER file with openssl, I
couldn't find any subjectAltName.
c) finally, I tried putting full DN in the ipsec.conf (instead of just
using the @hostname syntax):
#leftid="@moon.example.org"
leftid="/C=GB/O=Example Limited/CN=moon.example.org"
Doing this on both roadwarrior and gateway host, I got everything working.
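Added example, not code from the post above or from the strongSwan project: it issues a gateway certificate with the FQDN as a subjectAltName (passing the bare host name to --san, since ipsec pki does not take OpenSSL's "DNS:" prefix there) and then verifies with openssl that the SAN is really present before the short @host form is used for leftid. It assumes ipsec pki and openssl are on PATH and the file names from the SimpleCA page (caCert.der, caKey.der, <host>Key.der).

```shell
#!/bin/sh
# Added example; not code from the original post or from the strongSwan project.
# Issues a gateway certificate whose subjectAltName carries the host's FQDN and
# checks that the SAN really is in the DER file before relying on it in ipsec.conf.
# Assumes strongSwan's 'ipsec pki' and 'openssl' are on PATH and the file names
# from the SimpleCA page (caCert.der, caKey.der, <host>Key.der).
set -eu

# Command line for 'ipsec pki --issue'. The --san value is a bare identity
# (FQDN, e-mail address or IP address); pki picks the GeneralName type itself,
# so the OpenSSL-style "DNS:" prefix must not be used there.
issue_cmd() {
    host=$1; short=${host%%.*}
    printf 'ipsec pki --pub --in %sKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=GB, O=Example Limited, CN=%s" --san %s > %sCert.der' \
        "$short" "$host" "$host" "$short"
}

# Succeed only if the DER certificate $1 lists DNS:$2 in its subjectAltName;
# this is the check to run before trusting that leftid=@host will match.
cert_has_dns_san() {
    openssl x509 -inform der -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | grep -Eq "DNS:$2"'( |,|$)'
}

# Real run, only when strongSwan is installed and the host key exists.
HOST=${1:-moon.example.org}
if command -v ipsec >/dev/null 2>&1 && [ -f "${HOST%%.*}Key.der" ]; then
    eval "$(issue_cmd "$HOST")"
    if cert_has_dns_san "${HOST%%.*}Cert.der" "$HOST"; then
        echo "SAN present: leftid=@$HOST will be confirmed by the certificate"
    else
        echo "no DNS SAN found: use the full subject DN for leftid" >&2
    fi
fi
```

Without a matching SAN, charon logs "id ... not confirmed by certificate" as in the post, and only the full subject DN form of leftid matches.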