[strongSwan] documenting the X509 configuration for a roadwarrior?

Daniel Pocock daniel at pocock.com.au
Fri Oct 21 09:13:20 CEST 2011



Hi,

Can anyone comment on what I found below, and why using the
leftid=@something in ipsec.conf (as in the test cases) doesn't seem to work?

Regards,

Daniel



On 15/10/11 14:45, Daniel Pocock wrote:
>
>
> Hi,
>
> I found the X.509/roadwarrior/virtual IP stuff didn't work as I was
> expecting, but I did get it working another way.
>
> Below I've documented what I found in the docs, and what eventually worked.
>
> Can anyone comment on what I'm doing and the status of the documents I
> referred to?
>
> What sort of certs should be used by roadwarriors?  How should they be
> generated?  How should they be specified in the config?
>
> Regards,
>
> Daniel
>
>
>
> System info:
> Debian Squeeze (amd64)
> Official Debian packages of StrongSWAN 4.4.1-5.1
>
>
>
> a) I tried copying these configs:
>
> http://www.strongswan.org/uml/testresults/ikev2/ip-pool/
>
> and I followed this doc to create my certs:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
> The cert didn't work, I noticed the following in the log:
>
> Oct 15 12:25:16 moon charon: 04[CFG]   id 'moon.example.org' not
> confirmed by certificate, defaulting to 'C=GB, O=Example Limited,
> CN=moon.example.org'
>
>
>
> b) after some Googling, I tried changing the cert:
>
> ipsec pki --pub --in moonKey.der | ipsec pki --issue --cacert caCert.der
> --cakey caKey.der --dn "C=GB, O=Example Limited, CN=moon.example.org"
> --san "DNS:moon.example.org" > moonCert.der
>
> Notice that in this case, I added the subjectAltName DNS:moon.example.org
>
> I saw this error in the output from the `ipsec pki' command:
>
> encoding ID_KEY_ID as subjectAltName not supported
>
> but the DER file was created.  Checking the DER file with openssl, I
> couldn't find any subjectAltName.
>
>
>
> c) finally, I tried putting full DN in the ipsec.conf (instead of just
> using the @hostname syntax):
>
> #leftid="@moon.example.org"
> leftid="/C=GB/O=Example Limited/CN=moon.example.org"
>
> Doing this on both roadwarrior and gateway host, I got everything working.
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>   
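Added example (not from the thread or the strongSwan project; it assumes openssl on PATH and uses openssl rather than `ipsec pki` to issue the certificates): it builds the two certificate shapes from steps a) and c) above and checks which leftid form each one can confirm, since an @fqdn leftid has to be confirmed by a dNSName subjectAltName while the slash-form DN only has to match the subject. Note that `ipsec pki --san` expects a bare identity such as moon.example.org rather than openssl's DNS: prefix.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway CA plus two gateway certs
# (constructed test data), one with only a subject DN and one that also
# carries a dNSName subjectAltName; then check what each can confirm.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Throwaway CA (constructed; never reuse these keys for anything real)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
  -subj "/C=GB/O=Example Limited/CN=Example CA" >/dev/null 2>&1

# Gateway key and request with the DN used in the thread
openssl req -newkey rsa:2048 -nodes -keyout moon.key -out moon.csr \
  -subj "/C=GB/O=Example Limited/CN=moon.example.org" >/dev/null 2>&1

# Certificate A: subject DN only (the shape from step a)
openssl x509 -req -in moon.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out moonA.pem >/dev/null 2>&1
openssl x509 -in moonA.pem -outform DER -out moonA.der

# Certificate B: same DN plus subjectAltName DNS:moon.example.org
printf 'subjectAltName=DNS:moon.example.org\n' > san.ext
openssl x509 -req -in moon.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile san.ext -out moonB.pem >/dev/null 2>&1
openssl x509 -in moonB.pem -outform DER -out moonB.der

# has_san_dns DER FQDN: succeeds only if FQDN is present as a dNSName SAN,
# i.e. only if the certificate can confirm leftid=@FQDN
has_san_dns() {
  openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# subject_dn DER: print the subject in the slash form a DN-style leftid uses
subject_dn() {
  openssl x509 -inform DER -in "$1" -noout -subject -nameopt compat 2>/dev/null \
    | sed 's/^[^/]*//'
}

# Stand-alone run: show which identities each certificate can confirm
for c in moonA.der moonB.der; do
  echo "$c subject: $(subject_dn "$c")"
  if has_san_dns "$c" moon.example.org; then
    echo "$c confirms leftid=@moon.example.org"
  else
    echo "$c does NOT confirm leftid=@moon.example.org (no dNSName SAN)"
  fi
done
```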