[strongSwan] documenting the X509 configuration for a roadwarrior?
Martin Willi
martin at strongswan.org
Fri Oct 21 09:32:35 CEST 2011
Hi,
> id 'moon.example.org' not confirmed by certificate, defaulting to
> 'C=GB, O=Example Limited, CN=moon.example.org'
When using certificates, the IKE identity should be contained in the
certificate to allow the other peer to find the required cert. This is
enforced for local certificates.
It is not sufficient to have a CN that matches, as unlike in many SSL
implementations we compare the full DN. You'll have to add a
subjectAltName moon.example.org to your certificate if you'd like to use
this identity.
> ipsec pki --pub --in moonKey.der | ipsec pki --issue --cacert caCert.der
> --cakey caKey.der --dn "C=GB, O=Example Limited, CN=moon.example.org"
> --san "DNS:moon.example.org" > moonCert.der
DNS:moon.example.org is the OpenSSL way of representing a
subjectAltName. If you use our PKI tool, just add --san
moon.example.org, it automatically figures out that this is a DNS type
subjectAltName.
> I tried putting full DN in the ipsec.conf (instead of just using the
> @hostname syntax):
Yes, because the ID now matches your certificate.
Regards
Martin
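The matching rule described above, as an added illustration that is not strongSwan code: an FQDN identity (the `@hostname` form) is confirmed only by a DNS subjectAltName, and a DN identity only by the complete subject DN, so a bare CN match is rejected. The `san_type` helper mirrors how `--san` infers the SAN type; its IP and email cases are an assumption beyond the DNS case mentioned in the thread.

```python
"""Constructed model of strongSwan's identity-vs-certificate check (not project code)."""
import ipaddress
from typing import List, Tuple

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=GB, O=Example Limited, CN=moon.example.org' into ordered (type, value) pairs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def parse_identity(ident: str):
    """ipsec.conf-style ID: '@host' is an FQDN, anything containing '=' is a DN.
    Treating a bare hostname as an FQDN is an assumption of this model."""
    if ident.startswith("@"):
        return ("FQDN", ident[1:].lower())
    if "=" in ident:
        return ("DN", parse_dn(ident))
    return ("FQDN", ident.lower())

def san_type(value: str) -> str:
    """Guess the subjectAltName type for a --san value: IP, email, else DNS."""
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        pass
    return "email" if "@" in value else "DNS"

def identity_confirmed(ident: str, subject_dn: str, sans: List[str]) -> bool:
    """True if the certificate (subject DN plus DNS SANs) confirms the IKE identity.
    FQDN IDs need a matching SAN; DN IDs must equal the full subject DN, not just the CN."""
    kind, value = parse_identity(ident)
    if kind == "FQDN":
        return value in [s.lower() for s in sans]
    return value == parse_dn(subject_dn)

# Constructed sample matching the thread: a cert with the full DN but no SAN.
SUBJECT = "C=GB, O=Example Limited, CN=moon.example.org"
if __name__ == "__main__":
    print(identity_confirmed("@moon.example.org", SUBJECT, []))                   # False: no SAN
    print(identity_confirmed("@moon.example.org", SUBJECT, ["moon.example.org"]))  # True
    print(identity_confirmed(SUBJECT, SUBJECT, []))                              # True: full DN
    print(identity_confirmed("CN=moon.example.org", SUBJECT, []))                # False: CN only
```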