[strongSwan] leftID and rightID

nima chavooshi nima0102 at gmail.com
Mon Sep 26 07:17:35 CEST 2011

Realy thanks for your attention and complete reply.
Then,according to your explanation it's better that i set SubjectAltName
instead of DN,is that tru?
In prevoius mail,you told if I do not set leftid or my cerificate does not
contain DN or SubjectAltName,then one default value will be selected,ok,but
what is this value?
In order to restrict and increase security in connection phase of tow
gateway it's better I set DN or SubjectAltName so that only gateway i want,
can connect to my gateway.

thanks a lot for your help.
On Sunday, September 25, 2011, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> The subject distinguished name or subject DN of an X.509 certificate
> consists of several Relative Distinguished Names (RDNs) and therefore
> can be quite tiresome to write as in
> "C=DE, ST=Mecklenburg-Vorpommern, L=Rostock, O=Finanzamt,
>  OU=Zentrale Informations- und Annahmestelle, CN=steuerportal-mv.de,
>  E=poststelle at fm.mv-regierung.de"
> Therefore often one or several subjectAlternativeNames or Aliases
> are added as X.509v3 extensions to a certificate, like e.g.
>  DNS:moon.strongswan.org
>  email:carol at strongswan.org
>  IP:
> (given in openssl.cnf notation) which saves a lot of typing work and
> helps to eliminate errors.
> Regards
> Andreas
> On 09/25/2011 02:58 PM, nima chavooshi wrote:
>> Hi
>> Thanks a lot for your quick reply.
>> Excuse me for my dummy question.I am some confused.
>> May you give me more explanation about "subject distinguished name",
>> "subjectAltName", "subject DN" field on X509 certification?
>> According to your told, I should define lefid at least, is that true ?
>> Thanks in advance for any help or guidance
>> On Sun, Sep 25, 2011 at 2:16 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
>> wrote:
>>     Hello,
>>     left|rightid *must* be either the subject distinguished name or
>>     a subjectAltName extension contained in the certificate. If you
>>     don't define leftid or if leftid is not defined in the certificate
>>     then automatically the subject DN is assumed as a default.
>>     As a responder you can define rightid=%any, in that case any
>>     peer with a trusted and non-revoked certificate will be accepted.
>>     Regards
>>     Andreas
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110926/3e1a15ce/attachment.html>

More information about the Users mailing list