[strongSwan] FQDN based certificate authentication for ikev2

Reshma Begam reshma.begam at gmail.com
Tue Apr 3 10:54:16 CEST 2012


Hi Andreas,

Sorry for the continuous queries, but I needed some info on ipsec.conf for
certificates, so please do the needful.

 From your last mail, do you mean leftid=%fromcert will set the id type as
subjectDN by default? i.e. with the below value in my case?
 subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=ATCA_cla, E=gianluigi.ongaro at nsn.com"

Also, if 10.0.0.1 (please refer to my previous mail) is the initiator with
leftid type always ipaddress and I want to accept all peer id
types (fqdn/dn/ipaddress), what should the values of right, left, rightid
and leftid be on the 10.0.0.1 side? Can this be achieved by magic values or wild
card entries in a simple way, without explicitly specifying them?

(Or)

Does any ipsec.conf option exist to ignore the identity check of the peer?



Thanks,
Reshma

# /usr/local/6bin/ipsec stroke listall
List of X.509 End Entity Certificates:

  altNames:  cla.atca.nsn.com
  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=ATCA_cla, E=gianluigi.ongaro at nsn.com"
  issuer:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  serial:    03
  validity:  not before Mar 31 09:14:01 2012, ok
             not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
  pubkey:    RSA 1024 bits, has private key
  keyid:     82:8e:cf:f7:a0:81:9e:00:77:0b:d7:ee:6f:f7:43:8a:d2:73:e4:af
  subjkey:   5f:ed:01:a0:a6:18:fd:12:dd:18:e1:fe:d4:76:a2:ea:4c:8f:e2:74

List of X.509 CA Certificates:

  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  issuer:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  serial:    00:a9:d9:3d:5e:b8:7b:a3:4d
  validity:  not before Mar 31 09:14:01 2012, ok
             not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
  pubkey:    RSA 1024 bits
  keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5
  subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
  authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f


On Mon, Apr 2, 2012 at 3:48 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Reshma,
>
> by default the certificate's subjectDistinguishedName is used as
> an ID. There is no mechanism to automatically assign subjectAltNames.
>
> What should we do if several subjectAltNames exist?
>
> Regards
>
> Andreas
>
> On 02.04.2012 11:14, Reshma Begam wrote:
> > Hi Andreas,
> >
> >  Thanks for the response and this works.
> >
> > Also, how can we assign identity info from cert files to  leftid/rightid
> > ?  instead of explicitly defining them.
> >
> > Example:  I am looking something like leftid=%fromcert
> >
> > leftid=%fromcert and leftid=%leftcert -->  I tried both these options on
> > the responder side instead of leftid=cla.atca.nsn.com, but it doesn't work.
> >
> > Could you please comment what the wild card entries should be on both
> > sides to achieve this assignment using certs?
> >
> > Thanks,
> > Reshma
> >
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>


-- 

Regards,
Reshma
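The following ipsec.conf fragment is an added illustration for the question above; it is not configuration from the original thread or from the strongSwan project. It applies Andreas's point that, with no explicit leftid, strongSwan identifies the local side by the subject DN of leftcert, and it uses rightid=%any on the responder to accept any peer identity type. The hostnames, the file name claCert.pem and the subnets are placeholder assumptions; the CA distinguished name is the issuer DN from the "ipsec stroke listall" output quoted above.

```ini
# Added example (not from the thread). Responder on the 10.0.0.1 side.
conn atca-responder
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey

    # Local side: no leftid is set, so strongSwan derives the local IKE
    # identity from the subject DN of this certificate (subjectDN default).
    # The file name claCert.pem is an assumption.
    left=10.0.0.1
    leftcert=claCert.pem

    # Remote side: accept any peer address and any asserted identity type
    # (FQDN, DN or IP). The peer is still authenticated by its certificate;
    # %any only removes the requirement that the identity match a fixed value.
    right=%any
    rightid=%any

    # Constrain which CA may have issued the peer certificate. Without this,
    # any certificate chaining to any loaded CA would be accepted, so this
    # line is the check that keeps rightid=%any from being too permissive.
    rightca="C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"

    # Placeholder traffic selectors (assumed).
    leftsubnet=10.0.0.0/24
    rightsubnet=0.0.0.0/0
    auto=add
```

Two practical notes on this shape of configuration. First, an explicit identity is not what "proves" the peer; the peer's certificate and its chain to a trusted CA do, and the asserted IKE identity is matched against that certificate (subject DN or a subjectAltName). Accepting any identity with rightid=%any therefore trades a fixed-identity check for a CA-membership check, which is why pinning rightca matters. Second, a subjectAltName such as cla.atca.nsn.com still has to be selected explicitly on the peer that wants to be identified by it (for example leftid=cla.atca.nsn.com on that peer), since, as Andreas notes, strongSwan does not pick a subjectAltName automatically.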