[strongSwan] Multiple hostnames same server cert

Andreas Steffen andreas.steffen at strongswan.org
Tue Dec 18 19:09:08 CET 2012


while generating your server certificate you can add multiple

   ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"

If your clients are requesting different IDr identities then
you must define two connections

conn foo

conn bar

conn server
      ...                      # all other parameters



On 18.12.2012 17:03, kgardenia42 wrote:
> Hi,
> wrt. to this guide:
>     http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> I have created my server cert for vpn.foo.com as outlined:
> ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
> s.pem --cakey caKey.pem \
>            --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
>            --flag serverAuth --flag ikeIntermediate --outform pem >
> serverCert.pem
> However, I want the *same* VPN server to be accessible by clients as
> *both* vpn.foo.com and vpn.bar.com then how can I accomplish this?  Do
> I need a server cert and traffic selector for each one?
> Or is it somehow possible to hang both hostnames off the same server
> cert (preferred)?
> If I need two server certs then can they both use the same CA?  I
> assumed so but when I try the above there seems to be some ambiguity
> over which traffic selector is selected (well it appears to be the
> first one in ipsec.conf).  Is there a known gotcha there or have I
> just missed something?  If so I'll start from scratch.
> Thanks.

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121218/26f03674/attachment.bin>

More information about the Users mailing list