[strongSwan] Multiple hostnames same server cert
kgardenia42
kgardenia42 at googlemail.com
Tue Dec 18 21:46:23 CET 2012
On Tue, Dec 18, 2012 at 6:09 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi,
>
> while generating your server certificate you can add multiple
> subjectAltNames:
>
> ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"
If I generate the server cert as per here:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
Then the hostname is also baked into the "-dn" option.
Example:
--dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com"
In the above case, how does vpn.foo.com being baked into the --dn
affect my ability to add an extra --san of vpn.bar.com?
Do I need multiple --dn options also? Or is it an option to not have
an explicit --dn with the server hostname baked into the --dn?
> If your clients are requesting different IDr identities then
> you must define two connections
>
> conn foo
>     also=server
>     leftid=vpn.foo.com
>     auto=add
>
> conn bar
>     also=server
>     leftid=vpn.bar.com
>     auto=add
>
> conn server
>     rightid=%any
>     ... # all other parameters
>     leftcert=serverCert.pem
Good information. Thanks.
>
> On 18.12.2012 17:03, kgardenia42 wrote:
>>
>> Hi,
>>
>> wrt. to this guide:
>> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>
>> I have created my server cert for vpn.foo.com as outlined:
>> ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
>> s.pem --cakey caKey.pem \
>> --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
>> --flag serverAuth --flag ikeIntermediate --outform pem >
>> serverCert.pem
>>
>> However, I want the *same* VPN server to be accessible by clients as
>> *both* vpn.foo.com and vpn.bar.com then how can I accomplish this? Do
>> I need a server cert and traffic selector for each one?
>>
>> Or is it somehow possible to hang both hostnames off the same server
>> cert (preferred)?
>>
>> If I need two server certs then can they both use the same CA? I
>> assumed so but when I try the above there seems to be some ambiguity
>> over which traffic selector is selected (well it appears to be the
>> first one in ipsec.conf). Is there a known gotcha there or have I
>> just missed something? If so I'll start from scratch.
>>
>> Thanks.
>
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
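A small check for the two-conn layout above, added here as an example and not strongSwan's own code: it expands the `also=` references in an ipsec.conf fragment and reports any `leftid` that is not covered by the server certificate's subjectAltName list. It assumes the `leftid` values are plain FQDNs and that the SAN list is copied from `ipsec pki --print --in serverCert.pem` (the sample conf and SAN list below are constructed).

```python
# Added example (not strongSwan code): verify every leftid used by a conn
# is a hostname the shared server cert carries as a subjectAltName.

# Constructed sample: the per-hostname conns from the thread, inheriting
# the shared settings from "conn server" via also=server.
SAMPLE_IPSEC_CONF = """\
conn foo
    also=server
    leftid=vpn.foo.com
    auto=add

conn bar
    also=server
    leftid=vpn.bar.com
    auto=add

conn server
    rightid=%any
    leftcert=serverCert.pem
"""

# Constructed: SAN list as read off `ipsec pki --print` after issuing
# the cert with --san "vpn.foo.com" --san "vpn.bar.com" (assumption).
SAMPLE_SANS = ["vpn.foo.com", "vpn.bar.com"]


def parse_conns(text):
    """Return {conn_name: {key: value}}; also= is kept as a plain key."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():             # section header, e.g. "conn foo"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is not None:               # indented key=value parameter
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def effective(conns, name, _seen=()):
    """Flatten also= inheritance: own keys override the referenced section."""
    if name in _seen:
        raise ValueError("also= loop at %s" % name)
    own = conns[name]
    merged = {}
    if "also" in own:
        merged.update(effective(conns, own["also"], _seen + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def leftids_missing_from_cert(text, san_names):
    """Sorted leftid values no SAN covers; an empty list means all are OK."""
    conns = parse_conns(text)
    sans = {s.lower() for s in san_names}
    missing = {effective(conns, n).get("leftid") for n in conns}
    return sorted(l for l in missing if l and l.lower() not in sans)
```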