[strongSwan] Multiple hostnames same server cert
kgardenia42 at googlemail.com
Tue Dec 18 21:46:23 CET 2012
On Tue, Dec 18, 2012 at 6:09 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> while generating your server certificate you can add multiple
> ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"
If I generate the server cert as per here:
Then the hostname is also baked into the "-dn" option.
--dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com"
In the above case, how does vpn.foo.com being baked into the --dn
affect my ability to add an extra --san of vpn.bar.com?
Do I need multiple --dn options also? Or is it an option to not have
an explicit --dn with the server hostname baked into the --dn?
> If your clients are requesting different IDr identities then
> you must define two connections
> conn foo
> conn bar
> conn server
> ... # all other parameters
Good information. Thanks.
> On 18.12.2012 17:03, kgardenia42 wrote:
>> wrt. to this guide:
>> I have created my server cert for vpn.foo.com as outlined:
>> ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
>> s.pem --cakey caKey.pem \
>> --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
>> --flag serverAuth --flag ikeIntermediate --outform pem >
>> However, if I want the *same* VPN server to be accessible by clients as
>> *both* vpn.foo.com and vpn.bar.com then how can I accomplish this? Do
>> I need a server cert and traffic selector for each one?
>> Or is it somehow possible to hang both hostnames off the same server
>> cert (preferred)?
>> If I need two server certs then can they both use the same CA? I
>> assumed so but when I try the above there seems to be some ambiguity
>> over which traffic selector is selected (well it appears to be the
>> first one in ipsec.conf). Is there a known gotcha there or have I
>> just missed something? If so I'll start from scratch.
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
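The certificate this thread is about, with a single subject DN (CN=vpn.foo.com) and both hostnames as subjectAltName entries, issued and checked in an added example that is not part of the original messages. It assumes openssl as a stand-in for `ipsec pki`, a throwaway CA and constructed file names; `-checkhost` performs TLS-style name matching and only shows that both SANs are present in the certificate, not how strongSwan selects a connection.

```shell
#!/bin/sh
# Added example. openssl stands in for "ipsec pki"; all file names are constructed.
set -eu

# Issue a throwaway CA plus one server cert: CN=vpn.foo.com, SANs for both hostnames.
issue_server_cert() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=CH/O=strongSwan/CN=Example Test CA" \
        -keyout "$d/caKey.pem" -out "$d/caCert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CH/O=strongSwan/CN=vpn.foo.com" \
        -keyout "$d/serverKey.pem" -out "$d/serverReq.pem" 2>/dev/null
    # The SAN list is an extension of its own; the subject DN above stays unchanged.
    printf '%s\n' 'subjectAltName=DNS:vpn.foo.com,DNS:vpn.bar.com' \
        'extendedKeyUsage=serverAuth' > "$d/ext.cnf"
    openssl x509 -req -in "$d/serverReq.pem" -days 1 \
        -CA "$d/caCert.pem" -CAkey "$d/caKey.pem" -CAcreateserial \
        -extfile "$d/ext.cnf" -out "$d/serverCert.pem" 2>/dev/null
}

# Succeeds when certificate $1 carries hostname $2.
cert_has_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
issue_server_cert "$workdir"
for h in vpn.foo.com vpn.bar.com vpn.other.example; do
    if cert_has_host "$workdir/serverCert.pem" "$h"; then
        echo "$h: present in certificate"
    else
        echo "$h: not present"
    fi
done
```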