[strongSwan] Multiple hostnames same server cert

kgardenia42 kgardenia42 at googlemail.com
Tue Dec 18 21:46:23 CET 2012


On Tue, Dec 18, 2012 at 6:09 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi,
>
> while generating your server certificate you can add multiple
> subjectAltNames:
>
>   ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"

If I generate the server cert as per here:
    http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29

Then the hostname is also baked into the "-dn" option.

Example:
--dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com"

In the above case, how does vpn.foo.com being baked into the --dn
affect my ability to add an extra --san of vpn.bar.com?

Do I need multiple --dn options also?  Or is it an option to not have
an explicit --dn with the server hostname baked into the --dn?

> If your clients are requesting different IDr identities then
> you must define two connections
>
> conn foo
>      also=server
>      leftid=vpn.foo.com
>      auto=add
>
> conn bar
>      also=server
>      leftid=vpn.bar.com
>      auto=add
>
> conn server
>      rightid=%any
>      ...                      # all other parameters
>      leftcert=serverCert.pem

Good information.  Thanks.

>
> On 18.12.2012 17:03, kgardenia42 wrote:
>>
>> Hi,
>>
>> wrt. to this guide:
>>     http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>
>> I have created my server cert for vpn.foo.com as outlined:
>> ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
>> s.pem --cakey caKey.pem \
>>            --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
>>            --flag serverAuth --flag ikeIntermediate --outform pem >
>> serverCert.pem
>>
>> However, I want the *same* VPN server to be accessible by clients as
>> *both* vpn.foo.com and vpn.bar.com then how can I accomplish this?  Do
>> I need a server cert and traffic selector for each one?
>>
>> Or is it somehow possible to hang both hostnames off the same server
>> cert (preferred)?
>>
>> If I need two server certs then can they both use the same CA?  I
>> assumed so but when I try the above there seems to be some ambiguity
>> over which traffic selector is selected (well it appears to be the
>> first one in ipsec.conf).  Is there a known gotcha there or have I
>> just missed something?  If so I'll start from scratch.
>>
>> Thanks.
>
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
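As an added example (not part of this thread and not strongSwan's own tooling), the following script reproduces the certificate layout Andreas describes, a single server certificate whose DN carries CN=vpn.foo.com but whose subjectAltName lists both vpn.foo.com and vpn.bar.com, using openssl as a stand-in for `ipsec pki --issue ... --san ... --san ...`. The CA name, the hostnames and the temporary directory are constructed for the example; the ikeIntermediate extended key usage is written by its OID 1.3.6.1.5.5.8.2.2 because openssl has no short name for it. The `cert_covers_host` helper then asks openssl's hostname verifier which names the certificate actually covers, which is the same question a client asks when it compares the IDr it requested against the server certificate: once a SAN extension is present, the DNS names in it decide the match, and the CN in the --dn string does not add coverage on its own.

```shell
#!/bin/sh
# Added example: one server certificate, two DNS subjectAltNames, issued by a
# private CA. Uses openssl instead of `ipsec pki`; all names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A throwaway CA (stands in for caCert.pem / caKey.pem in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/C=CH/O=strongSwan/CN=Example CA (constructed)" \
  -keyout caKey.pem -out caCert.pem 2>/dev/null

# 2. Server key and request. The DN names only vpn.foo.com, exactly as in
#    --dn "C=CH, O=strongSwan, CN=vpn.foo.com".
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=CH/O=strongSwan/CN=vpn.foo.com" \
  -keyout serverKey.pem -out server.csr 2>/dev/null

# 3. Extensions equivalent to --san "vpn.foo.com" --san "vpn.bar.com"
#    --flag serverAuth --flag ikeIntermediate (1.3.6.1.5.5.8.2.2).
cat > server.ext <<'EOF'
subjectAltName   = DNS:vpn.foo.com, DNS:vpn.bar.com
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
EOF

# 4. Issue serverCert.pem from the CA with those extensions attached.
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem \
  -CAcreateserial -days 365 -extfile server.ext \
  -out serverCert.pem 2>/dev/null

# Returns 0 when serverCert.pem chains to caCert.pem AND covers hostname $1.
# openssl matches the name against the SAN DNS entries; with a SAN present
# the subject CN is not consulted, which is why vpn.bar.com works without
# appearing anywhere in the --dn string.
cert_covers_host() {
  openssl verify -CAfile caCert.pem -verify_hostname "$1" serverCert.pem \
    >/dev/null 2>&1
}

# Show what the certificate carries and which names it validates for.
openssl x509 -in serverCert.pem -noout -subject
openssl x509 -in serverCert.pem -noout -text | grep -A1 'Subject Alternative Name'
for h in vpn.foo.com vpn.bar.com vpn.baz.com; do
  if cert_covers_host "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

Both vpn.foo.com and vpn.bar.com validate against the one certificate, while a name that is in neither the DN nor the SAN list (vpn.baz.com here) is rejected. This is the property that lets the `conn foo` / `conn bar` pair in Andreas's reply share one `leftcert=serverCert.pem` and differ only in `leftid`.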