[strongSwan] Multiple hostnames same server cert

Andreas Steffen andreas.steffen at strongswan.org
Tue Dec 18 22:03:59 CET 2012 

Hi,

I don't know how your VPN clients behave, but a strongSwan client
never matches a Common Name Relative Distinguished Name (RDN)

    CN=vpn.foo.com

which is part of a subject DN with an IKE IDr of vpn.foo.com,
but does so with subjectAltName X.509v3 certificate extensions.

Actually you could try to add multiple CN RDNs

   --dn "C=CH, O=strongSwan, CN=vpn.foo.com, CN=vpn.bar.com"

which is totally ok with subject DNs.

Regards

Andreas

On 18.12.2012 21:46, kgardenia42 wrote:
> On Tue, Dec 18, 2012 at 6:09 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> Hi,
>>
>> while generating your server certificate you can add multiple
>> subjectAltNames:
>>
>>    ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"
>
> If I generate the server cert as per here:
>      http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
>
> Then the hostname is also baked into the "-dn" option.
>
> Example:
> --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com"
>
> In the above case can how does vpn.foo.com being baked into the --dn
> affect my ability to add an extra --san of vpn.bar.com?
>
> Do I need multiple --dn options also?  Or is it an option to not have
> an explicit --dn with the server hostname baked into the --dn?
>
>> If your clients are requesting different IDr identities then
>> you must define two connections
>>
>> conn foo
>>       also=server
>>       leftid=vpn.foo.com
>>       auto=add
>>
>> conn bar
>>       also=server
>>       leftid=vpn.bar.com
>>       auto=add
>>
>> conn server
>>       rightid=%any
>>       ...                      # all other parameters
>>       leftcert=serverCert.pem
>
> Good information.  Thanks.
>
>>
>> On 18.12.2012 17:03, kgardenia42 wrote:
>>>
>>> Hi,
>>>
>>> wrt. to this guide:
>>>      http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>>
>>> I have created my server cert for vpn.foo.com as outlined:
>>> ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
>>> s.pem --cakey caKey.pem \
>>>             --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
>>>             --flag serverAuth --flag ikeIntermediate --outform pem >
>>> serverCert.pem
>>>
>>> However, I want the *same* VPN server to be accessible by clients as
>>> *both* vpn.foo.com and vpn.bar.com then how can I accomplish this?  Do
>>> I need a server cert and traffic selector for each one?
>>>
>>> Or is it somehow possible to hang both hostnames off the same server
>>> cert (preferred)?
>>>
>>> If I need two server certs then can they both use the same CA?  I
>>> assumed so but when I try the above there seems to be some ambiguity
>>> over which traffic selector is selected (well it appears to be the
>>> first one in ipsec.conf).  Is there a known gotcha there or have I
>>> just missed something?  If so I'll start from scratch.
>>>
>>> Thanks.
>>

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121218/d3351339/attachment.bin>

More information about the Users mailing list