[strongSwan] Multiple hostnames same server cert
Andreas Steffen
andreas.steffen at strongswan.org
Tue Dec 18 22:03:59 CET 2012
Hi,
I don't know how your VPN clients behave, but a strongSwan client
never matches a Common Name Relative Distinguished Name (RDN)
CN=vpn.foo.com
which is part of a subject DN with an IKE IDr of vpn.foo.com,
but does so with subjectAltName X.509v3 certificate extensions.
Actually you could try to add multiple CN RDNs
--dn "C=CH, O=strongSwan, CN=vpn.foo.com, CN=vpn.bar.com"
which is totally ok with subject DNs.
Regards
Andreas
On 18.12.2012 21:46, kgardenia42 wrote:
> On Tue, Dec 18, 2012 at 6:09 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> Hi,
>>
>> while generating your server certificate you can add multiple
>> subjectAltNames:
>>
>> ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"
>
> If I generate the server cert as per here:
> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
>
> Then the hostname is also baked into the "-dn" option.
>
> Example:
> --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com"
>
> In the above case, how does vpn.foo.com being baked into the --dn
> affect my ability to add an extra --san of vpn.bar.com?
>
> Do I need multiple --dn options also? Or is it an option to not have
> an explicit --dn with the server hostname baked into the --dn?
>
>> If your clients are requesting different IDr identities then
>> you must define two connections
>>
>> conn foo
>>     also=server
>>     leftid=vpn.foo.com
>>     auto=add
>>
>> conn bar
>>     also=server
>>     leftid=vpn.bar.com
>>     auto=add
>>
>> conn server
>>     rightid=%any
>>     ... # all other parameters
>>     leftcert=serverCert.pem
>
> Good information. Thanks.
>
>>
>> On 18.12.2012 17:03, kgardenia42 wrote:
>>>
>>> Hi,
>>>
>>> wrt. to this guide:
>>> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>>
>>> I have created my server cert for vpn.foo.com as outlined:
>>> ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
>>> s.pem --cakey caKey.pem \
>>> --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
>>> --flag serverAuth --flag ikeIntermediate --outform pem >
>>> serverCert.pem
>>>
>>> However, I want the *same* VPN server to be accessible by clients as
>>> *both* vpn.foo.com and vpn.bar.com then how can I accomplish this? Do
>>> I need a server cert and traffic selector for each one?
>>>
>>> Or is it somehow possible to hang both hostnames off the same server
>>> cert (preferred)?
>>>
>>> If I need two server certs then can they both use the same CA? I
>>> assumed so but when I try the above there seems to be some ambiguity
>>> over which traffic selector is selected (well it appears to be the
>>> first one in ipsec.conf). Is there a known gotcha there or have I
>>> just missed something? If so I'll start from scratch.
>>>
>>> Thanks.
>>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
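The matching rule Andreas describes, written out as an added, self-contained example (this is not strongSwan code and not part of the thread): an IKE IDr given as an FQDN is compared against the certificate's subjectAltName dNSName entries only, never against a CN RDN inside the subject DN, while an IDr given as a DN is compared against the whole subject DN, which may carry several CN RDNs. The `Cert` records, the DN parser and the `pki_issue_args` helper are constructed here for illustration; they emulate the behaviour rather than call strongSwan.

```python
"""Added example: emulation of strongSwan's IDr-to-certificate matching as
described in the thread. Not code from the strongSwan project; the Cert
records below are constructed inline, no real certificate is parsed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for an X.509 server certificate (constructed)."""
    subject_dn: str
    sans: list[str] = field(default_factory=list)  # subjectAltName dNSName values


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'C=CH, O=strongSwan, CN=vpn.foo.com' into ordered RDN pairs.

    A DN is a sequence, so order is kept and duplicate attribute types
    (e.g. two CN RDNs) are preserved rather than collapsed."""
    rdns: list[tuple[str, str]] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def is_dn(identity: str) -> bool:
    """Identity type is inferred from syntax: attr=value pairs form a DN,
    a bare dotted name is treated as an FQDN (assumption of this emulation)."""
    return "=" in identity


def identity_matches(idr: str, cert: Cert) -> bool:
    """Return True if the requested IDr is an identity the certificate carries."""
    if is_dn(idr):
        # DN identities are compared against the full subject DN, RDN by RDN.
        return parse_dn(idr) == parse_dn(cert.subject_dn)
    # FQDN identities: only SAN dNSName entries count; CN is deliberately
    # ignored, which is the gotcha the original poster ran into.
    wanted = idr.lower().rstrip(".")
    return any(san.lower().rstrip(".") == wanted for san in cert.sans)


def pki_issue_args(dn: str, sans: list[str]) -> list[str]:
    """Assemble the `ipsec pki --issue` options for one server certificate
    covering every hostname: one --san per name, as suggested in the thread."""
    args = ["--dn", dn]
    for san in sans:
        args += ["--san", san]
    args += ["--flag", "serverAuth", "--flag", "ikeIntermediate"]
    return args


if __name__ == "__main__":
    # Certificate issued as the thread recommends: one cert, two SANs.
    good = Cert("C=CH, O=strongSwan, CN=vpn.foo.com", ["vpn.foo.com", "vpn.bar.com"])
    # Certificate where vpn.foo.com appears only in the CN: FQDN IDr will not match.
    cn_only = Cert("C=CH, O=strongSwan, CN=vpn.foo.com")
    for name in ("vpn.foo.com", "vpn.bar.com"):
        print(f"{name}: two-SAN cert -> {identity_matches(name, good)}, "
              f"CN-only cert -> {identity_matches(name, cn_only)}")
    print(" ".join(pki_issue_args("C=CH, O=strongSwan, CN=vpn.foo.com",
                                  ["vpn.foo.com", "vpn.bar.com"])))
```

Running the script shows both hostnames matching against the two-SAN certificate and neither matching against the CN-only one, which is why a second `--san` rather than a second `--dn` is the fix; the DN branch also accepts a subject with two CN RDNs when the client sends that full DN as its IDr.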