[strongSwan] expected record boundary in key

Tobias Brunner tobias at strongswan.org
Tue Feb 7 16:44:34 CET 2012


Hi,

>  When I try to add 'leftcert', I can no longer use PSK.

Well, what's the point of defining a certificate if you want to use a
pre-shared secret for authentication?

>    conn %default
>      ...
>      leftcert=host_domain_tld.pem
>      leftid=@host.domain.tld
> 
>  This gives me the following in the logs:
> 
>    Feb  7 15:35:20 192.168.69.1 pluto[3398]:   id 'host.domain.tld' not 
>  confirmed by certificate, defaulting to 'C=SE, O=Bayour.COM, OU=System, 
>  CN=host.domain.tld, E=turbo at bayour.com'
> 
>  and if removing the leftid:
> 
>    Feb  7 15:36:28 192.168.69.1 pluto[3466]:   id '%any' not confirmed 
>  by certificate, defaulting to 'C=SE, O=Bayour.COM, OU=System, 
>  CN=host.domain.tld, E=turbo at bayour.com'

If leftid is not specified it defaults to the certificate's subject if a
certificate is specified (otherwise the local IP address is used as ID).
If both leftid and leftcert are specified, leftid has to match the
subject or one of the subjectAltNames of the certificate, otherwise it
defaults back to the subject (which is what happened in the first case
above).  That is, if you want to use @host.domain.tld as leftid you have
to add DNS:host.domain.tld as subjectAltName to your certificate.

>    "C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, 
>  E=turbo at bayour.com" <A_RIGHTID_IP> : PSK "SomESecReet"
>    "C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, 
>  E=turbo at bayour.com" %any : PSK "aNothEERseCreT"

There is currently no support to use DNs as ID selectors in
ipsec.secrets.  As indicated by my initial question above this wouldn't
make much sense anyway.

Regards,
Tobias
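The ID-selection rule Tobias describes (leftid unset: certificate subject, or the local IP when there is no certificate; leftid set: kept only if the certificate confirms it, otherwise back to the subject) as an added, runnable model. This is example code written for this page, not strongSwan's; the certificate is a constructed dict with the subject quoted in the thread (address de-obfuscated to turbo@bayour.com), and the ID-type prefixes and SAN spellings ("DNS:", "email:", "IP:") are this model's simplifying assumptions.

```python
"""Model of how pluto picks the local ID from leftid and leftcert.

Added illustration for the reply above; not strongSwan code.  Certificates
are plain dicts (subject DN string plus a list of 'TYPE:value' SANs) so the
example runs offline without a crypto library.
"""

# Constructed certificate: the subject quoted in the thread, no subjectAltName.
CERT_NO_SAN = {
    "subject": "C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, "
               "E=turbo@bayour.com",
    "san": [],
}

# The same certificate re-issued with the subjectAltName Tobias asks for.
CERT_WITH_SAN = dict(CERT_NO_SAN, san=["DNS:host.domain.tld"])


def parse_dn(dn):
    """Split 'C=SE, O=Foo' into an ordered list of (TYPE, value) pairs.

    Attribute types are case-insensitive; values are compared verbatim (a
    real implementation also applies X.500 string matching rules, skipped
    here).
    """
    rdns = []
    for part in dn.split(","):
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def classify_id(leftid):
    """Map an ipsec.conf ID string to (kind, value).

    Assumed simplification: '@name' is an FQDN (not resolved), anything with
    '=' a DN, 'user@host' an e-mail address, everything else an IP address.
    """
    if leftid.startswith("@"):
        return "fqdn", leftid[1:]
    if "=" in leftid:
        return "dn", leftid
    if "@" in leftid:
        return "email", leftid
    return "ip", leftid


def id_confirmed_by_cert(leftid, cert):
    """True if leftid equals the subject DN or appears as a subjectAltName."""
    kind, value = classify_id(leftid)
    if kind == "dn":
        return parse_dn(value) == parse_dn(cert["subject"])
    san_prefix = {"fqdn": "DNS:", "email": "email:", "ip": "IP:"}[kind]
    return (san_prefix + value) in cert["san"]


def effective_left_id(leftid, cert, local_ip):
    """Return (id_used, warning) following the rule in the reply.

    - no certificate: the configured leftid, else the local IP address;
    - certificate, leftid unset or %any: the certificate subject;
    - both: leftid if the certificate confirms it, otherwise the subject
      again, with the warning pluto logs in that case.
    """
    if cert is None:
        return (leftid or local_ip), None
    if leftid is None:
        leftid = "%any"
    if leftid != "%any" and id_confirmed_by_cert(leftid, cert):
        return leftid, None
    shown = leftid[1:] if leftid.startswith("@") else leftid
    warning = "id '%s' not confirmed by certificate, defaulting to '%s'" % (
        shown, cert["subject"])
    return cert["subject"], warning


if __name__ == "__main__":
    ip = "192.168.69.1"
    for leftid, cert in [("@host.domain.tld", CERT_NO_SAN),
                         (None, CERT_NO_SAN),
                         ("@host.domain.tld", CERT_WITH_SAN),
                         (None, None)]:
        used, warning = effective_left_id(leftid, cert, ip)
        print("leftid=%r -> %r%s" % (leftid, used,
                                      "  (%s)" % warning if warning else ""))
```

The first two cases reproduce the two log lines quoted in the thread; the third shows that adding DNS:host.domain.tld as a subjectAltName is what makes @host.domain.tld stick. A DN given as leftid is compared RDN by RDN against the subject, so attribute-type case differences do not break the match.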