[strongSwan] DHCP plugin static client id wrong format

Martin Willi martin at strongswan.org
Wed Feb 13 12:40:56 CET 2013


Hi,

> the DHCP Request’s Client Identifier field is set to the DER ASN1 DN 
> identifier of the client. I expected to see the FQDN in this field so
> that it could be used for pre-configured static assignment in the DHCP
> server’s configuration file.

The identity used in the Client Identifier is the one the IKE peer used
to authenticate itself in the IKE IDi payload (C=US, O=Sample,
CN=rw1.sample.org). This is the case for all IP pool backends. While we
could use another identity from the certificate, this is tricky: Which
one should we choose if there are multiple types, or even multiple
subjectAltNames for the same type?

The Android client authenticates itself with the certificate subject
when using certificate authentication, which is a full Distinguished
Name.

@Tobias, there is currently no way to change that, right?

> I also attached rightid_dns showing the failure of the SA establishment if
> rightid is set to the DNS of the client.

If the rightid is set this way, the identity the client uses does not
match anymore to your server connection. The peer gets rejected.

Regards
Martin
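
Added illustration, not part of the mail above and not strongSwan code: the DN from the mail encoded as DER and decoded again, to show the raw bytes a DHCP server would have to match on instead of an FQDN string. It assumes the identity's DER encoding appears in the Client Identifier as the quoted report describes; the PrintableString attribute types and all helper names are constructed for the example.

```python
# Constructed sample: the IDi from the mail, one PrintableString attribute per RDN.
SAMPLE_DN = [("C", "US"), ("O", "Sample"), ("CN", "rw1.sample.org")]
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
NAMES = {oid: name for name, oid in OIDS.items()}

def tlv(tag, body):
    """Build one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def encode_dn(rdns):
    """Encode [(attr, value), ...] as a DER X.501 Name."""
    body = b""
    for attr, value in rdns:
        atv = tlv(0x06, OIDS[attr]) + tlv(0x13, value.encode("ascii"))
        body += tlv(0x31, tlv(0x30, atv))      # SET { SEQUENCE { OID, string } }
    return tlv(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                               # long-form length
        size = n & 0x7F
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def decode_dn(der):
    """Render a DER Name as 'C=US, O=Sample, ...' for comparison with logs."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)      # SET
        _, atv, _ = read_tlv(rdn, 0)           # SEQUENCE
        _, oid, p = read_tlv(atv, 0)           # attribute type OID
        _, val, _ = read_tlv(atv, p)           # attribute value
        parts.append(f"{NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def as_hex(raw):
    """Colon-separated hex, as the bytes appear in a packet capture."""
    return ":".join(f"{b:02x}" for b in raw)
```

Calling `as_hex(encode_dn(SAMPLE_DN))` gives the byte string to compare against a capture of the DHCP Request; `decode_dn()` turns captured bytes back into the readable DN.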