[strongSwan] DHCP plugin static client id wrong format

g s gs59937 at gmail.com
Thu Feb 14 07:54:43 CET 2013


Hello Martin,

Thank you for your answer – it was very helpful. It would be useful if the
identifier the client uses to authenticate itself could be changed.
However, I now understand that I will need to handle the variability of the
peer identifiers to use DHCP static address assignment.

Best Regards,
gs


On Wed, Feb 13, 2013 at 4:40 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > the DHCP Request’s Client Identifier field is set to the DER ASN1 DN
> > identifier of the client. I expected to see the FQDN in this field so
> > that it could be used for pre-configured static assignment in the DHCP
> > server’s configuration file.
>
> The identity used in the Client Identifier is the one the IKE peer used
> to authenticate itself in the IKE IDi payload (C=US, O=Sample,
> CN=rw1.sample.org). This is the case for all IP pool backends. While we
> could use another identity from the certificate, this is tricky: Which
> one should we choose if there are multiple types, or even multiple
> subjectAltNames for the same type?
>
> The Android client authenticates itself with the certificate subject
> when using certificate authentication, which is a full Distinguished
> Name.
>
> @Tobias, there is currently no way to change that, right?
>
> > I also attached rightid_dns showing the failure of the SA establishment
> > if rightid is set to the DNS of the client.
>
> If the rightid is set this way, the identity the client uses does not
> match anymore to your server connection. The peer gets rejected.
>
> Regards
> Martin
>
>
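
As an added illustration (not part of the original thread and not strongSwan code), the sketch below DER-encodes the DN quoted above and prints it as a colon-separated hex client identifier in an ISC dhcpd host declaration, which is one way to do static assignment when the Client Identifier carries a DER ASN.1 DN. Assumptions: the DHCP server is ISC dhcpd, the plugin sends the identity encoding unchanged, every attribute value is a PrintableString (the authoritative bytes are the subject field of the peer's certificate, which may use UTF8String instead), and the host name and fixed address are constructed sample values.

```python
# Added example: DER-encode a distinguished name and render it as an
# ISC dhcpd host declaration keyed on the DHCP client identifier.
# Assumption: attribute values are PrintableString (tag 0x13).

OIDS = {  # X.520 attribute type OIDs as DER content bytes (2.5.4.x)
    "C": bytes([0x55, 0x04, 0x06]),
    "O": bytes([0x55, 0x04, 0x0A]),
    "OU": bytes([0x55, 0x04, 0x0B]),
    "CN": bytes([0x55, 0x04, 0x03]),
}

def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def encode_dn(dn: str) -> bytes:
    """Encode 'C=US, O=Sample, CN=host' as a DER Name, one attribute per RDN.
    Values containing commas are not handled by this simple splitter."""
    rdns = b""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        oid = tlv(0x06, OIDS[key.strip().upper()])
        atv = oid + tlv(0x13, value.strip().encode("ascii"))
        rdns += tlv(0x31, tlv(0x30, atv))  # SET { SEQUENCE { OID, value } }
    return tlv(0x30, rdns)

def dhcpd_host(name: str, dn: str, address: str) -> str:
    """Build a dhcpd.conf host block matching the DER DN as client identifier."""
    ident = ":".join(f"{b:02x}" for b in encode_dn(dn))
    return (f"host {name} {{\n"
            f"  option dhcp-client-identifier {ident};\n"
            f"  fixed-address {address};\n"
            f"}}\n")

if __name__ == "__main__":
    # Host name and address are constructed sample values.
    print(dhcpd_host("rw1", "C=US, O=Sample, CN=rw1.sample.org", "10.3.0.10"))
```

Comparing the generated hex with the Client Identifier seen in a packet capture of the DHCP Request shows whether the string-type assumption holds for a given certificate.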