[strongSwan] DHCP plugin static client id wrong format

Daniel Pocock daniel at pocock.com.au
Fri Jul 5 11:19:18 CEST 2013


On 13/02/13 12:40, Martin Willi wrote:
> Hi,
>
>> the DHCP Request’s Client Identifier field is set to the DER ASN1 DN 
>> identifier of the client. I expected to see the FQDN in this field so
>> that it could be used for pre-configured static assignment in the DHCP
>> server’s configuration file.
> The identity used in the Client Identifier is the one the IKE peer used
> to authenticate itself in the IKE IDi payload (C=US, O=Sample,
> CN=rw1.sample.org). This is the case for all IP pool backends. While we
> could use another identity from the certificate, this is tricky: Which
> one should we choose if there are multiple types, or even multiple
> subjectAltNames for the same type?

I agree this is tricky but it may be something that could be
configurable for each site.

For example, many road warriors only have a single SAN in their cert (if
any SAN at all).  A safer default may be to work through the following list:
a) if SAN exists, use it
b) if DN contains a CN value, use that (not full DN)
c) send full DN (as it is now) as client identifier

Some people may want to strip the domain and just send the hostname as
the client ID (not the full FQDN) - this would be a nice config option
for the dhcp plugin
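As an added illustration of the fallback list proposed above (not strongSwan's own code, and not part of the original mail), the following stand-alone Python models the selection rule SAN -> CN -> full DN, the optional hostname-only strip, and the encoding of the result as a DHCP Client Identifier option (option 61, RFC 2132). The PeerIdentity record, the choice to consider only DNS-type subjectAltNames, and the use of identifier type 0 for a non-hardware client id are assumptions made for the example; the real plugin sends the DER ASN.1 DN, as Martin describes.

```python
"""Model of a configurable DHCP Client Identifier selection for a road-warrior pool.

Added example, not strongSwan code. Assumed shapes: an IKE peer's identity is
reduced to an ordered list of RDNs plus a list of (type, value) subjectAltNames.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PeerIdentity:
    """What the peer authenticated with (constructed view, assumption for the example)."""
    dn: List[Tuple[str, str]]                                   # ordered RDNs
    sans: List[Tuple[str, str]] = field(default_factory=list)   # e.g. ("dns", "rw1.sample.org")


def dn_to_string(dn: List[Tuple[str, str]]) -> str:
    """Render the DN the way the mail shows it: C=US, O=Sample, CN=rw1.sample.org."""
    return ", ".join(f"{k}={v}" for k, v in dn)


def select_client_id(peer: PeerIdentity, hostname_only: bool = False) -> str:
    """Apply the proposed fallback list a) SAN, b) CN, c) full DN.

    Assumption: only DNS-type SANs qualify for a), and the first one wins, because a
    DHCP server's static mapping is keyed by a name. Other SAN types fall through to b).
    """
    dns_sans = [value for kind, value in peer.sans if kind == "dns"]
    if dns_sans:
        chosen = dns_sans[0]                                  # a) SAN present
    else:
        cns = [value for key, value in peer.dn if key.upper() == "CN"]
        if cns:
            chosen = cns[0]                                   # b) CN from the DN only
        else:
            return dn_to_string(peer.dn)                      # c) full DN, nothing to strip
    if hostname_only:
        chosen = chosen.split(".", 1)[0]                      # "rw1.sample.org" -> "rw1"
    return chosen


def encode_option61(client_id: str) -> bytes:
    """Build a DHCP option 61 TLV: code 61, length, type byte, identifier.

    Type 0 marks a non-hardware identifier (RFC 2132 section 9.14); a MAC would use type 1.
    """
    payload = b"\x00" + client_id.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("client identifier does not fit in a single DHCP option")
    return bytes([61, len(payload)]) + payload


def decode_option61(option: bytes) -> Tuple[int, bytes]:
    """Parse one option 61 TLV back into (type, identifier), rejecting malformed input."""
    if len(option) < 3 or option[0] != 61 or option[1] != len(option) - 2:
        raise ValueError("not a well-formed DHCP option 61")
    return option[2], option[3:]


if __name__ == "__main__":
    # Constructed peer matching the identity quoted in the mail.
    rw1 = PeerIdentity(dn=[("C", "US"), ("O", "Sample"), ("CN", "rw1.sample.org")])
    for strip in (False, True):
        cid = select_client_id(rw1, hostname_only=strip)
        print(f"hostname_only={strip}: {cid!r} -> {encode_option61(cid).hex()}")
```

The hostname-only strip is applied only to names taken from a SAN or CN; a full DN is sent unchanged, since splitting it at the first dot would produce garbage.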