[strongSwan] understanding %fromcert

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 15 12:51:25 CEST 2013

Hello Daniel,


is an OpenSwan option not supported by strongSwan. The strongSwan
configuration is

   leftid=carol@strongswan.org

or simply


If leftid is missing, then left, i.e. the IP address, is chosen by
default for leftid, but since the IP address usually is not
contained as a subjectAltName in the certificate, the fallback
is for leftid to assume the value of the subject Distinguished
Name, e.g.

   leftid="C=CH, O=strongSwan, CN=carol@strongswan.org"



On 15.07.2013 12:38, Daniel Pocock wrote:
> Hi,
> I notice the ipsec.conf man page found in Google states that %fromcert
> uses the DN:
> http://linux.die.net/man/5/ipsec.conf
> while the wiki page doesn't mention %fromcert but talks about "%":
> http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
> Can somebody clarify this?  In particular, if there is both a DN and one
> or more subjectAltName values, how does it choose which one to send?
> Will it try them all?
> Regards,
> Daniel

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
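
The leftid default described in the reply above, as an added example that is not part of the original post and not strongSwan's own code: a small audit over ipsec.conf conn sections that reports which identity each connection would present. The function names, the conn names, the IP address and the certificate dictionary (identities assumed to be already extracted from the X.509 certificate) are constructed for illustration.

```python
# Constructed certificate identities, assumed already extracted from the
# X.509 certificate (no certificate parsing is done here).
CAROL_CERT = {
    "subject_dn": "C=CH, O=strongSwan, CN=carol@strongswan.org",
    "subject_alt_names": ["carol@strongswan.org"],
}

# Constructed ipsec.conf fragment (conn names and IP are sample values).
SAMPLE_CONF = """\
conn explicit
    left=192.168.0.100
    leftid=carol@strongswan.org

conn implicit
    left=192.168.0.100

conn openswan-style
    left=192.168.0.100
    leftid=%fromcert
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts a section
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def effective_leftid(conn, cert):
    """Return (identity, reason) following the default described in the reply."""
    leftid = conn.get("leftid")
    if leftid == "%fromcert":
        return None, "%fromcert is an OpenSwan option, not supported by strongSwan"
    if leftid:
        return leftid, "explicit leftid"
    if conn.get("left") in cert["subject_alt_names"]:
        return conn["left"], "left IP address is a subjectAltName"
    return cert["subject_dn"], "fallback to subject Distinguished Name"

def audit(conf_text, cert):
    return {n: effective_leftid(c, cert) for n, c in parse_conns(conf_text).items()}
```
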
