[strongSwan] understanding %fromcert

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 15 12:51:25 CEST 2013


Hello Daniel,

leftid=%fromcert

is an Openswan option not supported by strongSwan. The strongSwan
configuration is

   leftcert=carolCert.pem
   leftid=carol at strongswan.org

or simply

   leftcert=carolCert.pem

If leftid is missing, then left, i.e. the IP address, is chosen by
default for leftid, but since the IP address usually is not
contained as a subjectAltName in the certificate, the fallback
is for leftid to assume the value of the subject Distinguished
Name, e.g.

   leftid="C=CH, O=strongSwan, CN=carol at strongswan.org"

Regards

Andreas

On 15.07.2013 12:38, Daniel Pocock wrote:
>
>
> Hi,
>
> I notice the ipsec.conf man page found in Google states that %fromcert
> uses the DN:
>
> http://linux.die.net/man/5/ipsec.conf
>
> while the wiki page doesn't mention %fromcert but talks about "%":
>
> http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>
> Can somebody clarify this?  In particular, if there is both a DN and one
> or more subjectAltName values, how does it choose which one to send?
> Will it try them all?
>
> Regards,
>
> Daniel
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
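
The fallback described in the reply above, modelled as an added example (not strongSwan code and not part of the original message). The function name, the dictionary layout for a certificate and the sample addresses are assumptions made for illustration; the " at " in the archived addresses is written as "@".

```python
import ipaddress


def _same_ip(a, b):
    """Compare two address strings by value, so different IPv6 spellings match."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        # left may be a hostname or a keyword, not a literal address
        return False


def effective_leftid(left, cert, leftid=None):
    """Return (identity, reason) following the rule stated in the message.

    Assumption: a configured leftid is used as written; checking it
    against the certificate is not modelled here.
    """
    if leftid is not None:
        return leftid, "configured leftid"
    for kind, value in cert["subjectAltNames"]:
        if kind == "IP" and _same_ip(value, left):
            return left, "left IP address is a subjectAltName"
    return cert["subject"], "left IP not in certificate, subject DN used"


# Constructed sample certificates (only the fields the rule looks at).
CAROL_CERT = {
    "subject": "C=CH, O=strongSwan, CN=carol@strongswan.org",
    "subjectAltNames": [("email", "carol@strongswan.org")],
}
GATEWAY_CERT = {
    "subject": "C=CH, O=Example, CN=gw.example.org",
    "subjectAltNames": [("DNS", "gw.example.org"), ("IP", "2001:db8::1")],
}

if __name__ == "__main__":
    cases = [
        ("192.168.0.100", CAROL_CERT, None),
        ("192.168.0.100", CAROL_CERT, "carol@strongswan.org"),
        ("2001:0db8:0:0:0:0:0:1", GATEWAY_CERT, None),
    ]
    for left, cert, leftid in cases:
        identity, reason = effective_leftid(left, cert, leftid)
        print(f"left={left} leftid={leftid!r} -> {identity} ({reason})")
```
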
