[strongSwan] understanding %fromcert
Andreas Steffen
andreas.steffen at strongswan.org
Mon Jul 15 12:51:25 CEST 2013
Hello Daniel,

   leftid=%fromcert

is an OpenSwan option not supported by strongSwan. The strongSwan
configuration is

   leftcert=carolCert.pem
   leftid=carol@strongswan.org

or simply

   leftcert=carolCert.pem

If leftid is missing, then left, i.e. the IP address, is chosen by
default for leftid, but since the IP address usually is not
contained as a subjectAltName in the certificate, the fallback
is for leftid to assume the value of the subject Distinguished
Name, e.g.

   leftid="C=CH, O=strongSwan, CN=carol@strongswan.org"

Regards

Andreas

On 15.07.2013 12:38, Daniel Pocock wrote:
>
>
> Hi,
>
> I notice the ipsec.conf man page found in Google states that %fromcert
> uses the DN:
>
> http://linux.die.net/man/5/ipsec.conf
>
> while the wiki page doesn't mention %fromcert but talks about "%":
>
> http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>
> Can somebody clarify this? In particular, if there is both a DN and one
> or more subjectAltName values, how does it choose which one to send?
> Will it try them all?
>
> Regards,
>
> Daniel
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
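
The following is an added example, not part of the original message and not strongSwan code: a small lint for ipsec.conf conn sections that flags the Openswan-only `leftid=%fromcert` and otherwise works out the identity per the fallback described in the reply. The helper names, the sample config and the `CERT` dictionary (a constructed stand-in for the identities in carolCert.pem, compared as plain strings) are assumptions.

```python
# Constructed sample: one conn carried over from an Openswan setup, one without leftid.
SAMPLE_CONF = """\
conn home
    left=192.168.0.100
    leftcert=carolCert.pem
    leftid=%fromcert

conn office
    left=192.168.0.100
    leftcert=carolCert.pem
"""

# Constructed stand-in for the certificate's identities (no X.509 parsing here).
CERT = {"subject": "C=CH, O=strongSwan, CN=carol@strongswan.org",
        "sans": ["carol@strongswan.org"]}


def parse_conns(text):
    """Return {conn_name: {key: value}} for a minimal ipsec.conf subset."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header such as "conn home"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns


def effective_leftid(conn, cert):
    """Return (identity, warning) following the fallback described in the reply."""
    leftid = conn.get("leftid")
    if leftid == "%fromcert":
        return None, "leftid=%fromcert is an Openswan option, not supported by strongSwan"
    if leftid:
        return leftid, None
    left = conn.get("left", "")
    if left and left in cert["sans"]:  # IP address present as a subjectAltName
        return left, None
    return cert["subject"], None  # fallback: subject Distinguished Name


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, effective_leftid(conn, CERT))
```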