[strongSwan] understanding %fromcert
Daniel Pocock
daniel at pocock.com.au
Mon Jul 15 13:25:45 CEST 2013
On 15/07/13 12:51, Andreas Steffen wrote:
> Hello Daniel,
>
> leftid=%fromcert
>
> is an OpenSwan option not supported by strongSwan. The strongSwan
> configuration is
>
> leftcert=carolCert.pem
> leftid=carol@strongswan.org
>
> or simply
>
> leftcert=carolCert.pem
>
> If leftid is missing then left, i.e. the IP address is chosen by
> default for leftid but since the IP address usually is not
> contained as a subjectAltName in the certificate, the fallback
> is for leftid to assume the value of the subject Distinguished
> Name as e.g.
>
> leftid="C=CH, O=strongSwan, CN=carol@strongswan.org"

So the subjectAltName will only be used if

a) leftid=@hostname.example.org and
b) hostname.example.org is in the subjectAltName in the cert?

Do you think it would be useful to add some explicit variables for this,
e.g. allowing users to specify:

leftid=%dn,%san

or

leftid=%san,%dn
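
The fallback Andreas describes in the quoted reply, as a simplified Python model. This is an added example, not part of the thread and not strongSwan code. The function names, the sample address 192.0.2.100 and the certificate data are constructed, and the handling of an explicit leftid that the certificate does not contain is an assumption.

```python
import ipaddress

# Constructed sample data modelled on the carol certificate named in the thread.
CAROL_DN = "C=CH, O=strongSwan, CN=carol@strongswan.org"
CAROL_SANS = [("email", "carol@strongswan.org")]

def classify(value):
    """Return (type, normalised value) for an identity string."""
    if value.startswith("@"):              # leftid=@hostname.example.org
        return "fqdn", value[1:].lower()
    if "=" in value:                       # looks like a Distinguished Name
        return "dn", value
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    return ("email" if "@" in value else "fqdn"), value.lower()

def effective_id(left, subject_dn, sans, leftid=None):
    """Return (identity, confirmed_by_cert).

    left       -- local IP address, used as the ID when leftid is missing
    subject_dn -- subject Distinguished Name of leftcert
    sans       -- subjectAltName entries as (type, value) tuples
    Assumption: an explicit leftid that the certificate does not contain
    falls back to the subject DN in the same way as the default IP does.
    DNs are compared as plain strings, which is a simplification.
    """
    candidate = leftid if leftid is not None else left
    kind, value = classify(candidate)
    if kind == "dn":
        confirmed = value == subject_dn
    else:
        cert_names = {
            (k, str(ipaddress.ip_address(v)) if k == "ip" else v.lower())
            for k, v in sans
        }
        confirmed = (kind, value) in cert_names
    return (candidate, True) if confirmed else (subject_dn, False)

if __name__ == "__main__":
    # leftid missing: the IP is not a subjectAltName, so the DN is used.
    print(effective_id("192.0.2.100", CAROL_DN, CAROL_SANS))
    # leftid matches a subjectAltName in the certificate.
    print(effective_id("192.0.2.100", CAROL_DN, CAROL_SANS,
                       leftid="carol@strongswan.org"))
```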