[strongSwan] dhcp plugin: mac address unpredictable?

Harald Dunkel harald.dunkel at aixigo.de
Thu Mar 20 13:27:53 CET 2014

Hi Andreas,

On 03/19/14 17:31, Andreas Steffen wrote:
> Hi Harri,
> the MAC address does not change if the new certificate
> has the same subjectDistinguishedName or subjectAlternativeName
> chosen as the IKEv2 ID.
> As an alternative you could explicitly register the client IKEv2 ID
> as a dhcp-client-identifier attribute with your DHCP server
> as in the following example scenario:
> http://www.strongswan.org/uml/testresults/ikev2/dhcp-static-client-id/console.log

If I got this right, then the dhcp-client-identifier is
supposed to be taken from either the CN or the DN in the
certificate. I tried both: The DHCP server doesn't

Looking at the DHCP discover packages sent by charon
(Wireshark) I do not see the CN, but some garbage (e.g.
a part from the OU and O entries). I see the mac address,


More information about the Users mailing list