[strongSwan] allowing multiple OU

Martin Willi martin at strongswan.org
Fri Mar 21 16:30:36 CET 2014


> Is there a way to allow servers with valid certs and 
> OU=Servers_vpngateway2 and ignore all other (there may be one, two, 
> three, four, etc) OU's that is not writing conn definitions for all the 
> different combinations?

No, unfortunately DN matching is limited to strict RDN sequences, where
single RDNs may equal to '*' for a wildcard match. The type, count and
order of RDNs must be equal in the matching template and the identity.

So unless you have some usable subjectAltNames in your certificates, you
will need distinct connection definitions. Of course you may
alternatively match to %any, associated CA certificates or even
certificate policies, but not sure if that is applicable to your setup.


More information about the Users mailing list