[strongSwan] PKCS#12 and leftid
Jacques Monin
jacques.monin01 at gmail.com
Mon May 11 14:31:15 CEST 2015
Hello,
I'm trying to use the PKCS#12 format to store the cert, CA cert and keys. I managed
to get a configuration which is working fine but I would like more details
in order to improve it.
Here is my ipsec.conf:

config setup

conn %default
    dpddelay=30
    keyingtries=5
    rekeymargin=120
    dpdtimeout=120
    keyexchange=ikev1
    keylife=1h
    ikelifetime=6h
    authby=rsasig

conn Test
    right=X.X.X.X
    rightsubnet=172.16.1.0/24
    rightid=%any
    leftid=jacques.monin01 at gmail.com
    left=%defaultroute
    leftsubnet=172.16.0.3/32
    leftsendcert=always
    auto=route
    type=tunnel
    ike=aes256-sha2_256-modp1536
    esp=aes256-sha2_256-modp1024

ipsec.secrets:

: P12 Test.p12 "test"

I managed to open a tunnel by using the certificate's altName for leftid
but I would like to use the subject or the file path.
So here are my two questions:
1)
I know I can use leftid=subject in order to use the certificate loaded from
the P12 file but my cert subject has accents and strongSwan doesn't seem to
find the certificate when the subject has an accent.
For example my certificate subject is:
C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.monin01 at gmail.com
but when I do ipsec listall I have:
C=FR, ST=R?gion Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.monin01 at gmail.com
If I specify leftid="C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org,
E=jacques.monin01 at gmail.com", I can see in the logs :
"no private key found for 'C=FR, ST=R??gion Parisienne, L=Paris, OU=Org,
CN=1.Org, E=jacques.monin01 at gmail.com'"
How am I supposed to deal with it?
2)
I would rather specify which p12 the connection has to use.
Is there any way to specify in each connection configuration which p12 file
is supposed to be used?
Thanks for helping
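
Added example, not part of the original post and not strongSwan code: it shows how one accented character in the ST value produces the single "?" seen in the listall output and the double "??" seen in the log line, assuming the certificate stores ST in a single-byte encoding (T61String, treated here as Latin-1 as many tools do) while ipsec.conf is saved as UTF-8. The function names and the sanitizing rule are illustrative assumptions.

```python
# Added illustration; every value is constructed from the DN quoted in the post.
ASN1_TAG = {"PrintableString": 0x13, "T61String": 0x14, "UTF8String": 0x0C}
# Assumption: T61String is handled as Latin-1, a common simplification.
CODEC = {"PrintableString": "ascii", "T61String": "latin-1", "UTF8String": "utf-8"}

ST_VALUE = "R\u00e9gion Parisienne"  # accented e written as an escape
SUBJECT = "C=FR, ST=" + ST_VALUE + ", L=Paris, OU=Org, CN=1.Org"


def der_string(value, asn1_type):
    """DER-encode one attribute value (short-form length, at most 127 bytes)."""
    body = value.encode(CODEC[asn1_type])
    if len(body) > 127:
        raise ValueError("long-form DER lengths are not handled in this sketch")
    return bytes([ASN1_TAG[asn1_type], len(body)]) + body


def log_safe(raw):
    """Render bytes as a log sanitizer might: non-printable-ASCII becomes '?'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in raw)


def non_ascii_attributes(dn_text):
    """Names of the attributes in a 'K=V, K=V' DN whose value is not pure ASCII."""
    names = []
    for rdn in dn_text.split(", "):
        key, _, value = rdn.partition("=")
        if not value.isascii():
            names.append(key)
    return names


def value_bytes_match(value, type_a, type_b):
    """True if both string types yield the same content bytes (tag and length skipped)."""
    return der_string(value, type_a)[2:] == der_string(value, type_b)[2:]


if __name__ == "__main__":
    print("attributes with non-ASCII values:", non_ascii_attributes(SUBJECT))
    for asn1_type in ("T61String", "UTF8String"):
        encoded = der_string(ST_VALUE, asn1_type)
        print(f"{asn1_type:11} {encoded.hex()}  shown as: {log_safe(encoded[2:])}")
    print("L content identical: ", value_bytes_match("Paris", "T61String", "UTF8String"))
    print("ST content identical:", value_bytes_match(ST_VALUE, "T61String", "UTF8String"))
```

The string type actually used in a certificate can be checked with openssl x509 -noout -subject -nameopt multiline,show_type.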