[strongSwan] PKCS#12 and leftid

Martin Willi martin at strongswan.org
Mon May 11 14:48:04 CEST 2015


> 1) [...]
> For example my certificate subjet is :
> C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.monin01 at gmail.com
> but when I do ipsec listall I have :
> C=FR, ST=R?gion Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.monin01 at gmail.com

Converting Distinguished Names to strings is very conservative in
strongSwan, anything non-ASCII gets replaced by '?'. However, actually
comparing distinguished names is more flexible, as it is not done on
that converted string, but the ASN.1 encoding.

Specifying leftid correctly probably depends on your ipsec.conf encoding
and your locale.

> 2) I would rather specify which p12 the connection has to use.
> Is there any way to specify in each connection configuration which p12 file
> is supposed to be use ?

No, not for PKCS#12. You can enforce a plain certificate to use using
leftcert, and leftid gets replaced by the cert subject if it is not
contained in the cert as subjectAltName.

But this requires that you extract your PKCS#12 container and configure
the certificates and keys separately, as leftcert does not take


More information about the Users mailing list