[strongSwan] DN vs SAN fields
Jafar Al-Gharaibeh
jafar at atcorp.com
Fri Dec 8 21:27:29 CET 2017
I have two certificates:

certA.pem with DN set to "CN=strongswan"
certB.pem with DN set to "CN=strongswan" and one SAN field set to "IP:2.2.2.2"
If I use certA.pem in a config like the following, it works (i.e. I can
get the connection up and running):

    conn vpn
        left=1.1.1.1
        right=2.2.2.2
        rightcert=certA.pem
        rightid="CN=strongswan"
If I switch to certB.pem, it fails if everything else stays the
same, even though the DN is exactly the same:

    conn vpn
        left=1.1.1.1
        right=2.2.2.2
        rightcert=certB.pem
        rightid="CN=strongswan"
If I change the rightid to match the IP address in the SAN field,
then it works again:

    conn vpn
        left=1.1.1.1
        right=2.2.2.2
        rightcert=certB.pem
        rightid=2.2.2.2
It is as if, when the SAN field is present, it is preferred over the DN
and is the only one matched. The documentation of left/rightid says
the id is matched against the DN OR any SAN field, but this is not what
I see in my setup. Is this expected? What am I missing?
Thanks in advance,
Jafar
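The rule the documentation describes (an id matches if it equals the subject DN or any SAN entry) can be written down as a small matcher so the three configs above can be checked side by side. The following is an added illustration for this thread, not strongSwan's own matching code: the certificate contents are constructed dicts rather than parsed X.509, and the normalization choices (attribute types uppercased, RDN order preserved, IP addresses canonicalized with ipaddress, DNS names lowercased) are assumptions of this example. It does not reproduce whatever caused certB to fail in the poster's setup; it only shows what the documented rule would accept.

```python
"""Model of the documented left/rightid rule: an identity matches a
certificate if it equals the subject DN or any subjectAltName entry.
Added example for this thread, not strongSwan code; normalization rules
below are assumptions made for the illustration."""
import ipaddress
from typing import Optional, Tuple


def normalize_dn(dn: str) -> str:
    """Canonical form of a DN string: 'cn = x, o=y' -> 'CN=x, O=y'.
    Assumption: comma-separated RDNs without escaped commas; attribute
    values are compared case-sensitively."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ", ".join(rdns)


def parse_id(identity: str) -> Tuple[str, str]:
    """Classify an identity string into (kind, canonical value).
    'IP:2.2.2.2' and '2.2.2.2' both become ('ip', '2.2.2.2');
    'CN=strongswan' becomes ('dn', 'CN=strongswan');
    'vpn.example.org' becomes ('fqdn', 'vpn.example.org');
    'user@example.org' becomes ('email', 'user@example.org')."""
    s = identity.strip().strip('"')
    prefix, sep, rest = s.partition(":")
    kind = None
    if sep and prefix.upper() in ("IP", "DNS", "EMAIL"):
        kind, s = prefix.upper(), rest
    if kind in (None, "IP"):
        # An IPv6 literal also contains ':' but its first field is not
        # a known prefix, so it reaches this branch with kind None.
        try:
            return ("ip", str(ipaddress.ip_address(s)))
        except ValueError:
            if kind == "IP":
                raise
    if kind == "EMAIL" or (kind is None and "@" in s):
        return ("email", s.lower())
    if kind == "DNS" or (kind is None and "=" not in s):
        return ("fqdn", s.lower().rstrip("."))
    return ("dn", normalize_dn(s))


def match_id(configured_id: str, cert: dict) -> Optional[str]:
    """Return the certificate field that matched the configured id
    ('subject' or 'san:<entry>'), or None. Per the documented rule,
    either the subject DN or ANY SAN entry is sufficient."""
    want = parse_id(configured_id)
    if parse_id(cert["subject"]) == want:
        return "subject"
    for san in cert.get("san", []):
        if parse_id(san) == want:
            return f"san:{san}"
    return None


# Constructed stand-ins for the two certificates in the thread.
CERT_A = {"subject": "CN=strongswan", "san": []}
CERT_B = {"subject": "CN=strongswan", "san": ["IP:2.2.2.2"]}

if __name__ == "__main__":
    for label, cert in (("certA", CERT_A), ("certB", CERT_B)):
        for rid in ('"CN=strongswan"', "2.2.2.2", "CN=other"):
            print(f"{label} rightid={rid:<16} -> {match_id(rid, cert)}")
```

Under this model, rightid="CN=strongswan" matches certB through the subject, rightid=2.2.2.2 matches it through the SAN, and an unrelated DN matches nothing; the same id matches certA only through the subject, since it has no SAN. When comparing against a real deployment, the useful check is which of these two paths the daemon's log reports for the peer identity, since that tells you whether the DN was considered at all.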