[strongSwan] DN vs SAN fields

Jafar Al-Gharaibeh jafar at atcorp.com
Fri Dec 8 21:27:29 CET 2017


I have two certificates:
certA.pem with DN set to "CN=strongswan"
certB.pem with DN set to "CN=strongswan" and one SAN field set to "IP:2.2.2.2"


If I use certA.pem in a config like the following, it works (i.e. I can get the connection up and running):
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certA.pem
    rightid="CN=strongswan"


If I switch to certB.pem, it fails even if everything else stays the same and the DN is exactly the same:
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid="CN=strongswan"


If I change rightid to match the IP address in the SAN field, then it works again:
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid=2.2.2.2


It is as if, when the SAN field is present, it is preferred over the DN and it is the only one matched. The documentation of left/rightid says the id is matched against the DN OR any SAN field, but this is not what I see in my setup. Is this expected? What am I missing?


Thanks in advance,
Jafar
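The following is an added example, not part of the original post: a small shell check that lists the identities a certificate actually carries (its subject DN plus every subjectAltName) and tests whether a candidate rightid value equals one of them, so the two certificates from the question can be compared side by side. It generates throw-away self-signed certificates shaped like certA.pem and certB.pem with openssl (1.1.1 or later, for -addext and -ext); the helper names and the temporary paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate a certificate's identities
# (subject DN first, then each SAN) and check a candidate rightid against them.
# Certificates are generated here to mirror the question: certA carries only
# CN=strongswan, certB adds the SAN IP:2.2.2.2.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT.pem [SAN-spec]   throw-away self-signed cert with an optional SAN
make_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=strongswan" \
            -addext "subjectAltName=$2" -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=strongswan" \
            -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
    fi
}

# cert_identities CERT.pem   one identity per line: RFC 2253 DN, then every SAN
cert_identities() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
    # -ext prints a header line, then the SAN list comma-separated on one line
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tail -n +2 \
        | tr ',' '\n' | sed 's/^ *//; s/^IP Address:/IP:/'
}

# id_matches CERT.pem ID   succeed if ID equals the DN or any SAN; a bare address
# such as 2.2.2.2 (as written in rightid) is also accepted for an IP SAN
id_matches() {
    cert_identities "$1" | grep -qxF -e "$2" -e "IP:$2"
}

make_cert "$WORK/certA.pem"
make_cert "$WORK/certB.pem" "IP:2.2.2.2"
for c in certA certB; do
    echo "$c identities:"
    cert_identities "$WORK/$c.pem" | sed 's/^/  /'
done
for id in "CN=strongswan" "2.2.2.2"; do
    id_matches "$WORK/certB.pem" "$id" && echo "certB: '$id' present" || echo "certB: '$id' absent"
done
```

Run it against the real certB.pem (replace the generated path) to confirm which DN and SAN values the certificate really carries before comparing them with the rightid in the config.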
