[strongSwan] Calculating the generated MAC address when identity_lease is enabled

Tobias Brunner tobias at strongswan.org
Mon Apr 9 10:39:33 CEST 2018

Hi Micah,

> 1.  Can I configure the strongSwan server to force the clients to send
>     the FQDNs as identities?

No, that's a local decision.

> 2.  Alternatively, can I generate certificates differently to force the
>     clients to send the FQDNs as identities?

Not that I'm aware.

> 3.  Am I misreading the documentation about rightid=%fqdn? If so, what
>     is it intended to do?

It's mostly useful on clients to match the configured identity against
SANs in the server certificate if the server uses the subject DN as
identity.  It doesn't change the IKE identity the peer sends.

> 4.  Can I avoid using two conn sections for each user somehow?

If you want to match their identity, no.

> 5.  Even better, can I use a single conn section to match all users,
>     no matter their operating system, and enforce that they send their
>     client identifier to the DHCP server the same way?

Have a look at [1] for my suggestion to Harald (who had a similar
question) for a possible code modification to do this (i.e. get the
client certificate, extract the first dNSName SAN and then forward that
as host name in the DHCP request).


[1] https://wiki.strongswan.org/issues/2581
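As an added illustration of the modification suggested above (this is example code, not strongSwan's dhcp plugin and not the patch discussed in [1]): take the subjectAltName extension of a client certificate, extract the first dNSName, and encode it as the DHCP Host Name option (option 12, RFC 2132). The option 61 client identifier is included as this example's own choice; the mail only talks about the host name. The SAN extension bytes are constructed inline, and the DER parser is a minimal hand-written one so the script runs without any third-party library. The validation step is the caveat a practitioner would want: a dNSName is CA-controlled input, so a wildcard or non-ASCII name should be rejected rather than pushed into a DHCP lease database.

```python
"""Added example (not strongSwan code): first dNSName SAN -> DHCP options."""
import re

# DER tags used below.  In GeneralNames, dNSName is context-specific [2]
# (primitive, so 0x82); rfc822Name is [1] (0x81); the outer type is SEQUENCE.
TAG_SEQUENCE = 0x30
TAG_RFC822NAME = 0x81
TAG_DNSNAME = 0x82

DHCP_OPT_HOST_NAME = 12      # RFC 2132 section 3.14
DHCP_OPT_CLIENT_ID = 61      # RFC 2132 section 9.14, type 0 = non-hardware


def der_tlv(tag, payload):
    """Encode one DER TLV with a short-form length (enough for the sample)."""
    if len(payload) >= 128:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([tag, len(payload)]) + payload


# Constructed sample: the *value* of a subjectAltName extension, i.e.
#   GeneralNames ::= SEQUENCE { rfc822Name, dNSName, dNSName }
# with the e-mail address deliberately first so the code has to skip it.
SAMPLE_SAN = der_tlv(
    TAG_SEQUENCE,
    der_tlv(TAG_RFC822NAME, b"alice@example.org")
    + der_tlv(TAG_DNSNAME, b"alice.vpn.example.org")
    + der_tlv(TAG_DNSNAME, b"alt.example.org"),
)


def read_tlv(buf, pos):
    """Parse one definite-length DER TLV at buf[pos]; return (tag, value, next)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def dns_names_from_san(san_der):
    """Return all dNSName entries of a subjectAltName value, in certificate order."""
    tag, names, end = read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE or end != len(san_der):
        raise ValueError("subjectAltName value is not a single SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        if tag == TAG_DNSNAME:              # IA5String, so ASCII only
            try:
                found.append(value.decode("ascii"))
            except UnicodeDecodeError:
                raise ValueError("dNSName is not a valid IA5String")
    return found


def first_dns_name(san_der):
    """The name the suggested modification would forward, or None if absent."""
    names = dns_names_from_san(san_der)
    return names[0] if names else None


# Plain RFC 1035 host name: labels of 1..63 [A-Za-z0-9-], no leading/trailing
# hyphen, optional trailing dot.  Rejects wildcards, IDNA and control bytes.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def _checked_name(fqdn):
    if len(fqdn) > 255 or not _HOSTNAME_RE.match(fqdn):
        raise ValueError("refusing to forward %r as a DHCP name" % (fqdn,))
    return fqdn.rstrip(".").encode("ascii")


def dhcp_host_name_option(fqdn):
    """Option 12: code, length, host name bytes."""
    name = _checked_name(fqdn)
    return bytes([DHCP_OPT_HOST_NAME, len(name)]) + name


def dhcp_client_id_option(fqdn):
    """Option 61 with type byte 0 (not a hardware address) followed by the name."""
    name = _checked_name(fqdn)
    return bytes([DHCP_OPT_CLIENT_ID, len(name) + 1, 0]) + name


def dhcp_options_for_client_cert_san(san_der):
    """Glue step: SAN bytes in, (fqdn, concatenated DHCP option bytes) out."""
    fqdn = first_dns_name(san_der)
    if fqdn is None:
        raise ValueError("client certificate carries no dNSName SAN")
    return fqdn, dhcp_host_name_option(fqdn) + dhcp_client_id_option(fqdn)


if __name__ == "__main__":
    fqdn, opts = dhcp_options_for_client_cert_san(SAMPLE_SAN)
    print("forwarding host name:", fqdn)
    print("DHCP option bytes:   ", opts.hex())
```

In a real relay the SAN value would come from the peer certificate the IKE daemon already holds; everything after that point (tag walk, validation, option encoding) is the same. The validation deliberately fails closed: a certificate whose first dNSName is a wildcard or contains non-ASCII is not forwarded at all rather than forwarded truncated or mangled.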
