[strongSwan] One to Many VPN (Host-Host)

Tobias Brunner tobias at strongswan.org
Mon Mar 19 18:45:50 CET 2018


> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, because the LAN gateway is known outside as quantum-equities.com and the IPSec gateway is known in the LAN as cygnus.darkmatter.org.

That syntax is not valid.  Just use --san multiple times for each SAN
(as the man page for pki --issue indicates).

> I also tried to set --dn "C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't having it so I had to settle for just quantum-equities.com.

That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
proper RDN) and strongSwan's DN string parser does not support
multi-value RDNs.

> # swanctl -L
> # swanctl -l
> (no response, for some reason)

Yes, and that reason is:  No config has been loaded.  Did you run
swanctl --load-conns (-c) or --load-all (-q)?


More information about the Users mailing list