[strongSwan] One to Many VPN (Host-Host)
infosec at quantum-equities.com
Mon Mar 19 19:16:40 CET 2018
On 03/19/2018 10:45 AM, Tobias Brunner wrote:
>> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, because the LAN gateway is known outside as quantum-equities.com and the IPSec gateway is known in the LAN as cygnus.darkmatter.org.
> That syntax is not valid. Just use --san multiple times for each SAN
> (as the man page for pki --issue indicates).
Thanks, I'll redo the certs again.
>> I also tried to set --dn "C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't having it so I had to settle for just quantum-equities.com.
> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
> proper RDN) and strongSwan's DN string parser does not support
> multi-value RDNs.
It sounds like I can't use multiple --dn's. When my gateway must
validate with machines inside the LAN (as cygnus.darkmatter.org) and
outside (as quantum-equities.com), how can it prove that it's the right
machine if not DNS resolvable by checking CN=?
And how does the phone prove it is who it is in the Android app when its
IP changes and is not resolvable? The responder has to take its word
for it since it has the private key? If so, why is --san and --dn required?
>> # swanctl -L
>> # swanctl -l
>> (no response, for some reason)
> Yes, and that reason is: No config has been loaded. Did you run
> swanctl --load-conns (-c) or --load-all (-q)?
I haven't mentioned this, but I'm running CentOS7 which handles this in
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
... and yet I still have nothing with
# swanctl -L
# swanctl -l
Maybe this is the core of my problem with this horrid "/NO_PROPOSAL_CHOSEN/" in swanctl. That for some reason configs are not getting loaded?
No idea how to chase this down.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users