[strongSwan] One to Many VPN (Host-Host)

Tobias Brunner tobias at strongswan.org
Tue Mar 20 08:34:52 CET 2018


>>> I also tried to set --dn "C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't having it so I had to settle for just quantum-equities.com.
>> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
>> proper RDN) and strongSwan's DN string parser does not support
>> multi-value RDNs.
> It sounds like I can't use multiple --dn's.

You can't, there is only a single subject DN in an X.509 certificate.

>  When my gateway must
> validate with machines inside the LAN (as cygnus.darkmatter.org) and
> outside (as quantum-equities.com), how can it prove that it's the right
> machine if not DNS resolvable by checking CN=? 

That's exactly what SANs are for and why you can use --san multiple times.

> And how does the phone prove it is who it is in the Android app when its
> IP changes and is not resolvable?  The responder has to take its word
> for it since it has the private key?  If so, why is --san and --dn required?

The server uses the trust chain to verify that the client certificate is
issued by a trusted CA certificate and checks the signature in the AUTH
payload that proves the client is in possession of the private key.  The
DN and SANs are used as identification of the clients (and you could
e.g. match them in different configs).

>>> # swanctl -L
>>> # swanctl -l
>>> (no response, for some reason)
>> Yes, and that reason is:  No config has been loaded.  Did you run
>> swanctl --load-conns (-c) or --load-all (-q)?
> I haven't mentioned this, but I'm running CentOS7 which handles this in
> systemd:
> ExecStart=/usr/sbin/charon-systemd
> ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
> ... and yet I still have nothing with

Then you obviously haven't added the connection configs to the right
file.  Did you add them to /etc/strongswan/swanctl/swanctl.conf?
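As an added example (it is not part of the thread and not strongSwan's own documentation), the swanctl.conf fragment below puts the two answers above into practice: the gateway gets one certificate whose single subject DN is accompanied by both host names as SANs, and two connection configs choose which of those identities the gateway presents and which client identities each accepts. The DN and the two host names come from the thread; the addresses, subnets, pool, proposals, key/CA file names, the client DN layout with an OU, and the section names are assumptions made up for illustration.

```conf
# /etc/strongswan/swanctl/swanctl.conf   (CentOS 7 path, as used in the thread)
#
# The gateway certificate is issued once, with a single subject DN and two
# SANs. Example strongSwan pki command (caCert.pem, caKey.pem, gwKey.pem and
# gwCert.pem are assumed file names):
#
#   pki --issue --cacert caCert.pem --cakey caKey.pem \
#       --in gwKey.pem --type priv \
#       --dn "C=US, O=Quantum, CN=quantum-equities.com" \
#       --san quantum-equities.com --san cygnus.darkmatter.org \
#       --flag serverAuth --outform pem > gwCert.pem
#
# Assumed file layout: gwCert.pem in swanctl/x509/, gwKey.pem in
# swanctl/private/, caCert.pem in swanctl/x509ca/.

connections {

    # Road warriors (e.g. the Android app) arriving from the Internet.
    # The gateway identifies itself as quantum-equities.com; that name must
    # be in gwCert.pem (here as a SAN) or the client will reject it.
    roadwarrior {
        version = 2
        proposals = aes256-sha256-x25519
        pools = rw-pool
        local {
            auth = pubkey
            certs = gwCert.pem
            id = quantum-equities.com
        }
        # The client's IP may change and need not resolve. It is identified
        # by the DN/SAN in its certificate, which must chain to the CA in
        # swanctl/x509ca/ and match this (assumed) DN pattern; possession of
        # the private key is proven by the signature in the AUTH payload.
        remote {
            auth = pubkey
            id = "C=US, O=Quantum, OU=Phones, CN=*"
        }
        children {
            rw {
                local_ts = 10.0.0.0/24
                esp_proposals = aes256gcm16-x25519
            }
        }
    }

    # Hosts inside the LAN talk to the same certificate but know the gateway
    # as cygnus.darkmatter.org; the second SAN covers that name.
    lan-hosts {
        version = 2
        proposals = aes256-sha256-x25519
        local_addrs = 10.0.0.1
        local {
            auth = pubkey
            certs = gwCert.pem
            id = cygnus.darkmatter.org
        }
        # LAN machines are matched by a different DN pattern, so they land in
        # this config rather than in roadwarrior.
        remote {
            auth = pubkey
            id = "C=US, O=Quantum, OU=LAN, CN=*"
        }
        children {
            lan {
                mode = transport
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

pools {
    rw-pool {
        addrs = 10.1.0.0/24
    }
}
```

After editing the file, run `swanctl --load-all` (the command the systemd unit runs) and then `swanctl --list-conns`; both `roadwarrior` and `lan-hosts` should be listed. If `swanctl -L` still prints nothing, the configs are not in the file that swanctl reads.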
