[strongSwan] Discrepancy in distinguished name for x.509 authentication

Yogesh Purohit yogeshpurohit2 at gmail.com
Thu Jan 17 10:50:10 CET 2019

Hi All,

I am facing an issue in strongswan while establishing a tunnel using public
key authentication. I am using strongswan ikev2 version for both as
initiator and responder both.

I generated an certificate using openssl which has Subject as:

Subject: *C=ya, ST=mh, L=june, O=hare, OU=ya,
CN=myserver/emailAddress=myserver at gmail.com <myserver at gmail.com>*

so while configuring in ipsec.conf this as rightid, i configured in

myserver at gmail.com"

The tunnel didn't come up.

When I debugged in the log, I found no peer found as.
Strongswan received peerid as:
"*C=ya,ST=mh,L=june,O=hare,OU=ya,CN=myserver,E=myserver at gmail.com
<myserver at gmail.com>*"
whereas I had configured it as  "
C=ya,ST=mh,L=june,O=hare,OU=ya,CN=myserver,emailAddress=myserver at gmail.com"

because when I used to '*openssl x509 -in server.crt -text*' subject string
comes as:

Subject: C=ya, ST=mh, L=june, O=hare, OU=ya, CN=myserver/emailAddress=
myserver at gmail.com

so I tried configuring right id as strongswan is expecting, and tunnel was

So why is strongswan not using complete '*emailAddress*' field of Subject
distinguished name and only '*E*' instead ?

Best Regards,

Yogesh Purohit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190117/6a9771c4/attachment.html>

More information about the Users mailing list