[strongSwan] Discrepancy in distinguished name for x.509 authentication

Yogesh Purohit yogeshpurohit2 at gmail.com
Thu Jan 17 10:50:10 CET 2019


Hi All,

I am facing an issue in strongSwan while establishing a tunnel using public
key authentication. I am using the strongSwan IKEv2 version as both
initiator and responder.

I generated a certificate using openssl which has Subject as:

Subject: C=ya, ST=mh, L=june, O=hare, OU=ya, CN=myserver/emailAddress=myserver at gmail.com

So, while configuring this as rightid in ipsec.conf, I configured:

rightid="C=ya,ST=mh,L=june,O=hare,OU=ya,CN=myserver,emailAddress=myserver at gmail.com"

The tunnel didn't come up.

When I debugged using the log, I found that no peer was found.
strongSwan received the peer ID as:
"C=ya,ST=mh,L=june,O=hare,OU=ya,CN=myserver,E=myserver at gmail.com"
whereas I had configured it as
"C=ya,ST=mh,L=june,O=hare,OU=ya,CN=myserver,emailAddress=myserver at gmail.com"

because when I use 'openssl x509 -in server.crt -text', the subject string
comes as:

Subject: C=ya, ST=mh, L=june, O=hare, OU=ya, CN=myserver/emailAddress=myserver at gmail.com

So I tried configuring the right ID as strongSwan expects it, and the tunnel
was established.

So why is strongSwan not using the complete 'emailAddress' field of the
Subject distinguished name, and only 'E' instead?


-- 
Best Regards,

Yogesh Purohit
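
The subject strings quoted in the message above label the e-mail attribute differently: "emailAddress" and "E" are both short names for the same attribute type, OID 1.2.840.113549.1.9.1. As an added example (not part of the original post and not strongSwan or OpenSSL code), this Python sketch compares one-line DN renderings by OID instead of by label; the alias table, function names and the example.org address are assumptions.

```python
import re

# Short names -> attribute-type OIDs. This table is an assumption of the
# example, not strongSwan's or OpenSSL's own list. "E" and "emailAddress"
# both name the PKCS#9 emailAddress attribute.
ALIASES = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3",
    "E": "1.2.840.113549.1.9.1", "EMAILADDRESS": "1.2.840.113549.1.9.1",
}

# Constructed sample strings modelled on the three renderings in the post.
OPENSSL_TEXT = ("C=ya, ST=mh, L=june, O=hare, OU=ya, "
                "CN=myserver/emailAddress=myserver@example.org")
CONFIGURED = ("C=ya,ST=mh,L=june,O=hare,OU=ya,CN=myserver,"
              "emailAddress=myserver@example.org")
LOGGED = "C=ya,ST=mh,L=june,O=hare,OU=ya,CN=myserver,E=myserver@example.org"

# A separator counts only when "<name>=" follows it, so a ',' or '/' inside
# a value is left alone.
RDN_SPLIT = re.compile(r"[,/]\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def parse_dn(text):
    """Return [(oid, value), ...] for a one-line DN rendering.

    Accepts ',' and the '/' seen before emailAddress in the openssl output.
    Escaped separators, quoted values and multi-valued RDNs ('+') are out
    of scope for this sketch.
    """
    rdns = []
    for part in RDN_SPLIT.split(text.strip()):
        name, sep, value = part.partition("=")
        key = name.strip().upper()
        if not sep or key not in ALIASES:
            raise ValueError(f"unrecognised RDN: {part!r}")
        rdns.append((ALIASES[key], value.strip()))
    return rdns


def same_dn(a, b):
    """True when both renderings give the same ordered (oid, value) list."""
    return parse_dn(a) == parse_dn(b)


if __name__ == "__main__":
    print("openssl text vs logged ID:", same_dn(OPENSSL_TEXT, LOGGED))
    print("configured   vs logged ID:", same_dn(CONFIGURED, LOGGED))
```

The comparison is on attribute types and string values only; it does not model the ASN.1 string encoding of each value.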