[strongSwan] Certificate-based IPsec tunnel failing to complete

Regel, Julian (CSS) Julian.Regel at capita.co.uk
Fri Jul 5 12:20:12 CEST 2019


Hi Andreas

Thanks for the reply.

As per my other email to the list, the problem appears to be the format of the "id" value in the swanctl.conf.

Given that this is fixed by specifying the DN in the id parameter, does the subjectAltName actually get used and is it still important? Does it only apply if the peer device sends FQDN instead of DN?

Many thanks

Julian

-----Original Message-----
From: Andreas Steffen <andreas.steffen at strongswan.org>
Sent: 05 July 2019 10:50
To: Regel, Julian (CSS) <Julian.Regel at capita.co.uk>; users at lists.strongswan.org
Subject: Re: [strongSwan] Certificate-based IPsec tunnel failing to complete

Hi Julian,

hmmm, the connection definition:

remote {
   auth = pubkey
   id = vpntest.MY_ORG.co.uk
}

lists the subjectAltName which is apparently contained in the certificate:

       X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vpntest.$MY_ORG.co.uk

so the identity matching is supposed to work if there is no typo or some strange Unicode characters in the SAN.

Does the strongSwan swanctl --list-certs command list the SAN of the received peer certificate?

Would it be possible to send the peer certificate to me for closer inspection?

Best regards

Andreas
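As an added illustration (not code from this thread or from strongSwan itself), here is a simplified Python model of the two checks behind `remote { id = ... }`: the identity the peer claims must equal the configured id, and that identity must then be found in the peer certificate, as a DNS subjectAltName for an FQDN id or as the subject DN for a DN id. The subject DN, SAN and peer identities below are constructed to mirror the certificate quoted above.

```python
from __future__ import annotations

# Simplified model of IKE identity matching against a peer certificate.
# This is an added illustration, not strongSwan's own implementation; real DN
# comparison is done on DER encodings and real DN parsing handles escaping.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split "C=GB, O=MY_ORG, CN=host" into ordered (attr, value) pairs.
    Simplification: values containing commas are not supported."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def classify_identity(identity: str) -> str:
    """Treat a string containing '=' as a DN, anything else as an FQDN."""
    return "DN" if "=" in identity else "FQDN"

def ids_equal(a: str, b: str) -> bool:
    """Identities of different types never match; FQDNs compare
    case-insensitively, DNs compare RDN by RDN in the same order."""
    if classify_identity(a) != classify_identity(b):
        return False
    if classify_identity(a) == "DN":
        return parse_dn(a) == parse_dn(b)
    return a.lower() == b.lower()

def identity_matches_cert(identity: str, subject_dn: str, san_dns: list[str]) -> bool:
    """An FQDN identity must appear among the DNS SANs; a DN identity must
    equal the subject DN."""
    if classify_identity(identity) == "FQDN":
        return identity.lower() in {n.lower() for n in san_dns}
    return parse_dn(identity) == parse_dn(subject_dn)

# Constructed peer certificate, shaped like the one quoted in the thread
PEER_SUBJECT_DN = "C=GB, O=MY_ORG, CN=vpntest.MY_ORG.co.uk"
PEER_SAN_DNS = ["vpntest.MY_ORG.co.uk"]

def check_remote_id(configured_id: str, peer_sent_id: str) -> bool:
    """Both conditions implied by `remote { id = ... }`: the peer claims the
    configured identity, and that identity is contained in its certificate."""
    if not ids_equal(configured_id, peer_sent_id):
        return False   # e.g. config expects an FQDN but the peer sends its DN
    return identity_matches_cert(peer_sent_id, PEER_SUBJECT_DN, PEER_SAN_DNS)
```

The first case in the test is the failing configuration from the thread (an FQDN id while the peer identifies by DN); the SAN only comes into play when the peer actually sends an FQDN identity.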
