[strongSwan] defining a connection profile using DNS name in the cert's alt subject name cert field

FINLEY, DAVID BRIAN df1672 at att.com
Thu May 27 16:12:11 CEST 2021


Noel, please let me know if you've had any further thoughts on this.
thx

Dave Finley
df1672 at att.com
(630) 719-4391  (desk)
(630) 740-5198  (mobile)

-----Original Message-----
From: FINLEY, DAVID BRIAN 
Sent: Wednesday, May 19, 2021 11:02 AM
To: Noel Kuntze <noel.kuntze at thermi.consulting>
Subject: RE: [strongSwan] defining a connection profile using DNS name in the cert's alt subject name cert field

Hi Noel, did you have a chance to review the charon log file that I attached, to see if we can figure out why the "id =" scheme doesn't seem to work with the subject Alt name from the client cert?
thx

Dave Finley
df1672 at att.com
(630) 719-4391  (desk)
(630) 740-5198  (mobile)

-----Original Message-----
From: FINLEY, DAVID BRIAN 
Sent: Monday, May 10, 2021 10:20 AM
To: Noel Kuntze <noel.kuntze at thermi.consulting>
Subject: RE: [strongSwan] defining a connection profile using DNS name in the cert's alt subject name cert field

I set my charon-logging.conf file up to match what's on the Wiki page, although it seems like what I have now is less verbose than before. Anyway, the settings I used were:

filelog {
    charon-systemd {
        path = /var/log/charon_debug.log
        time_format = %a, %Y-%m-%d, %H:%M:%S
        default = 2
        mgr = 0
        net = 1
        enc = 1
        asn = 1
        job = 1
        ike_name = yes
        append = no
        flush_line = yes
    }
}

Thanks.

Dave Finley
df1672 at att.com
(630) 719-4391  (desk)
(630) 740-5198  (mobile)

-----Original Message-----
From: Noel Kuntze <noel.kuntze at thermi.consulting> 
Sent: Saturday, May 08, 2021 3:09 AM
To: FINLEY, DAVID BRIAN <df1672 at att.com>
Subject: Re: [strongSwan] defining a connection profile using DNS name in the cert's alt subject name cert field

Hi,

The cert looks okay, but the log contains nothing useful.
Please create logs using the settings on the HelpRequests[1] page on the wiki.
Those will then contain useful information.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Am 06.05.21 um 16:26 schrieb FINLEY, DAVID BRIAN:
> Forgot that our mail server probably wouldn't allow that crt file through, renamed it as txt this time. Also attached the charon.log file from the connection failure with msg level turned up to 4. I search for "looking for" when I want to go right to the point in the log where the profile lookup is attempted and then fails.
> thx
>
> Dave Finley
> df1672 at att.com
> (630) 719-4391  (desk)
> (630) 740-5198  (mobile)
>
> -----Original Message-----
> From: Noel Kuntze <noel.kuntze at thermi.consulting>
> Sent: Wednesday, May 05, 2021 6:08 PM
> To: FINLEY, DAVID BRIAN <df1672 at att.com>
> Subject: Re: [strongSwan] defining a connection profile using DNS name in the cert's alt subject name cert field
>
> Hi,
>
> Your mailserver's security solution removed the certificate.
> Config looks okay though.
> The right syntax is described on the man page for swanctl.conf and you basically already tried it all.
> Please get me the certificate and logs somehow.
> Logs show you what happens for what reason.
>
> Kind regards
> Noel
>
> Am 05.05.21 um 22:33 schrieb FINLEY, DAVID BRIAN:
>> Noel,
>> I attached the swanctl.conf file from both the client and the server. I also attached the cert being used by the client so that you can see what the subject Alt name value is, if that's useful.
>> thx
>>
>> Dave Finley
>> df1672 at att.com
>> (630) 719-4391  (desk)
>> (630) 740-5198  (mobile)
>>
>> -----Original Message-----
>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
>> Sent: Wednesday, May 05, 2021 2:00 PM
>> To: FINLEY, DAVID BRIAN <df1672 at att.com>; Users at lists.strongswan.org
>> Subject: Re: [strongSwan] defining a connection profile using DNS name in the cert's alt subject name cert field
>>
>> Hi,
>>
>> Please show your whole config and complete logs.
>>
>> Kind regards
>> Noel
>>
>> Am 05.05.21 um 20:13 schrieb FINLEY, DAVID BRIAN:
>>> Hello,
>>>
>>> I have IPsec clients using strongSwan that are connecting to a strongSwan server and want to set up connection profiles based on info in the subject Alt name string in each client's certificate. The subject Alt name in the client cert looks like this:
>>>
>>> X509v3 Subject Alternative Name:
>>>                 DNS:zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org
>>>
>>> I've tried every variation I can think of using the "id = " parm in swanctl.conf on the server and I cannot seem to get the strongSwan server to recognize/match on the subject Alt name in the client's cert. I've tried values including:
>>>
>>> id = DNS: zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org
>>> id = zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org
>>> id = FQDN: zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org
>>> id = @ zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org
>>>
>>> and others.
>>>
>>> Any suggestions?
>>>
>>> Thx in advance.
>>>
>>> Dave Finley
>>> df1672 at att.com
>>> (630) 719-4391  (desk)
>>> (630) 740-5198  (mobile)
>
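As an added illustration that is not part of this thread or of strongSwan's own documentation, the following pair of swanctl.conf fragments shows the FQDN from the client cert's SAN configured on both sides. It assumes a server hostname, certificate file names and subnets that do not appear in the thread, and it assumes the client sends that FQDN as its IKE identity, because the server's remote.id is compared with the identity the peer claims, and that claimed identity must in turn be contained in the peer's certificate (subject DN or a subjectAltName).

```conf
# Added example, not from the thread. Assumes the client cert carries
# subjectAltName DNS:zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org; the
# issuing CA is in /etc/swanctl/x509ca/ on both hosts; names/subnets are made up.
# ---- client: /etc/swanctl/swanctl.conf ----
connections {
    to-server {
        remote_addrs = vpn.example.net
        local {
            auth = pubkey
            certs = client.pem               # cert carrying the DNS SAN
            # Send the SAN FQDN as the IKE identity; the default (subject DN)
            # would never match the server's remote.id below.
            id = zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org
        }
        remote {
            auth = pubkey
            id = vpn.example.net
        }
        children {
            net {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
            }
        }
    }
}
# ---- server: /etc/swanctl/swanctl.conf ----
connections {
    zakr3dsegw51 {
        local {
            auth = pubkey
            certs = server.pem               # cert with SAN DNS:vpn.example.net
            id = vpn.example.net
        }
        remote {
            auth = pubkey
            # A bare hostname parses as an FQDN identity (no "DNS:"/"FQDN:" prefix);
            # it must equal what the client sends and appear in the client's cert.
            id = zakr3dsegw51.epc.mnc100.mcc313.3gppnetwork.org
        }
        children {
            net {
                local_ts = 10.2.0.0/24
                remote_ts = 10.1.0.0/24
            }
        }
    }
}
```

After editing, `swanctl --load-all` reloads the files and `swanctl --list-conns` shows the local and remote identities charon will actually compare.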
