I have a gateway set up with an ipsec.conf like this:
conn Servers_vpngateway2
    left=%defaultroute
    leftcert=vpngateway2.domain.com_cert.pem
    [email protected]
    leftfirewall=yes
    leftsubnet=172.16.48.0/22
    right=%any
    rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=*"
    rightsourceip=172.16.52.0/24
    auto=route
On this gateway I want to only allow those with a valid cert with
OU=Servers_vpngateway2. I have some servers that will also need to
connect to OU=Servers_vpngateway1, and in the future
OU=Servers_vpngateway3, etc., and thus have multiple OUs.
Now, if I connect with a client with a cert like this, it works:
    C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=test.domain.com
If I connect with a client like this, it doesn't work:
    C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, OU=Servers_vpngateway2, CN=test.domain.com
However, if I change the ipsec.conf conn definition to the following, it
does work:
conn Servers_vpngateway2
    left=%defaultroute
    leftcert=vpngateway2.domain.com_cert.pem
    [email protected]
    leftfirewall=yes
    leftsubnet=172.16.48.0/22
    right=%any
    rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, OU=Servers_vpngateway2, CN=*"
    rightsourceip=172.16.52.0/24
    auto=route
If I connect with a client like this, it doesn't work:
    C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, OU=Servers_vpngateway1, CN=test.domain.com
Likewise, if I change the ipsec.conf conn definition to the following, it
does work:
conn Servers_vpngateway2
    left=%defaultroute
    leftcert=vpngateway2.domain.com_cert.pem
    [email protected]
    leftfirewall=yes
    leftsubnet=172.16.48.0/22
    right=%any
    rightid="C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, OU=Servers_vpngateway1, CN=*"
    rightsourceip=172.16.52.0/24
    auto=route
Is there a way to allow servers with valid certs and
OU=Servers_vpngateway2 and ignore all other OUs (there may be one, two,
three, four, etc.), without writing conn definitions for all the
different combinations?
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
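Added example, not from the post or from strongSwan: a small Python model of the ordered, wildcard-aware DN comparison that the experiments above exhibit (RDN count and order must agree, `*` matches any value), placed next to the order-independent "has this OU" check the question is actually after, so the three client DNs can be tested against the two rightid patterns offline. The matcher is modelled on the observed behaviour only, not on strongSwan's source, and `parse_dn` assumes DNs without escaped commas, which holds for the DNs quoted in the post.

```python
# Added example: models the rightid matching seen in the post, not strongSwan code.

def parse_dn(dn):
    """Split 'C=US, ST=IL, OU=x, CN=*' into an ordered list of (type, value).
    Assumes no escaped commas, which holds for the DNs in the post."""
    rdns = []
    for part in dn.strip().strip('"').split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns

def matches_rightid(peer_dn, rightid):
    """Ordered RDN-by-RDN comparison: '*' matches any value, but the RDN
    count and order must agree. Modelled on the observed behaviour only."""
    peer, pattern = parse_dn(peer_dn), parse_dn(rightid)
    if len(peer) != len(pattern):
        return False
    return all(pa == pb and (vb == "*" or va == vb)
               for (pa, va), (pb, vb) in zip(peer, pattern))

def has_ou(peer_dn, ou):
    """Order-independent policy check: does any OU RDN carry the wanted value?
    This is the semantics the question asks for, applied outside strongSwan."""
    return any(a == "OU" and v == ou for a, v in parse_dn(peer_dn))

# DN strings constructed from the post
RIGHTID_SINGLE = "C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=*"
RIGHTID_1_2 = ("C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, "
               "OU=Servers_vpngateway2, CN=*")
CLIENT_SINGLE = "C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, CN=test.domain.com"
CLIENT_1_2 = ("C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway1, "
              "OU=Servers_vpngateway2, CN=test.domain.com")
CLIENT_2_1 = ("C=US, ST=IL, L=Chicago, O=Company, OU=Servers_vpngateway2, "
              "OU=Servers_vpngateway1, CN=test.domain.com")

if __name__ == "__main__":
    for client in (CLIENT_SINGLE, CLIENT_1_2, CLIENT_2_1):
        print(client)
        print("  matches single-OU rightid :", matches_rightid(client, RIGHTID_SINGLE))
        print("  matches OU1,OU2 rightid   :", matches_rightid(client, RIGHTID_1_2))
        print("  has OU=Servers_vpngateway2:", has_ou(client, "Servers_vpngateway2"))
```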