Re: [strongSwan] DN vs SAN fields

2017-12-11 Thread Jafar Al-Gharaibeh

Will do, and report any findings.
Thanks Noel.

--Jafar


On 12/9/2017 5:05 PM, Noel Kuntze wrote:
> No, you're probably doing something wrong.
> Configure logging with the configuration on the HelpRequests[1] page and read
> it after you did your testing.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> On 08.12.2017 23:13, Jafar Al-Gharaibeh wrote:
>> The configurations below were at the responder side. After trying different
>> options at the initiator side, changing the leftid, I tracked the issue (or
>> the behavior) to how the default leftid is selected at the initiator side. The
>> documentation says that the leftid defaults to the DN of the configured
>> certificate. That is the case in most of my testing even if I configure SAN
>> fields, unless I configure a SAN field of type IP address. The leftid in that
>> case defaults to the IP address instead of the DN. Is that to be expected?
>>
>> Thanks,
>> Jafar
>>
>> On 12/8/2017 2:27 PM, Jafar Al-Gharaibeh wrote:
>>> I have two certificates:
>>> certA.pem with DN set to "CN=strongswan"
>>> certB.pem with DN set to "CN=strongswan" and one SAN field set to "IP:2.2.2.2"
>>>
>>> If I use certA.pem in a config like the following, it works (i.e. I can get the
>>> connection up and running):
>>>
>>> conn vpn
>>>     left=1.1.1.1
>>>     right=2.2.2.2
>>>     rightcert=certA.pem
>>>     rightid="CN=strongswan"
>>>
>>> If I switch to using certB.pem then it fails, with everything else staying the
>>> same, even though the DN is exactly the same:
>>>
>>> conn vpn
>>>     left=1.1.1.1
>>>     right=2.2.2.2
>>>     rightcert=certB.pem
>>>     rightid="CN=strongswan"
>>>
>>> If I change the rightid to match the IP address in the SAN field then it
>>> works again:
>>>
>>> conn vpn
>>>     left=1.1.1.1
>>>     right=2.2.2.2
>>>     rightcert=certB.pem
>>>     rightid=2.2.2.2
>>>
>>> It is as if, when the SAN field is present, it is preferred over the DN and
>>> is the only one matched. The documentation of left/rightid says the id is
>>> matched against the DN OR any SAN field, but this is not what I see in my
>>> setup. Is this expected? What am I missing?
>>>
>>> Thanks in advance,
>>> Jafar


Re: [strongSwan] DN vs SAN fields

2017-12-09 Thread Noel Kuntze
No, you're probably doing something wrong.
Configure logging with the configuration on the HelpRequests[1] page and read 
it after you did your testing.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 08.12.2017 23:13, Jafar Al-Gharaibeh wrote:
> The configurations below were at the responder side. After trying different
> options at the initiator side, changing the leftid, I tracked the issue (or
> the behavior) to how the default leftid is selected at the initiator side. The
> documentation says that the leftid defaults to the DN of the configured
> certificate. That is the case in most of my testing even if I configure SAN
> fields, unless I configure a SAN field of type IP address. The leftid in that
> case defaults to the IP address instead of the DN. Is that to be expected?
>
> Thanks,
> Jafar
>
> On 12/8/2017 2:27 PM, Jafar Al-Gharaibeh wrote:
>>
>> I have two certificates:
>> certA.pem with DN set to "CN=strongswan"
>> certB.pem with DN set to "CN=strongswan" and one SAN field set to
>> "IP:2.2.2.2"
>>
>>
>> If I use certA.pem in a config like the following, it works (i.e. I can get
>> the connection up and running):
>>
>> conn vpn
>>     left=1.1.1.1
>>     right=2.2.2.2
>>     rightcert=certA.pem
>>     rightid="CN=strongswan"
>>
>>
>> If I switch to using certB.pem then it fails, with everything else staying
>> the same, even though the DN is exactly the same:
>>
>> conn vpn
>>     left=1.1.1.1
>>     right=2.2.2.2
>>     rightcert=certB.pem
>>     rightid="CN=strongswan"
>>
>>
>> If I change the rightid to match the IP address in the SAN field then it
>> works again:
>>
>> conn vpn
>>     left=1.1.1.1
>>     right=2.2.2.2
>>     rightcert=certB.pem
>>     rightid=2.2.2.2
>>
>>
>> It is as if, when the SAN field is present, it is preferred over the DN and
>> is the only one matched. The documentation of left/rightid says the id
>> is matched against the DN OR any SAN field, but this is not what I see in my
>> setup. Is this expected? What am I missing?
>>
>>
>> Thanks in advance,
>> Jafar
>>


[strongSwan] DN vs SAN fields

2017-12-08 Thread Jafar Al-Gharaibeh


I have two certificates:
certA.pem with DN set to "CN=strongswan"
certB.pem with DN set to "CN=strongswan" and one SAN field set to
"IP:2.2.2.2"



If I use certA.pem in a config like the following, it works (i.e. I can
get the connection up and running):

conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certA.pem
    rightid="CN=strongswan"


If I switch to using certB.pem then it fails, with everything else staying
the same, even though the DN is exactly the same:

conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid="CN=strongswan"


If I change the rightid to match the IP address in the SAN field
then it works again:

conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid=2.2.2.2


It is as if, when the SAN field is present, it is preferred over the DN
and is the only one matched. The documentation of left/rightid says
the id is matched against the DN OR any SAN field, but this is not what
I see in my setup. Is this expected? What am I missing?



Thanks in advance,
Jafar
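The following Python script is an added example, not code from the thread or from strongSwan. It models the two separate checks that the thread's observations imply on the responder side: the configured rightid has to equal the one identity the initiator actually sends (IDi), and that IDi must additionally be the subject DN or a subjectAltName of the initiator's certificate. "Matched against the DN or any SAN field" describes the second check, not the first, so a certificate that carries both identities still only ever presents one of them. The default-leftid rule in default_local_id() (an IP SAN equal to the local address wins over the subject DN) is taken from the behavior the poster reports and is assumed here to apply with the initiator's address equal to that SAN; the identity classification, DN normalization, conn-block parser and the two certificate descriptions are constructed simplifications for the model, not strongSwan's own parsers or the poster's files.

```python
"""Model of responder-side peer identity matching as described in the thread.

Added example, not strongSwan code. Two checks: (1) IDi == configured rightid,
(2) IDi is the subject DN or a SAN of the peer certificate. The default-leftid
rule is assumed from the thread's report; parsers are simplifications.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Only the parts of a certificate that matter for identity matching."""
    subject: str                              # e.g. 'CN=strongswan'
    sans: list = field(default_factory=list)  # e.g. ['IP:2.2.2.2', 'DNS:vpn.example']


def normalize_dn(dn):
    """Split 'CN=x, O=y' into ((ATTR, value), ...); attribute types uppercased, spaces trimmed."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn.strip().strip('"'))]
    return tuple((k.strip().upper(), v.strip()) for k, _, v in (r.partition("=") for r in rdns))


def parse_identity(text):
    """Classify an identity string: explicit SAN prefix, then IP literal, DN, email, else FQDN."""
    text = text.strip().strip('"')
    if text.startswith("IP:"):
        return ("IP", ipaddress.ip_address(text[3:]))
    if text.startswith("DNS:"):
        return ("FQDN", text[4:].lower())
    if text.startswith("email:"):
        return ("EMAIL", text[6:].lower())
    try:
        return ("IP", ipaddress.ip_address(text))
    except ValueError:
        pass
    if "=" in text:
        return ("DN", normalize_dn(text))
    if "@" in text:
        return ("EMAIL", text.lower())
    return ("FQDN", text.lower())


def fmt(ident):
    """Human-readable form, e.g. 'DN:CN=strongswan' or 'IP:2.2.2.2'."""
    kind, value = ident
    return f"{kind}:{','.join('='.join(p) for p in value) if kind == 'DN' else value}"


def cert_identities(cert):
    """Every identity the certificate can vouch for: subject DN plus each SAN."""
    return [parse_identity(cert.subject)] + [parse_identity(s) for s in cert.sans]


def default_local_id(cert, local_addr):
    """Default leftid when unset (rule assumed from the thread: matching IP SAN beats subject DN)."""
    addr = parse_identity(local_addr)
    return addr if addr in cert_identities(cert) else parse_identity(cert.subject)


def responder_accepts(cert, rightid, sent_id):
    """Return (accepted, reason) for an IDi against the responder's rightid and the peer cert."""
    expected = parse_identity(rightid)
    if sent_id != expected:
        return False, f"peer sent IDi {fmt(sent_id)} but rightid expects {fmt(expected)}"
    if sent_id not in cert_identities(cert):
        return False, f"IDi {fmt(sent_id)} is neither the subject nor a SAN of the peer certificate"
    return True, f"IDi {fmt(sent_id)} equals rightid and is contained in the peer certificate"


def parse_conn(text):
    """Minimal parser for an ipsec.conf conn block: key=value lines, surrounding quotes stripped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("conn ", "#")):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def evaluate(conn_text, certs, peer_leftid=None):
    """Simulate a responder conn against an initiator that authenticates with the configured cert.

    peer_leftid is the initiator's leftid; None means unset, so the initiator
    sends the default identity derived from its certificate and address.
    """
    conn = parse_conn(conn_text)
    cert = certs[conn["rightcert"]]
    sent = parse_identity(peer_leftid) if peer_leftid else default_local_id(cert, conn["right"])
    ok, reason = responder_accepts(cert, conn["rightid"], sent)
    return ok, sent, reason


# Constructed from the thread's description; the actual PEM files are not on the page.
CERTS = {
    "certA.pem": Cert("CN=strongswan"),
    "certB.pem": Cert("CN=strongswan", ["IP:2.2.2.2"]),
}
CONN_TEMPLATE = "conn vpn\n    left=1.1.1.1\n    right=2.2.2.2\n    rightcert={cert}\n    rightid={rightid}\n"
SCENARIOS = {
    "certA, rightid=CN": CONN_TEMPLATE.format(cert="certA.pem", rightid='"CN=strongswan"'),
    "certB, rightid=CN": CONN_TEMPLATE.format(cert="certB.pem", rightid='"CN=strongswan"'),
    "certB, rightid=IP": CONN_TEMPLATE.format(cert="certB.pem", rightid="2.2.2.2"),
}

if __name__ == "__main__":
    for name, conn in SCENARIOS.items():
        ok, sent, reason = evaluate(conn, CERTS)
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
    # Pinning leftid on the initiator (not something the thread tried) removes the
    # dependency on the default-selection rule entirely.
    ok, sent, reason = evaluate(SCENARIOS["certB, rightid=CN"], CERTS, peer_leftid="CN=strongswan")
    print(f"certB, rightid=CN, initiator leftid=CN=strongswan: {'OK' if ok else 'FAIL'} ({reason})")
```

Run it as a script to see the three scenarios from the thread: the certB/rightid="CN=strongswan" case fails in the model not because the DN is absent from the certificate but because the identity on the wire is the IP address. The practical checks that follow from this are to list what a certificate can actually assert (openssl x509 -noout -subject -ext subjectAltName -in certB.pem) and, as Noel suggests, to read charon's log for the identity it sent or received rather than reasoning from the certificate alone; pinning leftid on the initiator removes the guesswork.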