On Thu, 31 Jan 2019, LAURIA Giuseppe wrote:
We are using libreswan between two different RedHat Servers and want to do host-to-host transport tunnel encryption to port 8080.
Left: RHEL 7.6 (SELinux set to Permissive), libreswan version: libreswan-3.25-2.el7.x86_64
Right: RHEL 6.10, libreswan version: libreswan-3.15-7.5.el6_9.x86_64
I have to say that the left certificate has a CN which contains a left-server alias for the load balancer, which is not yet in place. But the certificate also has a SAN list which contains the correct hostname. If libreswan ignores the SAN and checks for the exact entry in the first DN, then this will fail. Can you say whether libreswan also checks the SAN entries?
libreswan does check SAN entries, but 3.15 is very old and does not have all the flexibility of recent libreswan versions with respect to certificates.
Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
I would recommend using the full DN for the leftid/rightid to avoid the subjectAltNames altogether. Paul
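As an added illustration (not part of the thread, and not the poster's configuration), here is what the recommended approach looks like in ipsec.conf: a transport-mode conn for TCP port 8080 where leftid and rightid carry the full subject DN of each peer's certificate, so the bare CN (the not-yet-existing LB alias) and the SAN list play no role in ID matching. All DNs, NSS nicknames and addresses are placeholders; the server is assumed to listen on port 8080 on the left host.

```conf
# /etc/ipsec.conf fragment (added example; every value below is a placeholder)
conn cloud_core_tunnel
    type=transport
    authby=rsasig
    # Left host is assumed to be the server listening on TCP 8080.
    left=192.0.2.10
    leftcert=left-server-cert            # NSS nickname of the left certificate
    leftrsasigkey=%cert
    # Full subject DN of the left certificate instead of a hostname/CN that
    # would be compared against the SAN list. Read it from the NSS database with
    #   certutil -L -d sql:/etc/ipsec.d -n left-server-cert
    # or from a PEM copy with
    #   openssl x509 -noout -subject -nameopt RFC2253 -in left.pem
    leftid="C=XX, O=Example Org, CN=lb-alias.example.invalid"
    leftprotoport=tcp/8080
    # Right host is the client; any source port may connect to 8080.
    right=192.0.2.20
    rightrsasigkey=%cert
    rightid="C=XX, O=Example Org, CN=right-host.example.invalid"
    rightprotoport=tcp/%any
    rightca=%same                        # peer cert must chain to the same CA
    auto=start
```

With both IDs pinned to a full DN, the "Main mode peer ID is ID_DER_ASN1_DN" line in the log must match the configured rightid/leftid string exactly, which is the check to verify against when the tunnel fails to authenticate.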
