On Tue, 11 Jun 2019 20:40:59 +1000 "Ian Dobson" <[email protected]> wrote:

> I have found a work-around: by modifying the 'conn vpn' section:
>
> replace
> [email protected]
> with
> leftid="C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au"
>
> everything seems to work.
>
>
> But I don't understand why this is necessary, as the vpn.oob.id.au
> certificate has CN "vpn.oob.id.au" and X509v3 SAN "DNS:vpn.oob.id.au".
> None of the documentation & examples I have seen references a need to
> quote the full Subject in the leftid.

CN is not valid for ID_FQDN. Only SAN is.

You can only use ID_DER_ASN1_DN (subject of the certificate) as id type
if you don't have a SubjectAltName with type DNS for use as ID_FQDN.

CN= is just a field of the subject, not used for FQDN.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
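As an added example (not from the thread and not libreswan's own code), the following shell script builds two throwaway self-signed certificates with openssl, one carrying SAN DNS:vpn.oob.id.au and one with only CN=vpn.oob.id.au in the subject, and reports which leftid= forms would match each under the rule stated in the reply: an "@fqdn" leftid is ID_FQDN and is compared only against SAN DNS entries, while a DN string is ID_DER_ASN1_DN and is compared against the certificate subject. The temporary file names, the helper names and the "@vpn.oob.id.au" value are assumptions for illustration; the matching logic is a simplified model of the ID comparison, not libreswan's implementation.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan. It models the
# matching rule in the reply: an "@fqdn" leftid is ID_FQDN and matches only a
# SAN DNS entry (the CN is ignored); a DN string is ID_DER_ASN1_DN and matches
# the certificate subject. Requires openssl >= 1.1.1 (for -addext).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway certificates (self-signed, 1-day, keys discarded).
# The subject is the one from the thread; only the first cert carries a SAN.
CERT_SAN="$WORK/vpn-san.crt"
CERT_NOSAN="$WORK/vpn-nosan.crt"
SUBJ="/C=AU/ST=Victoria/L=Surrey Hills/O=OOB/CN=vpn.oob.id.au"

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
  -addext "subjectAltName=DNS:vpn.oob.id.au" \
  -keyout "$WORK/san.key" -out "$CERT_SAN" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
  -keyout "$WORK/nosan.key" -out "$CERT_NOSAN" >/dev/null 2>&1

# Subject DN in the "C=AU, ST=..., CN=..." form that leftid= takes for
# ID_DER_ASN1_DN (oldest RDN first, comma+space separated, short names).
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
    | sed 's/^subject= *//'
}

# SAN DNS entries, one per line; empty when the cert has no SAN extension.
cert_san_dns() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Which ID type, if any, the proposed leftid would match for this cert.
# Prints ID_FQDN, ID_DER_ASN1_DN, NO_MATCH or UNSUPPORTED (other leftid
# forms such as IP addresses, e-mail IDs or %fromcert are outside this model).
match_leftid() {
  cert=$1
  id=$2
  case $id in
    @*)
      fqdn=${id#@}
      for san in $(cert_san_dns "$cert"); do
        [ "$san" = "$fqdn" ] && { echo ID_FQDN; return 0; }
      done
      echo NO_MATCH
      ;;
    *=*)
      if [ "$(cert_dn "$cert")" = "$id" ]; then
        echo ID_DER_ASN1_DN
      else
        echo NO_MATCH
      fi
      ;;
    *)
      echo UNSUPPORTED
      ;;
  esac
}

# Usage: the two leftid forms from the thread against both certificates.
# Only the SAN-bearing cert satisfies @vpn.oob.id.au; a CN alone does not,
# while the full-DN form matches either cert's subject.
DN_ID='C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au'
for c in "$CERT_SAN" "$CERT_NOSAN"; do
  echo "$(basename "$c"):"
  echo "  leftid=@vpn.oob.id.au -> $(match_leftid "$c" '@vpn.oob.id.au')"
  echo "  leftid=\"$DN_ID\" -> $(match_leftid "$c" "$DN_ID")"
done
```

The cert_dn helper deliberately uses -nameopt sep_comma_plus_space so that the printed subject is byte-for-byte the string you would paste into leftid=; a DN copied from the default "subject=C = AU, ST = Victoria, ..." output of newer openssl versions carries spaces around the equals signs and will not compare equal in this model.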
