On Tue, 11 Jun 2019 22:39:32 +1000 "Ian Dobson" <[email protected]> wrote:
> As stated above, I *do* have SubjectAltName with type DNS for use as
> the ID_FQDN. Certificate for vpn.oob.id.au says:
>
> X509v3 Subject Alternative Name:
> DNS:vpn.oob.id.au
>
> But if I use "[email protected]" in the conn section to match the
> peer, then libreswan initially matches this conn then switches away
> from this to another conn block which is less specific (roadwarrior
> conn, which allows any certificate signed by the same CA as the local
> end's certificate, as per configs shown in my original post)
>
> However if I use the ID_DER_ASN1_DN subject string as the leftid then
> libreswan does match the conn correctly.

That would be a bug. But if you want that to be fixed you'd need to test
with 3.29 first because there are significant changes since 3.25 version.

--
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
