Hi Andreas,

> I would like to let the clients authenticate
> themselves with previously issued certificates that contain an email
> address in the subjectAlternativeName (or that have no
> subjectAlternativeName at all).

> 01[TLS] no trusted certificate found for '141.99.152.189' to verify TLS peer

Charon uses the same certificate chain validation in TLS as in traditional
IKEv2 certificate validation. This validator is a little stricter
than other TLS stacks in that it requires the peer's identity to be
contained in the certificate, either as the subject or as a subjectAltName.
Having just the peer's identity as the CN in the DN is not sufficient.

The peer must either use the full DN of the certificate or one of its
subjectAltNames as its identity. You can specify the IKEv2 identity in
ipsec.conf with leftid. If you use an additional EAP-Identity exchange
(initiated by the server with eap_identity=%identity), you can specify
the EAP-Identity with [email protected] on the client.
Don't forget to pass --enable-eap-identity to configure, as this
EAP-Identity exchange requires an additional plugin.
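As an added illustration (not from this thread or from the strongSwan project), here are ipsec.conf fragments showing a rejected client identity beside the two accepted forms. The host names, file names and the client certificate's subject and subjectAltName are constructed placeholders.

```ini
# Added example: EAP-TLS with client certificates, charon as EAP server.
# Assumed (constructed) client certificate contents:
#   subject:          C=CH, O=Example, CN=client1
#   subjectAltName:   email:user@example.com

# --- server side ---
conn rw-eap-tls
    left=gw.example.com
    leftcert=gwCert.pem
    leftid=gw.example.com
    leftauth=pubkey
    right=%any
    # client authenticates with its certificate inside EAP-TLS
    rightauth=eap-tls
    # ask the client for an EAP-Identity before EAP-TLS starts
    # (needs the eap-identity plugin, --enable-eap-identity)
    eap_identity=%identity
    auto=add

# --- client side, REJECTED ---
# "client1" is only the CN of the subject, neither the full DN nor a
# subjectAltName, so charon's validator logs
# "no trusted certificate found for ... to verify TLS peer".
conn home-rejected
    leftcert=clientCert.pem
    leftid=client1
    leftauth=eap
    right=gw.example.com
    rightid=gw.example.com
    rightauth=pubkey
    auto=add

# --- client side, ACCEPTED (either identity form works) ---
conn home
    leftcert=clientCert.pem
    # 1) the full subject DN of the certificate ...
    leftid="C=CH, O=Example, CN=client1"
    # 2) ... or one of its subjectAltNames (the rfc822Name here);
    #    uncomment this line and remove the DN form above to use it
    #leftid=user@example.com
    # optional: if the server runs an EAP-Identity exchange, the EAP
    # identity can be set separately; it defaults to the IKEv2 identity
    #eap_identity=user@example.com
    leftauth=eap
    right=gw.example.com
    rightid=gw.example.com
    rightauth=pubkey
    auto=add
```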

> I just want to check if that client's certificate is issued by 
> a certain CA (and maybe has a certain field in the DN).

Yes, this should be no problem. But the client must authenticate with an
identity that is contained in the certificate.

Regards
Martin


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users