Hi Robert,

> How can we make the server decouple its leftid and its certificate as
> in the sample ipsec.conf above?

The best way to let your gateway act with different identities, but the same certificate, is to use subjectAltNames. If your certificate contains subjectAltNames for all your gateway identities, the identity can be used for selecting a configuration.

> Does this violate any specifications/standards?

Yes, see [1]. There are serious security implications if the peer identity is decoupled from the certificate: the peer identity in the ID payload is used to look up policies. If any certificate can be used to authenticate any identity, an attacker with any valid certificate (and the associated private key) can impersonate everybody else (e.g. a client can act as a gateway).

You may try the patch at [2] and set the strongswan.conf option charon.cert_id_binding to no. However, do it only if you really understand the implications.

Regards
Martin

[1] http://tools.ietf.org/html/rfc4945#section-3.1.2
[2] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7f03c277
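As an added illustration of the identity-to-certificate binding Martin's reply describes (example code, not from the mail or from strongSwan), the check below models how a policy lookup keyed on the ID payload behaves with and without the binding; the `PeerCert` record, ID type names, connection names and the `cert_id_binding` parameter are constructed stand-ins for real X.509 parsing and charon's configuration:

```python
"""Identity-to-certificate binding check in the spirit of RFC 4945 3.1.2.
Added example, not strongSwan code: certificates are constructed records,
not parsed X.509, and the ID type names mirror IKE's identification types."""
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    subject_dn: str                          # e.g. "C=CH, O=Example, CN=moon.example.org"
    san_dns: list = field(default_factory=list)    # subjectAltName dNSName entries
    san_email: list = field(default_factory=list)  # subjectAltName rfc822Name entries


def _norm_dn(dn):
    # Compare DNs attribute by attribute, ignoring spacing and letter case
    return tuple(p.strip().lower() for p in dn.split(","))


def identity_bound_to_cert(id_type, id_value, cert):
    """True only if the ID payload names something the certificate certifies."""
    if id_type == "ID_DER_ASN1_DN":
        return _norm_dn(id_value) == _norm_dn(cert.subject_dn)
    if id_type == "ID_FQDN":
        return id_value.lower() in (d.lower() for d in cert.san_dns)
    if id_type == "ID_RFC822_ADDR":
        return id_value.lower() in (e.lower() for e in cert.san_email)
    return False  # any other ID type is never bound by this simplified check


def select_config(id_type, id_value, cert, configs, cert_id_binding=True):
    """Policy lookup keyed on the claimed identity.  With cert_id_binding
    disabled (modelling charon.cert_id_binding = no from the mail) any valid
    certificate authenticates any identity, so the lookup alone decides."""
    if cert_id_binding and not identity_bound_to_cert(id_type, id_value, cert):
        return None                      # claimed identity not backed by the cert
    return configs.get(id_value)


# Constructed sample data: a gateway cert carrying two SANs, and a client cert.
GATEWAY_CERT = PeerCert("C=CH, O=Example, CN=moon.example.org",
                        san_dns=["moon.example.org", "vpn.example.org"])
CLIENT_CERT = PeerCert("C=CH, O=Example, CN=carol",
                       san_email=["carol@example.org"])
CONFIGS = {"moon.example.org": "gateway", "vpn.example.org": "gateway",
           "carol@example.org": "roadwarrior"}
```

With the binding enabled the client certificate cannot claim the gateway's FQDN; with it disabled the same certificate selects the gateway connection, which is the impersonation the reply warns about.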
