Hi, while generating your server certificate you can add multiple subjectAltNames:

    ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"

If your clients are requesting different IDr identities then
you must define two connections:

    conn foo
        also=server
        leftid=vpn.foo.com
        auto=add

    conn bar
        also=server
        leftid=vpn.bar.com
        auto=add

    conn server
        rightid=%any
        ... # all other parameters
        leftcert=serverCert.pem

Regards
Andreas
On 18.12.2012 17:03, kgardenia42 wrote:
Hi,
wrt. to this guide:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
I have created my server cert for vpn.foo.com as outlined:
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
s.pem --cakey caKey.pem \
--dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
--flag serverAuth --flag ikeIntermediate --outform pem >
serverCert.pem
However, I want the *same* VPN server to be accessible by clients as
*both* vpn.foo.com and vpn.bar.com then how can I accomplish this? Do
I need a server cert and traffic selector for each one?
Or is it somehow possible to hang both hostnames off the same server
cert (preferred)?
If I need two server certs then can they both use the same CA? I
assumed so but when I try the above there seems to be some ambiguity
over which traffic selector is selected (well it appears to be the
first one in ipsec.conf). Is there a known gotcha there or have I
just missed something? If so I'll start from scratch.
Thanks.
======================================================================
Andreas Steffen                                       [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
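
An added example, not part of the original thread and not strongSwan code: a small check that resolves the also= inheritance used in the reply's configuration and reports any loadable connection whose leftid is not among the certificate's subjectAltNames. It assumes hostname identities only; the SAN list is passed in by hand, and the function names and SAMPLE_CONF are constructed for illustration.

```python
# Constructed sample that mirrors the configuration in the reply above.
SAMPLE_CONF = """\
conn foo
    also=server
    leftid=vpn.foo.com
    auto=add
conn bar
    also=server
    leftid=vpn.bar.com
    auto=add
conn server
    rightid=%any
    leftcert=serverCert.pem
"""

def parse_conns(text):
    """Return {conn name: [(key, value), ...]} for an ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], [])
        elif line and not line[0].isspace():
            current = None  # other section types such as "config setup"
        elif line[:1].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current.append((key.strip(), value.strip().strip('"')))
    return conns

def resolve(conns, name, seen=()):
    """Merge settings pulled in through also=; the conn's own settings win."""
    if name in seen:
        raise ValueError("also= loop involving " + name)
    merged = {}
    for key, value in conns[name]:
        if key == "also":
            merged.update(resolve(conns, value, seen + (name,)))
    merged.update((k, v) for k, v in conns[name] if k != "also")
    return merged

def uncovered_leftids(text, sans):
    """Map each loadable conn (one with auto=) to a leftid the SANs do not cover."""
    conns, wanted = parse_conns(text), {s.lower() for s in sans}
    problems = {}
    for name in conns:
        params = resolve(conns, name)
        leftid = params.get("leftid", "")
        if "auto" in params and leftid.lower() not in wanted:
            problems[name] = leftid
    return problems
```

With a certificate issued for only one of the two names, the check flags the other connection; "conn server" is skipped because it has no auto= and only serves as a template.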
