Hi,

I don't know how your VPN clients behave, but a strongSwan client never
matches a Common Name Relative Distinguished Name (RDN)

  CN=vpn.foo.com

which is part of a subject DN with an IKE IDr of vpn.foo.com, but does so
with subjectAltName X.509v3 certificate extensions. Actually you could try
to add multiple CN RDNs

  --dn "C=CH, O=strongSwan, CN=vpn.foo.com, CN=vpn.bar.com"

which is totally ok with subject DNs.

Regards

Andreas

On 18.12.2012 21:46, kgardenia42 wrote:
> On Tue, Dec 18, 2012 at 6:09 PM, Andreas Steffen <[email protected]> wrote:
>> Hi,
>>
>> while generating your server certificate you can add multiple subjectAltNames:
>>
>>   ipsec pki --issue ... --san "vpn.foo.com" --san "vpn.bar.com"
>
> If I generate the server cert as per here:
>
>   http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
>
> Then the hostname is also baked into the "--dn" option. Example:
>
>   --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com"
>
> In the above case, how does vpn.foo.com being baked into the --dn affect my
> ability to add an extra --san of vpn.bar.com? Do I need multiple --dn
> options also? Or is it an option to not have an explicit --dn with the
> server hostname baked into the --dn?
>
>> If your clients are requesting different IDr identities then you must
>> define two connections:
>>
>>   conn foo
>>       also=server
>>       leftid=vpn.foo.com
>>       auto=add
>>
>>   conn bar
>>       also=server
>>       leftid=vpn.bar.com
>>       auto=add
>>
>>   conn server
>>       rightid=%any
>>       ...                      # all other parameters
>>       leftcert=serverCert.pem
>
> Good information. Thanks.
>
>> On 18.12.2012 17:03, kgardenia42 wrote:
>>> Hi,
>>>
>>> wrt. to this guide:
>>>
>>>   http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>>
>>> I have created my server cert for vpn.foo.com as outlined:
>>>
>>>   ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert s.pem --cakey caKey.pem \
>>>     --dn "C=CH, O=strongSwan, CN=vpn.foo.com" --san="vpn.foo.com" \
>>>     --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
>>>
>>> However, I want the *same* VPN server to be accessible by clients as *both*
>>> vpn.foo.com and vpn.bar.com, then how can I accomplish this? Do I need a
>>> server cert and traffic selector for each one? Or is it somehow possible to
>>> hang both hostnames off the same server cert (preferred)? If I need two
>>> server certs then can they both use the same CA? I assumed so, but when I
>>> try the above there seems to be some ambiguity over which traffic selector
>>> is selected (well, it appears to be the first one in ipsec.conf). Is there
>>> a known gotcha there or have I just missed something?
>>>
>>> If so I'll start from scratch. Thanks.
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
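The certificate shape the thread settles on, built here as an added example that is not from the thread or the strongSwan project: a server certificate whose subject DN still says CN=vpn.foo.com but whose subjectAltName extension lists both vpn.foo.com and vpn.bar.com, issued by a throwaway test CA and then inspected to see which identities the SAN really carries. It assumes openssl is on PATH and uses it in place of "ipsec pki" so it runs without strongSwan installed; the CA subject and file names (caCert.pem, serverKey.pem, serverCert.pem) are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not from the thread or strongSwan: issue a server cert whose
# subject CN is vpn.foo.com and whose subjectAltName carries BOTH vpn.foo.com
# and vpn.bar.com, then inspect which identities the SAN really lists.
# openssl stands in for "ipsec pki" (assumption: openssl is on PATH).
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed PKI

make_certs() {
    # Test CA: key plus self-signed certificate (constructed, 30-day lifetime)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" \
        -subj "/C=CH/O=strongSwan/CN=strongSwan Root CA" 2>/dev/null
    # Server key and request; the subject DN keeps CN=vpn.foo.com as in the thread
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/serverKey.pem" -out "$WORK/server.csr" \
        -subj "/C=CH/O=strongSwan/CN=vpn.foo.com" 2>/dev/null
    # Extensions the CA adds: both SANs plus serverAuth and ikeIntermediate EKUs
    # (1.3.6.1.5.5.8.2.2 is the OID behind "--flag ikeIntermediate")
    printf '%s\n' \
        'subjectAltName=DNS:vpn.foo.com,DNS:vpn.bar.com' \
        'extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/caCert.pem" \
        -CAkey "$WORK/caKey.pem" -CAcreateserial -days 30 \
        -extfile "$WORK/server.ext" -out "$WORK/serverCert.pem" 2>/dev/null
}

# san_has CERT NAME: succeeds only if NAME is a DNS entry of the SAN extension.
# The subject CN is deliberately ignored, mirroring how the IDr is matched.
san_has() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | grep -qx "DNS:$2"
}

# chain_ok CERT: the server certificate must verify against the test CA.
chain_ok() {
    openssl verify -CAfile "$WORK/caCert.pem" "$1" >/dev/null 2>&1
}

make_certs
san_has "$WORK/serverCert.pem" vpn.bar.com && echo "vpn.bar.com: present in SAN"
san_has "$WORK/serverCert.pem" vpn.baz.com || echo "vpn.baz.com: not in SAN"
chain_ok "$WORK/serverCert.pem" && echo "serverCert.pem verifies against caCert.pem"
```

A client presenting an IDr of vpn.bar.com is satisfied by the second SAN entry; an extra CN RDN in the subject DN would not be consulted for that match.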
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
