Hi,

> the DHCP Request's Client Identifier field is set to the DER ASN1 DN
> identifier of the client. I expected to see the FQDN in this field so
> that it could be used for pre-configured static assignment in the DHCP
> server's configuration file.
The identity used in the Client Identifier is the one the IKE peer used to authenticate itself in the IKE IDi payload (C=US, O=Sample, CN=rw1.sample.org). This is the case for all IP pool backends. While we could use another identity from the certificate, this is tricky: which one should we choose if there are multiple types, or even multiple subjectAltNames for the same type?

The Android client authenticates itself with the certificate subject when using certificate authentication, which is a full Distinguished Name. @Tobias, there is currently no way to change that, right?

> I also attached rightid_dns showing the failure of the SA establishment if
> rightid is set to the DNS of the client.

If the rightid is set this way, the identity the client uses no longer matches your server connection. The peer gets rejected.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
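To see what a DHCP server actually receives in option 61 when the IKE identity is a Distinguished Name, here is an added example (not code from strongSwan or from this thread) that DER-encodes the identity C=US, O=Sample, CN=rw1.sample.org, decodes it back, and renders it as the colon-separated hex a static host entry would have to match. It assumes the Client Identifier carries the raw DER DN with no extra type prefix; the thread does not state the exact byte layout.

```python
# Added example, not from the original thread. Encodes an X.501 DN as DER
# (SEQUENCE of SET of SEQUENCE { OID, string }) and decodes it again, so an
# admin can see the bytes a DHCP server would have to match for the client.
# Assumption: option 61 carries the bare DER DN (no leading type byte).
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
NAMES = {v: k for k, v in OIDS.items()}

def _tlv(tag: int, body: bytes) -> bytes:
    # DER length: short form below 128, long form otherwise
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_dn(rdns):
    out = b""
    for attr, value in rdns:
        # countryName is a PrintableString; the others are UTF8String here
        string_tag = 0x13 if attr == "C" else 0x0C
        atv = _tlv(0x30, _tlv(0x06, OIDS[attr]) + _tlv(string_tag, value.encode()))
        out += _tlv(0x31, atv)  # each RDN is a SET OF one AttributeTypeAndValue
    return _tlv(0x30, out)

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

def decode_dn(der: bytes) -> str:
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DN must start with a SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        t, rdn, pos = _read_tlv(body, pos)
        if t != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        parts.append(f"{NAMES.get(oid, oid.hex())}={val.decode()}")
    return ", ".join(parts)

def dhcp_client_id_hex(der: bytes) -> str:
    # colon-separated hex, the usual notation for a DHCP client-identifier value
    return ":".join(f"{b:02x}" for b in der)

if __name__ == "__main__":
    der = encode_dn([("C", "US"), ("O", "Sample"), ("CN", "rw1.sample.org")])
    print(decode_dn(der), "->", dhcp_client_id_hex(der))
```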
