Hello Martin,

Thank you for your answer – it was very helpful. It would be useful if the identifier the client uses to authenticate itself could be changed. However, I now understand that I will need to handle the variability of the peer identifiers to use DHCP static address assignment.

Best Regards,
gs

On Wed, Feb 13, 2013 at 4:40 AM, Martin Willi <[email protected]> wrote:

> Hi,
>
> > the DHCP Request’s Client Identifier field is set to the DER ASN1 DN
> > identifier of the client. I expected to see the FQDN in this field so
> > that it could be used for pre-configured static assignment in the DHCP
> > server’s configuration file.
>
> The identity used in the Client Identifier is the one the IKE peer used
> to authenticate itself in the IKE IDi payload (C=US, O=Sample,
> CN=rw1.sample.org). This is the case for all IP pool backends. While we
> could use another identity from the certificate, this is tricky: Which
> one should we choose if there are multiple types, or even multiple
> subjectAltNames for the same type?
>
> The Android client authenticates itself with the certificate subject
> when using certificate authentication, which is a full Distinguished
> Name.
>
> @Tobias, there is currently no way to change that, right?
>
> > I also attached rightid_dns showing the failure of the SA establishment if
> > rightid is set to the DNS of the client.
>
> If the rightid is set this way, the identity the client uses does not
> match anymore to your server connection. The peer gets rejected.
>
> Regards
> Martin
