The configurations below were at the responder side. After trying
different options at the initiator side, changing the leftid, I tracked
the issue (or the behavior) down to how the default leftid is selected at the
initiator side. The documentation says that the leftid defaults to the
DN of the configured certificate. That is the case in most of my testing,
even if I configure SAN fields, unless I configure a SAN field of type
IP address. The leftid in that case defaults to the IP address instead
of the DN. Is that to be expected?
Thanks,
Jafar
On 12/8/2017 2:27 PM, Jafar Al-Gharaibeh wrote:
I have two certificates
certA.pem with DN set to "CN=strongswan"
certB.pem with DN set to "CN=strongswan" and one san field set to
"IP:2.2.2.2"
If I use certA.pem in a config like the following, it works (i.e. I can
get the connection up and running):
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certA.pem
    rightid="CN=strongswan"
If I switch to certB.pem then it fails if everything else stays
the same, even though the DN is exactly the same:
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid="CN=strongswan"
If I change the rightid to match the IP address in the san field
then it works again:
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid=2.2.2.2
It is as if, when the san field is present, it is preferred over the DN
and it is the only one matched. The documentation of left/rightid
says the id is matched against the DN OR any san field, but this is
not what I see in my setup. Is this expected? What am I missing?
Thanks in advance,
Jafar
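The following is an added example, not code from the thread or from strongSwan. It is a small pure-Python model of the two things the thread is about: which identities a certificate can assert (its subject DN plus each subjectAltName), and how a configured left/rightid string is typed and compared against them. The certificate data (certA with only a DN, certB with the same DN plus an "IP:2.2.2.2" SAN) is constructed inline to mirror the thread; nothing is parsed from real PEM files. The function default_identity_observed models only the behaviour reported above (an IP SAN, when present, wins over the DN as the default id) and is an assumption, not strongSwan's actual selection logic. Walking a certificate's identities this way is a quick check to run when an id mismatch is suspected before changing the configuration.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class CertIdentities:
    """Identity-relevant fields of an X.509 certificate (constructed, not parsed)."""
    subject_dn: str
    sans: list = field(default_factory=list)  # e.g. "IP:2.2.2.2", "DNS:vpn.example.org"


def normalize_dn(dn):
    """Split 'CN=strongswan, O=Example' into ((ATTR, value), ...) with attribute
    names upper-cased and whitespace trimmed, so two spellings of one DN compare equal."""
    rdns = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def classify_id(ident):
    """Type a left/rightid string from its textual form (simplified model):
    an IP address, a DN containing '=', an e-mail style id, else an FQDN."""
    s = ident.strip().strip('"')
    try:
        return ("IP", str(ipaddress.ip_address(s)))
    except ValueError:
        pass
    if "=" in s:
        return ("DN", normalize_dn(s))
    if "@" in s:
        return ("email", s.lower())
    return ("DNS", s.lower().rstrip("."))


def cert_identities(cert):
    """Every identity the certificate can assert: subject DN plus each SAN entry."""
    ids = [("DN", normalize_dn(cert.subject_dn))]
    for san in cert.sans:
        kind, _, value = san.partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "IP":
            ids.append(("IP", str(ipaddress.ip_address(value))))
        elif kind == "DNS":
            ids.append(("DNS", value.lower().rstrip(".")))
        elif kind == "EMAIL":
            ids.append(("email", value.lower()))
    return ids


def id_matches_cert(ident, cert):
    """The documented rule: the id matches the subject DN OR any SAN."""
    return classify_id(ident) in cert_identities(cert)


def default_identity_observed(cert):
    """Assumption: model of the behaviour reported in the thread when no
    left/rightid is configured - the first IP SAN if present, else the DN."""
    for kind, value in cert_identities(cert):
        if kind == "IP":
            return value
    return cert.subject_dn


def diagnose(ident, cert):
    """Return a short report of which identities the cert holds and whether
    the configured id matches any of them."""
    lines = ["cert asserts: " + ", ".join(f"{k}={v}" for k, v in cert_identities(cert))]
    lines.append(f"configured id {ident!r} -> {'match' if id_matches_cert(ident, cert) else 'NO match'}")
    lines.append(f"default id without left/rightid (observed model): {default_identity_observed(cert)}")
    return lines


if __name__ == "__main__":
    # Constructed to mirror the thread: same DN, certB adds an IP SAN.
    cert_a = CertIdentities("CN=strongswan")
    cert_b = CertIdentities("CN=strongswan", ["IP:2.2.2.2"])
    for name, cert in (("certA", cert_a), ("certB", cert_b)):
        print(name)
        for line in diagnose('"CN=strongswan"', cert):
            print("  " + line)
```

Under the documented DN-or-SAN rule, rightid="CN=strongswan" matches both certA and certB, and rightid=2.2.2.2 matches only certB; the observed default-id model returns the DN for certA but 2.2.2.2 for certB, which is the asymmetry the thread describes. If the real peer presents an id of a different type than the one configured on the other side, comparing the typed tuples as above shows it immediately.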