No, you're probably doing something wrong.
Configure logging with the configuration on the HelpRequests[1] page and read 
the log after you have done your testing.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 08.12.2017 23:13, Jafar Al-Gharaibeh wrote:
> The configurations below were at the responder side. After trying different 
> options at the initiator side (changing the leftid) I tracked the issue, or 
> the behavior, to how the default leftid is selected at the initiator side. The 
> documentation says that the leftid defaults to the DN of the configured 
> certificate. That is the case in most of my testing even if I configure SAN 
> fields, unless I configure a SAN field of type IP address. The leftid in that 
> case defaults to the IP address instead of the DN. Is that to be expected?
>
> Thanks,
> Jafar
>
> On 12/8/2017 2:27 PM, Jafar Al-Gharaibeh wrote:
>>
>> I have two certificates
>> certA.pem with DN set to "CN=strongswan"
>> certB.pem with DN set to "CN=strongswan" and one SAN field set to 
>> "IP:2.2.2.2"
>>
>>
>> If I use certA.pem in a config like the following, it works (i.e. I can get 
>> the connection up and running):
>> conn vpn
>>    left=1.1.1.1
>>    right=2.2.2.2
>>    rightcert=certA.pem
>>    rightid="CN=strongswan"
>>
>>
>> If I switch to certB.pem, it fails, even though everything else stays the 
>> same and the DN is exactly the same:
>> conn vpn
>>    left=1.1.1.1
>>    right=2.2.2.2
>>    rightcert=certB.pem
>>    rightid="CN=strongswan"
>>
>>
>> If I change the rightid to match the IP address in the SAN field then it 
>> works again:
>> conn vpn
>>    left=1.1.1.1
>>    right=2.2.2.2
>>    rightcert=certB.pem
>>    rightid=2.2.2.2
>>
>>
>> It is as if, when the SAN field is present, it is preferred over the DN and 
>> it is the only one matched. The documentation of left/rightid says the id 
>> is matched against the DN OR any SAN field, but this is not what I see in my 
>> setup. Is this expected? What am I missing?
>>
>>
>> Thanks in advance,
>> Jafar
>>
>>
>>
>>
>

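As an added example, not part of the thread and not strongSwan's own tooling: a shell script that rebuilds the two test certificates Jafar describes with OpenSSL (same DN, certB adds an IP SAN), lists the subject DN and SANs each one carries (the values left/rightid are matched against), and emits a conn block that sets leftid and rightid explicitly to the DN, so the connection no longer depends on how the default identity is chosen. It assumes OpenSSL is installed and reuses the addresses and file names from the thread; strongSwan itself is not needed to run it.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce certA/certB with OpenSSL,
# show which identities each certificate can confirm, and print a conn that
# pins both ids to the DN. Assumes OpenSSL is installed; the addresses and
# file names are the ones used in the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config. The [san] extension section is only used for certB.
write_cnf() {
    cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = strongswan
[nosan]
basicConstraints = CA:FALSE
[san]
basicConstraints = CA:FALSE
subjectAltName = IP:2.2.2.2
EOF
}

# make_cert NAME EXTSECTION -> self-signed $WORK/NAME.pem and $WORK/NAME.key
make_cert() {
    name="$1"; ext="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/req.cnf" -extensions "$ext" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# cert_ids FILE -> prints the subject DN and every SAN, one per line.
# These are the identities the certificate can confirm for left/rightid.
cert_ids() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= */subject: /'
    openssl x509 -in "$1" -noout -text | awk '
        /Subject Alternative Name/ {
            getline; gsub(/^ +/, "")
            n = split($0, a, ", ")
            for (i = 1; i <= n; i++) print "san: " a[i]
        }'
}

# pinned_conn CERTNAME -> ipsec.conf conn block with both identities set
# explicitly to the DN, so a SAN in the certificate cannot change which
# identity is sent by the initiator or expected by the responder.
pinned_conn() {
    cat <<EOF
conn vpn
    left=1.1.1.1
    leftid="CN=strongswan"
    right=2.2.2.2
    rightcert=$1.pem
    rightid="CN=strongswan"
EOF
}

# demo -> builds both certs, prints their identities and the pinned conn.
demo() {
    write_cnf
    make_cert certA nosan
    make_cert certB san
    for c in certA certB; do
        echo "== $c"
        cert_ids "$WORK/$c.pem"
    done
    pinned_conn certB
}
```

Run `demo` to see that certA confirms only `CN=strongswan` while certB confirms both `CN=strongswan` and `IP Address:2.2.2.2`; whichever of those strongSwan picks as its default, setting leftid and rightid explicitly to the DN on both sides makes the expected identity unambiguous, and the log configured per the HelpRequests page will then show exactly which identity each peer sent.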