Will do, and report any findings.
Thanks Noel.
--Jafar
On 12/9/2017 5:05 PM, Noel Kuntze wrote:
No, you're probably doing something wrong.
Configure logging with the configuration on the HelpRequests[1] page and read
it after you did your testing.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 08.12.2017 23:13, Jafar Al-Gharaibeh wrote:
The configurations below were at the responder side. After trying different
options at the initiator side, changing the leftid, I tracked the issue (or the
behavior) to how the default leftid is selected at the initiator side. The
documentation says that the leftid defaults to the DN of the configured
certificate. That is the case in most of my testing, even if I configure SAN
fields, unless I configure a SAN field of type IP address. The leftid in that
case defaults to the IP address instead of the DN. Is that to be expected?
Thanks,
Jafar
On 12/8/2017 2:27 PM, Jafar Al-Gharaibeh wrote:
I have two certificates
certA.pem with DN set to "CN=strongswan"
certB.pem with DN set to "CN=strongswan" and one SAN field set to "IP:2.2.2.2"
If I use certA.pem in a config like the following, it works (i.e. I can get the
connection up and running):
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certA.pem
    rightid="CN=strongswan"
If I switch to use certB.pem then it fails if everything else stays the same,
even though the DN is exactly the same:
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid="CN=strongswan"
If I change the rightid to match the IP address in the SAN field then it
works again:
conn vpn
    left=1.1.1.1
    right=2.2.2.2
    rightcert=certB.pem
    rightid=2.2.2.2
It is as if, when the SAN field is present, it is preferred over the DN and it
is the only one matched. The documentation of left/rightid says the id is
matched against the DN or any SAN field, but this is not what I see in my
setup. Is this expected? What am I missing?
Thanks in advance,
Jafar
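A practical check for the situation described in both of Jafar's messages: before deciding what to put in leftid/rightid, list every identity a certificate actually carries (subject DN plus each subjectAltName entry) and pin the id explicitly on both ends instead of relying on the default selection. The script below rebuilds certA.pem and certB.pem as described in the thread with openssl and prints each identity in ipsec.conf syntax. This is an added example, not code from the thread or from the strongSwan project; the file names, the RSA key type, the one-day validity and the use of the openssl 1.1.1+ options -addext and -ext are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the two certificates Jafar
# describes and list every identity each one carries, so the value used for
# leftid/rightid can be checked against the certificate before testing the
# tunnel.  File names, key type and validity period are assumptions.
set -e

# certA: subject DN only.  certB: same DN plus one IP subjectAltName.
# Both are self-signed test certificates written to the current directory.
make_certs() {
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=strongswan" \
        -keyout keyA.pem -out certA.pem 2>/dev/null
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=strongswan" -addext "subjectAltName=IP:2.2.2.2" \
        -keyout keyB.pem -out certB.pem 2>/dev/null
}

# Subject DN in RFC 2253 form, e.g. "CN=strongswan".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Every subjectAltName entry, one per line, as "type:value"; empty if none.
# openssl prints "No extensions matched ..." when the extension is absent;
# the grep drops that line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -Eo '(IP Address|DNS|email|URI):[^,]+' | sed 's/ *$//' || true
}

# Print each identity the certificate can vouch for, in ipsec.conf syntax:
# the DN (quoted) and each SAN value (IP, DNS, email or URI) as-is.
suggest_ids() {
    printf 'leftid="%s"\n' "$(cert_subject "$1")"
    cert_sans "$1" | while IFS= read -r san; do
        case "$san" in
            "IP Address:"*) printf 'leftid=%s\n' "${san#IP Address:}" ;;
            DNS:*)          printf 'leftid=%s\n' "${san#DNS:}" ;;
            email:*)        printf 'leftid=%s\n' "${san#email:}" ;;
            URI:*)          printf 'leftid=%s\n' "${san#URI:}" ;;
        esac
    done
}

make_certs
for c in certA.pem certB.pem; do
    echo "== $c"
    suggest_ids "$c"
done
```

For certA.pem the only candidate is the DN; for certB.pem both the DN and 2.2.2.2 are listed. Whichever one the peer expects in rightid, setting leftid to that same value explicitly on the initiator keeps the default selection out of the picture, and the charon log configured as Noel suggests shows which identity was actually sent in the IKE_AUTH exchange.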