Paul Wouters paul at nohats.ca
Thu Jan 31 18:20:43 UTC 2019

On Thu, 31 Jan 2019, LAURIA Giuseppe wrote:

> We are using libreswan between two different RedHat Servers and want to do host-to-host transport tunnel encryption to port 8080.

> Left: RHEL 7.6 ( SELinux set to Permissive )
> libreswan version: libreswan-3.25-2.el7.x86_64

> Right: RHEL 6.10
> Libreswan version : libreswan-3.15-7.5.el6_9.x86_64

> I have to say that the left certificate has a CN which contains a left-server alias for a load balancer, which is not yet in place. But the certificate also has a SAN list
> which contains the correct hostname.
> But if libreswan ignores the SAN and checks for the exact entry in the first DN, then this will fail.
> Can you say whether libreswan also checks the SAN entries?

libreswan does check SAN entries, but 3.15 is very old and does not have
all the flexibility of recent libreswan releases with respect to certificates.

> Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'

I would recommend using the full DN for the leftid/rightid to avoid the
subjectAltNames altogether.
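To follow the advice above, the operator needs the certificate's subject DN in exactly the form libreswan logs for ID_DER_ASN1_DN (the log line quoted earlier shows that form), and a quick way to see which names are only in the SAN. The script below is an added example, not code from the thread or from the libreswan project; it assumes OpenSSL 1.1.1 or later (for `-addext` in the constructed test certificate), and the hostnames lb-alias.example.test and left.example.test are constructed values that stand in for the load-balancer alias and the real host in the thread.

```shell
#!/bin/sh
# Added example (not from the libreswan project or the mailing-list thread):
# print a certificate's subject DN in the "C=.., O=.., CN=.." form that
# libreswan logs for ID_DER_ASN1_DN, plus its subjectAltName entries, so the
# exact DN can be pasted into leftid=/rightid= instead of relying on SAN
# matching. Requires OpenSSL 1.1.1+ (for -addext in the constructed test cert).

# Print the subject DN with RDNs in certificate order, comma-space separated.
# openssl's RFC2253 output lists RDNs in reverse (CN first), so reverse it
# back. Caveat: values containing a literal comma (escaped as "\," by
# RFC2253) would be split incorrectly by this simple awk pass.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed 's/^subject= *//' \
      | awk -F',' '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? ", " : "\n") }'
}

# Print the subjectAltName line (e.g. "DNS:host.example.test, DNS:other"),
# or nothing if the certificate carries no SAN extension.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Emit the ipsec.conf identity line for one side ("left" or "right").
# The DN must be quoted because it contains commas and spaces.
ipsec_conf_id_line() {
    printf '%sid="%s"\n' "$1" "$(cert_subject_dn "$2")"
}

# Build a constructed self-signed test certificate whose CN is a load-balancer
# alias while the real hostname appears only in the SAN (the situation in the
# thread). Prints the directory holding cert.pem and key.pem.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/C=XX/O=Example/CN=lb-alias.example.test" \
        -addext "subjectAltName=DNS:left.example.test" >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh cert_id.sh [cert.pem]; without an argument the constructed
# certificate above is generated and inspected.
if [ $# -gt 0 ]; then
    cert=$1
else
    cert="$(make_test_cert)/cert.pem"
fi
echo "Subject DN : $(cert_subject_dn "$cert")"
echo "SAN entries: $(cert_sans "$cert")"
ipsec_conf_id_line left "$cert"
```

On the constructed certificate the subject DN comes out as C=XX, O=Example, CN=lb-alias.example.test while the only SAN is DNS:left.example.test, which is exactly the mismatch described in the question; pasting the printed leftid= line (and the corresponding rightid= for the peer's certificate) into the connection makes the match independent of whether the peer's libreswan consults the SAN list.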
