LAURIA Giuseppe giuseppe.lauria at axa-winterthur.ch
Fri Feb 1 09:12:28 UTC 2019

Hi Paul.

Thank you very much.

Now the problem is I re used the server certificate of this application to use it also as ipsec certificate.

So either I should order the DNS-Alias to match the <CN-of-LB-Alias-which-does-not-yet-exist>.
Or I should order new certificates . I think I order the new certificates.

What is best practice , to have just the 'ipsec' own certificate ? And not to reuse application ( server ) certificates ? 

And would you use the dns-alias or the hostname of the box ? The dns-alias is somewhat 'readable', whereas the hostname is cryptic in our company. ( Eg Alias = 'cherryCloudProd1.<domain>' vs hostname = 'fhcs201a.<domain>' )

We would prefer to use the Alias, but if best practice is hostname I think I would order the new certificate containing the hostname.

Thank you very much.

Best regards.

-----Ursprüngliche Nachricht-----
Von: Paul Wouters <paul at nohats.ca> 
Gesendet: Donnerstag, 31. Januar 2019 19:21
An: LAURIA Giuseppe <giuseppe.lauria at axa-winterthur.ch>
Cc: swan at lists.libreswan.org

On Thu, 31 Jan 2019, LAURIA Giuseppe wrote:

> We are using libreswan between two different RedHat Servers and want to do host-to-host transport tunnel encryption to port 8080.

> Left: RHEL 7.6 ( SELinux set to Permissive ) libreswan version: 
> libreswan-3.25-2.el7.x86_64

> Right: RHEL 6.10
> Libreswan version : libreswan-3.15-7.5.el6_9.x86_64

> I have to say that the left certificate has a CN which contains an 
> left-server-alias for Loadbalancer, which is not yet in place. But the certificate has also a SAN list which contains the correct hostname.
> But if libreswan ignores SAN and checks for the exact entry in the first DN than this will fail.
> Can you say whether libreswan checks also for the SAN entries ?

libreswan does check SAN entries, but 3.15 is very old and does not have all the flexibility of recent libreswan's with respect to certificates.

> Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'

I would recommend using the full DN for the leftid/rightid to avoid the subjectAltNames altogether.


More information about the Swan mailing list