[Swan] Selecting incorrect conn ID for incoming IKEv2 connection

Tuomo Soini tis at foobar.fi
Tue Jun 11 11:34:19 UTC 2019


On Tue, 11 Jun 2019 20:40:59 +1000
"Ian Dobson" <ird at oob.id.au> wrote:

>  I have found a work-around: by modifying the 'conn vpn' section:
> 
>   replace
>         leftid=@vpn.oob.id.au
>   with
>         leftid="C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au"
> 
> everything seems to work.
> 
> 
> But I don't understand why this is necessary, as the vpn.oob.id.au
> certificate has CN "vpn.oob.id.au" and X509v3 SAN "DNS:vpn.oob.id.au".
> None of the documentation & examples I have seen references a need to
> quote the full Subject in the leftid.

CN is not valid for ID_FQDN. Only SAN is. You can only use
ID_DER_ASN1_DN (subject of the certificate) as id type if you don't
have SubjectAltName with type DNS for use as ID_FQDN. CN= is just a
field of the subject, not used for FQDN.




-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
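As an added illustration of the matching rule Tuomo describes (example code written for this page, not from the Swan project itself, using constructed certificate data): a leftid starting with "@" is an ID_FQDN and is compared only against SubjectAltName DNS entries, while a DN-looking leftid is an ID_DER_ASN1_DN compared against the Subject, so a certificate with only a CN can never satisfy "@vpn.oob.id.au". The DN parser is a simplification that ignores escaped commas.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the fields of an X.509 cert that matter here."""
    subject: str                            # RFC 4514-style DN string
    san_dns: list = field(default_factory=list)   # SAN DNS entries


# Constructed sample data modelled on the thread, not real certificates.
CERT_CN_ONLY = Cert(subject="C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au")
CERT_WITH_SAN = Cert(subject=CERT_CN_ONLY.subject, san_dns=["vpn.oob.id.au"])
WORKAROUND_ID = "C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au"


def parse_dn(dn):
    """Split 'C=AU, ST=Victoria, CN=x' into ordered (ATTR, value) pairs.
    Order matters in an ASN.1 DN, so a list rather than a set is kept.
    Simplification: values containing escaped commas are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def id_type(leftid):
    """Classify a leftid string the way the thread describes."""
    if leftid.startswith("@"):
        return "ID_FQDN"          # matched against SAN DNS only
    if "=" in leftid:
        return "ID_DER_ASN1_DN"   # matched against the Subject DN
    return "unsupported"          # addresses etc. are out of scope here


def id_matches_cert(leftid, cert):
    """True if leftid can be matched against cert under the rule above.
    The Subject CN is deliberately never consulted for ID_FQDN."""
    kind = id_type(leftid)
    if kind == "ID_FQDN":
        fqdn = leftid[1:].lower()
        return fqdn in [name.lower() for name in cert.san_dns]
    if kind == "ID_DER_ASN1_DN":
        return parse_dn(leftid) == parse_dn(cert.subject)
    return False


def usable_leftids(cert):
    """List the leftid values that would match this certificate."""
    return ["@" + name for name in cert.san_dns] + [cert.subject]
```

Running `usable_leftids(CERT_CN_ONLY)` shows only the full Subject DN, which is exactly the workaround Ian found.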

