[Swan] Selecting incorrect conn ID for incoming IKEv2 connection

Tuomo Soini tis at foobar.fi
Tue Jun 11 11:34:19 UTC 2019

On Tue, 11 Jun 2019 20:40:59 +1000
"Ian Dobson" <ird at oob.id.au> wrote:

>  I have found a work-around: by modifying the 'conn vpn' section:
>   replace
>         leftid=@vpn.oob.id.au
>   with
>         leftid="C=AU, ST=Victoria, L=Surrey Hills, O=OOB,
> CN=vpn.oob.id.au"
> everything seems to work.
> But I don't understand why this is necessary, as the vpn.oob.id.au
> certificate has CN "vpn.oob.id.au" and X509v3 SAN "DNS:vpn.oob.id.au".
> None of the documentation & examples I have seen references a need to
> quote the full Subject in the leftid.

CN is not valid for ID_FQDN. Only SAN is. You can only use
ID_DER_ASN1_DN (subject of the certificate) as id type if you don't
have SubjectAltName with type DNS for use as ID_FQDN. CN= is just a
field of the subject, not used for FQDN.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

More information about the Swan mailing list