[Swan] Selecting incorrect conn ID for incoming IKEv2 connection

Ian Dobson ird at oob.id.au
Tue Jun 11 12:39:32 UTC 2019


> CN is not valid for ID_FQDN. Only SAN is. You can only use ID_DER_ASN1_DN
> (subject of the certificate) as id type if you don't have SubjectAltName
> with type DNS for use as ID_FQDN. CN= is just a field of the subject,
> not used for FQDN.

Sorry, that seems opposite to what I am experiencing.

As stated above, I *do* have SubjectAltName with type DNS for use as the
ID_FQDN. Certificate for vpn.oob.id.au says:

            X509v3 Subject Alternative Name:
                DNS:vpn.oob.id.au

But if I use "leftid=@vpn.oob.id.au" in the conn section to match the
peer, then libreswan initially matches this conn then switches away from
this to another conn block which is less specific (roadwarrior conn, which
allows any certificate signed by the same CA as the local end's
certificate, as per configs shown in my original post).

However if I use the ID_DER_ASN1_DN subject string as the leftid then
libreswan does match the conn correctly.

Ian
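A check for the certificate side of this discussion, added here as an example and not code from the thread or from libreswan: it lists the DNS SubjectAltName entries and the subject DN of a PEM certificate and prints the corresponding leftid forms (ID_FQDN from a DNS SAN, ID_DER_ASN1_DN from the subject), treating the CN alone as unusable for ID_FQDN. It assumes the openssl CLI (1.1.1 or newer, for `-ext`) is on PATH; the certificate path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original thread: inspect a PEM certificate
# and print the leftid/rightid forms that can be matched against it.
# Assumes the openssl CLI (1.1.1 or newer, for -ext) is on PATH.

# DNS entries of the Subject Alternative Name, one per line (may be empty).
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Subject DN in the order stored in the certificate, RDNs comma separated.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus 2>/dev/null \
        | sed 's/^subject= *//'
}

# Exit 0 if $2 appears as a DNS SAN in certificate $1 (usable as ID_FQDN),
# 1 otherwise. A matching CN on its own does not count.
fqdn_in_san() {
    san_dns_names "$1" | grep -qx -- "$2"
}

# Print the id forms libreswan could match for this certificate:
# the subject DN always, plus one @name line per DNS SAN entry.
leftid_candidates() {
    cert=$1
    printf 'ID_DER_ASN1_DN  leftid="%s"\n' "$(subject_dn "$cert")"
    names=$(san_dns_names "$cert")
    if [ -z "$names" ]; then
        echo "no DNS SAN: ID_FQDN (leftid=@name) cannot be used; CN is not consulted"
        return 1
    fi
    for n in $names; do
        printf 'ID_FQDN         leftid=@%s\n' "$n"
    done
}
```

Run `leftid_candidates /path/to/cert.pem` against the peer certificate before choosing between `leftid=@name` and the DN form.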