[Swan] Selecting incorrect conn ID for incoming IKEv2 connection

Tuomo Soini tis at foobar.fi
Tue Jun 11 14:53:12 UTC 2019


On Tue, 11 Jun 2019 22:39:32 +1000
"Ian Dobson" <ird at oob.id.au> wrote:

> As stated above, I *do* have SubjectAltName with type DNS for use as
> the ID_FQDN. Certificate for vpn.oob.id.au says:
> 
>             X509v3 Subject Alternative Name:
>                 DNS:vpn.oob.id.au
> 
> But if I use "leftid=@vpn.oob.id.au" in the conn section to match the
> peer, then libreswan initially matches this conn then switches away
> from this to another conn block which is less specific (roadwarrior
> conn, which allows any certificate signed by the same CA as the local
> end's certificate, as per configs shown in my original post)
> 
> However if I use the ID_DER_ASN1_DN subject string as the leftid then
> libreswan does match the conn correctly.

That would be a bug. But if you want that to be fixed you'd need to
test with 3.29 first because there are significant changes since 3.25
version.


-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
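An added example, not from the thread or from libreswan, showing how to read both candidate leftid values off a certificate with OpenSSL 1.1.1 or newer: the Subject Alternative Name DNS entry that an ID_FQDN (`@name`) leftid refers to, and the subject DN that an ID_DER_ASN1_DN leftid refers to. The self-signed certificate it generates is a constructed stand-in; the name vpn.oob.id.au is the one from the thread. Assumes `openssl` and `mktemp` are on PATH.

```shell
#!/bin/sh
# Added example: list the two ID forms a certificate can supply for leftid/rightid.
set -eu

# Constructed throwaway certificate with both a subject DN and a SAN DNS entry,
# mirroring the shape of the certificate described in the thread.
make_test_cert() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/C=AU/O=Example Org/CN=vpn.oob.id.au" \
    -addext "subjectAltName=DNS:vpn.oob.id.au" >/dev/null 2>&1
}

# Print each SAN DNS name in the @name spelling that ipsec.conf uses for ID_FQDN.
# Without a DNS SAN there is nothing for an @name id to match against.
san_fqdn_ids() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/@\1/p'
}

# Print the subject DN (RFC 2253 rendering, CN first). This is the value behind an
# ID_DER_ASN1_DN id; ipsec.conf's own DN spelling and attribute order may differ,
# so compare attribute by attribute rather than as one string.
subject_dn_id() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Stand-alone demonstration: generate the cert and show both forms.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d"
  echo "ID_FQDN candidates:";        san_fqdn_ids "$d/cert.pem"
  echo "ID_DER_ASN1_DN candidate:";  subject_dn_id "$d/cert.pem"
  rm -rf "$d"
}

demo
```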

