[Swan] Using cert DN for connection matching

Tuomo Soini tis at foobar.fi
Sat Jan 29 17:51:18 EET 2022


On Fri, 28 Jan 2022 00:41:19 +0100
Jan Koriťák <jenda at pudr.com> wrote:

> Hello,
> 
> I was trying to have two different address pools for clients based on
> info in certificate DN.
> 
> I did this by configuring two basically identical connections, just
> with different rightaddresspool and rightid.
> 
> conn ikev2-cp-static
>   rightid="CN=static,O=IKEv2 VPN"
> 
> conn ikev2-cp-others
>   rightid="CN=vpnclient,O=IKEv2 VPN"

For others you want rightid=%fromcert so it matches all valid
certificates. Or rightid="CN=*,O=IKEv2 VPN".


> This however didn't do what I wanted, because no matter which cert I
> have used on the client, the "ikev2-cp-static" connection was always
> matched on the server (and subsequently failed on certificate auth in
> case I used the cert with CN=vpnclient).

Note: ALL fields in the certificate subject must be present in the
configuration for it to match at all. So if you have
rightid="CN=*,O=IKEv2 VPN" and the certificate has "CN=testclient", this
can't match. Or, the other way around, if the certificate has more
fields it doesn't match either.

Also note you need one certificate per road warrior. So the same
certificate can't be used on multiple road warriors (some call these
clients, but in IPsec terminology it is different).


-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
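The DN matching rules stated in the reply, modelled as an added example (this is not libreswan's code and does not claim to reproduce its parser; the semantics of `%fromcert`, the `*` wildcard, and the "all fields on both sides" rule are taken from the text above, and the connection names and subjects are the thread's own, with one constructed extra subject to show the "more fields" case):

```python
# Added example: models the rightid-vs-certificate-subject matching rules as
# described in the reply. Assumption: this is a simplified model, not
# libreswan's actual implementation.
from typing import Dict, List, Optional, Tuple

FROMCERT = "%fromcert"


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a simple 'CN=x,O=y' string into an attribute dict.
    Assumes no escaped commas, which suffices for the DNs in this thread."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not key or not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def dn_matches(rightid: str, cert_subject: str) -> bool:
    """True if the certificate subject satisfies rightid.
    %fromcert accepts any (already validated) certificate; otherwise the
    attribute sets must be identical on both sides (a missing or extra
    field on either side is a mismatch) and '*' matches any value."""
    if rightid == FROMCERT:
        return True
    want = parse_dn(rightid)
    have = parse_dn(cert_subject)
    if set(want) != set(have):
        return False
    return all(v == "*" or v == have[k] for k, v in want.items())


def select_conn(conns: List[Tuple[str, str]], cert_subject: str) -> Optional[str]:
    """Return the first connection whose rightid matches the subject.
    Order matters: the specific conn must precede the wildcard catch-all."""
    for name, rightid in conns:
        if dn_matches(rightid, cert_subject):
            return name
    return None


# Constructed configuration mirroring the thread, specific entry first.
CONNS = [
    ("ikev2-cp-static", "CN=static,O=IKEv2 VPN"),
    ("ikev2-cp-others", "CN=*,O=IKEv2 VPN"),
]

if __name__ == "__main__":
    for subj in ("CN=static,O=IKEv2 VPN", "CN=vpnclient,O=IKEv2 VPN",
                 "CN=testclient", "CN=static,O=IKEv2 VPN,OU=lab"):
        print(f"{subj:40} -> {select_conn(CONNS, subj)}")
```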

