[Swan] Possible to setup multiple connections, partly behind NAT?
Paul Wouters
paul at nohats.ca
Mon Feb 12 22:07:07 EET 2024
On Sat, 10 Feb 2024, Tuomo Soini via Swan wrote:
> On Fri, 9 Feb 2024 23:35:39 +0100
> Phil Nightowl via Swan <swan at lists.libreswan.org> wrote:
>
>> I am used to utilise X.509, so I have leftid=%fromcert everywhere.
>> Does the above mean that I should use something like
>>
>> right=%any
>> rightid="CN=*.privlan,O=MyOrg,C=CA" ?
>
> That won't work. Wildcard can only match whole label. So this would
> work:
> rightid="C=CA, O=MyOrg, CN=*"
The easiest is to use different OU=s, and you can have multiple OU=s.
But remember to keep the RDN count the same for all certs, including its
CA.
Wildcards only match for an entire RDN, so e.g.:

conn paid
	rightid="C=CA, O=MyOrg, OU=PaidUsers, CN=*"
	also=userbase

conn unpaid
	rightid="C=CA, O=MyOrg, OU=FreeTier, CN=*"
	also=userbase

conn userbase
	[other params]
Paul
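The whole-RDN wildcard rule from this thread, as an added illustration (not libreswan's own matching code): a "*" only stands in for an entire RDN value, and the RDN count must be identical, so "CN=*.privlan" is a literal value, not a wildcard. The conn table, parser and DN values below are constructed for the example.

```python
from typing import List, Optional, Tuple

# Simplified model of the rightid matching rule described in the thread.
# Not libreswan's implementation: it ignores escaped/quoted commas and
# compares RDNs strictly in the order they are written.

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=CA, O=MyOrg, CN=*' into [('C','CA'), ('O','MyOrg'), ('CN','*')]."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def rightid_matches(pattern: str, peer_dn: str) -> bool:
    """True if peer_dn is accepted by the rightid pattern under the thread's rule."""
    want = parse_dn(pattern)
    have = parse_dn(peer_dn)
    if len(want) != len(have):      # RDN count must be the same
        return False
    for (pa, pv), (ha, hv) in zip(want, have):
        if pa != ha:                # attribute types must line up
            return False
        if pv == "*":               # wildcard: any value for this whole RDN
            continue
        if pv != hv:                # '*.privlan' is literal, so this rejects 'alice.privlan'
            return False
    return True

def select_conn(peer_dn: str, conns: dict) -> Optional[str]:
    """Return the first conn name whose rightid accepts peer_dn, else None."""
    for name, rightid in conns.items():
        if rightid_matches(rightid, peer_dn):
            return name
    return None

# Constructed conn table mirroring the paid/unpaid example above.
CONNS = {
    "paid": "C=CA, O=MyOrg, OU=PaidUsers, CN=*",
    "unpaid": "C=CA, O=MyOrg, OU=FreeTier, CN=*",
}

if __name__ == "__main__":
    print(select_conn("C=CA, O=MyOrg, OU=FreeTier, CN=bob", CONNS))   # unpaid
    print(rightid_matches("CN=*.privlan,O=MyOrg,C=CA",
                          "CN=alice.privlan,O=MyOrg,C=CA"))          # False
```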