
List:       strongswan-users
Subject:    [strongSwan] Cannot set ID to FQDN with certificate loa
From:       <strongswan () dinplug ! com>
Date:       2008-08-06 15:28:08
Message-ID: 20080806152808.28999.qmail () thehosting123 ! com

Hi everyone,

I am trying to set up a GW which will use certs to authenticate itself and EAP for
the peer (RW) authentication. I created my own self-signed cert (see details below)
and included the subjectAltName=FQDN but cannot get rid of the strongSwan error
message:

03[CFG]   peerid sgw.myco.com not confirmed by certificate, defaulting to subject DN

I also tried to set the subjectAltName to DNS:FQDN but this did not help.

I want the IDr in the AUTH to be of type ID_FQDN not ID_DER_ASN1_DN as it is at the
moment.

Can anyone help?

Many thanks,

Ian.

01[DMN] starting charon (strongSwan Version 4.2.5)
01[KNL] listening on interfaces:
01[KNL]   eth0
01[KNL]     192.168.50.135
01[KNL]     fe80::215:c5ff:feaf:3d4d
01[KNL]   dummy0
01[KNL]     10.10.1.1
01[KNL]     fe80::d4c3:1dff:fef1:73d8
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG]   loaded private key file '/usr/src/ca/sslcert/private/cakey.pem'
01[JOB] spawning 16 worker threads
> charon (3363) started
03[CFG] received stroke: add connection 'rw-eapsim'
03[LIB]   loaded certificate file '/usr/src/ca/sslcert/cacert.pem'
03[CFG]   peerid sgw.myco.com not confirmed by certificate, defaulting to subject DN
03[CFG] added configuration 'rw-eapsim': 192.168.50.135[O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com, subjectAltName=sgw.myco.com]...0.0.0.0[*@outandabout.com]

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c0:5d:ee:59:86:37:6e:19
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com/subjectAltName=sgw.myco.com
        Validity
            Not Before: Aug  6 15:38:54 2008 GMT
            Not After : Aug  6 15:38:54 2009 GMT
        Subject: O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com/subjectAltName=sgw.myco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                88:89:45:FC:10:82:A4:9D:8D:A1:B3:0C:13:0F:50:AD:5A:88:F5:BA
            X509v3 Authority Key Identifier:
                keyid:88:89:45:FC:10:82:A4:9D:8D:A1:B3:0C:13:0F:50:AD:5A:88:F5:BA
                DirName:/O=MyCo Ltd/OU=SW/L=Swindon/ST=Wiltshire/C=GB/CN=sgw.myco.com/subjectAltName=sgw.myco.com
                serial:C0:5D:EE:59:86:37:6E:19

    Signature Algorithm: md5WithRSAEncryption

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
	plutodebug=all
	charondebug=all
	strictcrlpolicy=no
	nat_traversal=yes
	plutostart=no

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn rw-eapsim
	authby=rsasig
	eap=sim
	left=192.168.50.135
	leftsubnet=10.10.0.0/16
	leftcert=/usr/src/ca/sslcert/cacert.pem
	leftid=@sgw.myco.com
	right=%any
	rightid=*@outandabout.com
	rightsendcert=never
	auto=add
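
An added diagnostic, not part of the original message and not strongSwan code: it reads `openssl x509 -text` output and reports whether an FQDN ID such as the `leftid` above is backed by a dNSName in the X509v3 Subject Alternative Name extension, or only by a `subjectAltName=` attribute inside the subject DN, which is what the dump in this post shows (its extensions list has no Subject Alternative Name entry). The function names, status strings and the second sample dump are constructed for illustration.

```python
import re

# Constructed sample: the identity-relevant lines of the dump in this post.
DUMP_FROM_POST = """\
        Subject: O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com/subjectAltName=sgw.myco.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""

# Constructed sample: how the dump reads when the name is a real extension.
DUMP_WITH_EXTENSION = """\
        Subject: O=MyCo Ltd, C=GB, CN=sgw.myco.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sgw.myco.com, IP Address:192.168.50.135
"""


def san_dns_names(dump):
    """Return the dNSName values listed under the SAN extension, lowercased."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Subject Alternative Name:"):
            values = lines[i + 1] if i + 1 < len(lines) else ""
            return [v.strip()[4:].lower() for v in values.split(",")
                    if v.strip().startswith("DNS:")]
    return []


def subject_line(dump):
    """Return the text of the 'Subject:' line (not 'Subject Public Key Info')."""
    m = re.search(r"^\s*Subject:\s*(.*)$", dump, re.MULTILINE)
    return m.group(1) if m else ""


def check_fqdn_id(dump, leftid):
    """Classify how (or whether) the certificate backs an FQDN identity."""
    fqdn = leftid.lstrip("@").lower()   # ipsec.conf marks FQDN IDs with '@'
    if fqdn in san_dns_names(dump):
        return "confirmed-by-san-extension"
    if re.search(r"subjectAltName\s*=", subject_line(dump)):
        return "san-is-only-a-dn-attribute"
    return "no-matching-san"


if __name__ == "__main__":
    for name, dump in (("post", DUMP_FROM_POST), ("extension", DUMP_WITH_EXTENSION)):
        print(name, check_fqdn_id(dump, "@sgw.myco.com"))
```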