[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)

Kevan Benson kbenson at a-1networks.com
Wed Dec 14 11:37:06 CET 2005


In trying to get certs configured, I'm running into a problem with getting 
wildcards working.  If I specify the distinguished name entirely on both 
ends, it connects fine.  If I specify a wildcard for a portion of the CN (all 
I'm trying to wildcard at this point), it fails with this error:

we require peer to have ID 'C=US, ST=California, L=Santa Rosa, O=Example Co, CN=*.vpn.example.net, E=ca-admin@example.net', but peer declares 'C=US, ST=California, L=Santa Rosa, O=Example Co, CN=test100.vpn.example.net, E=ca-admin@example.net'

If I specify the CN as a wildcard entirely (CN=*) I get this error:

031 "test100": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)

which logs on the other side and tcpdumps confirm isn't doing anything on the 
network (local configuration error I guess).  Here's my config, other side is 
the same but called test200, with a subnet of 192.168.200.0/24, and without 
the wildcard (known working config).


version 2.0     # conforms to second version of ipsec.conf specification

conn %default
        left=192.168.167.100
        leftcert=test100.vpn.example.net.cert
        leftrsasigkey=%cert
        leftnexthop=%defaultroute
        leftsubnet=192.168.100.0/24
        #dpdaction=hold
        authby=rsasig
        auto=add

conn test200
        right=192.168.167.200
        rightca=%same
        rightid="C=US, ST=California, L=Santa Rosa, O=Example Co, CN=test200.vpn.example.net, E=ca-admin@example.net"
        rightrsasigkey=%cert
        rightsubnet=192.168.200.0/24
        rightnexthop=%defaultroute


#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


Both hosts have identical hardware and software, OS being CentOS 4.1.
[root@test200 ~]# uname -a
Linux test200.vpn.example.net 2.6.11-CT.0.4.VPN #7 Thu Oct 27 14:51:43 PDT 2005 i686 i686 i386 GNU/Linux
This is a custom kernel built using the stock 2.6.11 sources and redhat's 
kernel config.  Not patched for NAT-T, and I'm using KLIPS.

BTW, what's considered the most stable kernel version to run at this point?

-- 
Kevan Benson
A-1 Networks
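Added example (editor's illustration, not code from the post or from Openswan): a small model of per-RDN wildcard matching for DN identities, where a required RDN value of exactly "*" matches anything and any other value must match literally, which is the rule the two errors above are consistent with. The DNs below are constructed from the ones in the post with the address de-obfuscated; the functions and their names are assumptions for illustration.

```python
from typing import List, Tuple

# Constructed sample identities modelled on the post (assumption: the
# mailing list replaced "@" with " at "; restored here).
DECLARED = ("C=US, ST=California, L=Santa Rosa, O=Example Co, "
            "CN=test100.vpn.example.net, E=ca-admin@example.net")
PARTIAL_WILDCARD = DECLARED.replace("CN=test100.vpn.example.net",
                                    "CN=*.vpn.example.net")
FULL_WILDCARD = DECLARED.replace("CN=test100.vpn.example.net", "CN=*")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=US, ST=California, CN=x' into [(attr, value), ...].

    Simplification: values containing a literal ',' are not supported."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def match_dn(required: str, declared: str) -> Tuple[bool, int]:
    """Return (matched, wildcard_count) for a required ID vs a peer's DN.

    Same number of RDNs with the same attribute types in the same order; a
    required value of exactly '*' matches any value and counts as a
    wildcard; anything else (including '*.vpn.example.net') must be equal,
    compared case-insensitively."""
    req, dec = parse_dn(required), parse_dn(declared)
    if len(req) != len(dec):
        return False, 0
    wildcards = 0
    for (ra, rv), (da, dv) in zip(req, dec):
        if ra != da:
            return False, 0
        if rv == "*":
            wildcards += 1
        elif rv.lower() != dv.lower():
            return False, 0
    return True, wildcards


def can_initiate(rightid: str) -> bool:
    """A conn whose peer ID carries a wildcard is only usable as responder:
    it does not identify one peer, so there is nothing to initiate to."""
    return all(v != "*" for _, v in parse_dn(rightid))
```

Under this rule the partial wildcard is rejected as a literal mismatch, while CN=* matches but leaves the conn unable to initiate, so only the non-wildcard side can start the tunnel.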
