[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)
andreas.steffen at strongsec.net
Wed Dec 14 23:55:10 CET 2005
Kevan Benson wrote:
> In trying to get certs configured, I'm running into a problem with getting
> wildcards working. If I specify the distinguished name entirely on both
> ends, it connects fine. If I specify a wildcard for a portion of the CN (all
> I'm trying to wildcard at this point), it fails with this error:
> we require peer to have ID 'C=US, ST=California, L=Santa Rosa, O=Example Co,
> CN=*.vpn.example.net, E=ca-admin at example.net', but peer declares 'C=US,
> ST=California, L=Santa Rosa, O=Example Co, CN=test100.vpn.example.net,
> E=ca-admin at example.net'
By design the wildcard character '*' cannot be used to substitute only
a part of an RDN.
> If I specify the CN as a wildcard entirely (CN=*) I get this error:
> 031 "test100": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)
You cannot initiate a wildcarded connection! As Paul correctly points
out, it can be used in passive responder mode with right=%any only.
You find a working example under the link
> which logs on the other side and tcpdumps confirm isn't doing anything on the
> network (local configuration error I guess). Here's my config, other side is
> the same but called test200, with a subnet of 192.168.200.0/24, and without
> the wildcard (known working config).
> version 2.0 # conforms to second version of ipsec.conf specification
> conn %default
> conn test200
> rightid="C=US, ST=California, L=Santa Rosa, O=Example Co,
> CN=test200.vpn.example.net, E=ca-admin at example.net"
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> Both hosts have identical hardware and software, OS being CentOS 4.1.
> [root at test200 ~]# uname -a
> Linux test200.vpn.example.net 2.6.11-CT.0.4.VPN #7 Thu Oct 27 14:51:43 PDT
> 2005 i686 i686 i386 GNU/Linux
> This is a custom kernel built using the stock 2.6.11 sources and redhat's
> kernel config. Not patched for NAT-T, and I'm using KLIPS.
> BTW, what's considered the most stable kernel version to run at this point?
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
More information about the Users