[Openswan Users] Wildcards in ID_DER_ASN1_DN (rightid)

Andreas Steffen andreas.steffen at strongsec.net
Wed Dec 14 23:55:10 CET 2005

Kevan Benson wrote:
> In trying to get certs configured, I'm running into a problem with getting 
> wildcards working.  If I specify the distinguished name entirely on both 
> ends, it connects fine.  If I specify a wildcard for a portion of the CN (all 
> I'm trying to wildcard at this point), it fails with this error:
> we require peer to have ID 'C=US, ST=California, L=Santa Rosa, O=Example Co, 
> CN=*.vpn.example.net, E=ca-admin at example.net', but peer declares 'C=US, 
> ST=California, L=Santa Rosa, O=Example Co, CN=test100.vpn.example.net, 
> E=ca-admin at example.net'

By design the wildcard character '*' cannot be used to substitute only
a part of an RDN.

> If I specify the CN as a wildcard entirely (CN=*) I get this error:
> 031 "test100": cannot initiate connection with ID wildcards (kind=CK_TEMPLATE)

You cannot initiate a wildcarded connection! As Paul correctly points
out, it can be used in passive responder mode with right=%any only.

You can find a working example under the link


> which logs on the other side and tcpdumps confirm isn't doing anything on the 
> network (local configuration error I guess).  Here's my config, other side is 
> the same but called test200, with a subnet of, and without 
> the wildcard (known working config).
> version 2.0     # conforms to second version of ipsec.conf specification
> conn %default
>         left=
>         leftcert=test100.vpn.example.net.cert
>         leftrsasigkey=%cert
>         leftnexthop=%defaultroute
>         leftsubnet=
>         #dpdaction=hold
>         authby=rsasig
>         auto=add
> conn test200
>         right=
>         rightca=%same
>         rightid="C=US, ST=California, L=Santa Rosa, O=Example Co, 
> CN=test200.vpn.example.net, E=ca-admin at example.net"
>         rightrsasigkey=%cert
>         rightsubnet=
>         rightnexthop=%defaultroute
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> Both hosts have identical hardware and software, OS being CentOS 4.1.
> [root at test200 ~]# uname -a
> Linux test200.vpn.example.net 2.6.11-CT.0.4.VPN #7 Thu Oct 27 14:51:43 PDT 
> 2005 i686 i686 i386 GNU/Linux
> This is a custom kernel built using the stock 2.6.11 sources and redhat's 
> kernel config.  Not patched for NAT-T, and I'm using KLIPS.
> BTW, what's considered the most stable kernel version to run at this point?



Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
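The matching rule stated in the reply, as an added illustration (this is not Openswan's own match_dn() and the sample IDs are constructed from the post, with the obfuscated "at" written as "@"): the wildcard only counts when it replaces a whole RDN value, a partial pattern is just a literal that never equals a real CN, and an ID containing a wildcard is responder-only.

```python
# Illustration of the whole-RDN wildcard rule for ID_DER_ASN1_DN matching
# described above. Added example code, NOT Openswan's own match_dn();
# DN strings are parsed as "ATTR=value, ATTR=value" text only.
from typing import List, Tuple

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """Split a textual DN into an ordered list of (attribute, value) RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def has_wildcards(required_id: str) -> bool:
    """True if any RDN value is the bare wildcard '*'.
    Such an ID is template-like and usable only as a responder with right=%any."""
    return any(value == "*" for _, value in parse_dn(required_id))

def match_dn(required_id: str, peer_id: str) -> bool:
    """True when the peer's declared DN satisfies the required ID.

    RDN count, attribute types and order must agree; a value of exactly '*'
    matches any value for that RDN; every other value must match literally.
    A partial pattern such as '*.vpn.example.net' is therefore just a literal
    that never equals a real hostname, which is the mismatch seen in the log."""
    req, peer = parse_dn(required_id), parse_dn(peer_id)
    if len(req) != len(peer):
        return False
    for (r_attr, r_val), (p_attr, p_val) in zip(req, peer):
        if r_attr != p_attr or (r_val != "*" and r_val != p_val):
            return False
    return True

# Constructed sample IDs mirroring the post ('@' written out; the archive shows 'at').
PEER = "C=US, ST=California, L=Santa Rosa, O=Example Co, CN=test100.vpn.example.net, E=ca-admin@example.net"
PARTIAL = "C=US, ST=California, L=Santa Rosa, O=Example Co, CN=*.vpn.example.net, E=ca-admin@example.net"
WHOLE = "C=US, ST=California, L=Santa Rosa, O=Example Co, CN=*, E=ca-admin@example.net"

if __name__ == "__main__":
    print("partial wildcard matches:", match_dn(PARTIAL, PEER))   # False
    print("whole-RDN wildcard matches:", match_dn(WHOLE, PEER))   # True
    print("can initiate with WHOLE:", not has_wildcards(WHOLE))   # False: responder-only
```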
