Hi Ashish,

When I carried out the test, I was thinking about an instance of 
strongSwan that only *responds* to connection setup requests. I did not 
have strongSwan *initiate* connections.

What you are basically saying to strongSwan is:

"Initiate a connection to 10.10.10.2. Ignore the identity of the peer 
because I do not know it. But make sure that the peer has a valid 
certificate that is signed by a CA I trust."

This kind of configuration is unusual in my opinion because you are 
trying to initiate a connection but you do not even know what the 
identity of the peer is.

However, it makes sense to *respond* to requests from unknown peers 
because those requests might come from road warriors.

I'm afraid that pluto simply does not support the kind of configuration 
you are thinking about. Charon apparently does support it.

I do not know whether this is a limitation of the protocol (IKEv1) or 
the implementation (pluto).

I suggest addressing the strongSwan core developers and asking if there is 
a way to overcome this limitation.

-Daniel

ashish mahalka wrote:
> Hi Daniel,
> 
> Yes, you are correct. I know the remote IP address but don't know the
> DN of the remote peer. If I remember correctly, when using DN
> wildcards, I was getting an error which said
> "cannot initiate connection with wildcards". I am using strongswan 4.3.4.
> 
> Can you tell me what version of strongswan you are using? Also, would it
> be possible to establish the connection if we specify
> rightid="/CN=*/", though the DN of the peer contains all the values (I
> mean C, ST, O, ...)
> 
> If possible, can you please test on your setup, if specifying
> rightid="C=*, ST=*, O=*, OU=*, CN=*, E=*" like this establishes the 
> connection.
> 
> Thanks in advance!
> 
> regards,
> Ashish.
> 
> On 1/19/10, Daniel Mentz <danielml+mailinglists.strongs...@sent.com> wrote:
>> Hi Ashish,
>>
>> here are my test results:
>>
>> You can't use right=1.2.3.4 and right=%any at the same time i.e. you
>> can't specify an IP address for the remote end and use %any for the ID.
>>
>> However, DN wildcards appear to work ok. I just spotted a typo in your
>> original mail:
>>
>> rightid="C*, ST=*, O=*, OU=*, CN=*, E=*"
>>
>> You're missing a character there. It should be:
>>
>> rightid="C=*, ST=*, O=*, OU=*, CN=*, E=*"
>>
>>
>> I successfully tested it with a simpler pattern:
>>
>> rightid="/CN=*/"
>>
>> I should mention, though, that the certificate I'm using only has a
>> Common Name (CN), no other RDNs.
>>
>> What I can read from your config files is that you do know the remote IP
>> address but you do not know the DN of the peer. Is that correct?
>>
>> -Daniel
>>
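To make the distinction discussed in this thread concrete, here is an ipsec.conf fragment (added for illustration; it is not a config from either poster) showing the responder-only wildcard setup that Daniel's test covered next to an initiator connection, which under pluto needs a concrete rightid. Connection names, the 10.10.10.0/24 addresses, the CA DN and the certificate file names are assumed placeholders.

```conf
# Added example, not from the original thread.
# Placeholder values: connection names, subnets, CA DN, cert file names.

config setup
        plutostart=yes          # IKEv1 daemon (pluto), as used in the thread
        charonstart=yes         # IKEv2 daemon (charon)

ca example-ca
        cacert=exampleCA.pem    # the CA that signs peer certificates
        auto=add

conn %default
        leftcert=gwCert.pem
        leftid="C=CH, O=Example, CN=gw.example.org"
        leftsubnet=10.10.10.0/24
        # accept only peers whose certificate chains to the trusted CA
        rightca="C=CH, O=Example, CN=Example CA"

# Responder-only: peer address and exact DN are unknown (road warriors).
# right=%any and a DN wildcard in rightid work here; auto=add means
# "load and wait", i.e. never try to initiate with the wildcard pattern.
conn roadwarriors
        keyexchange=ikev1
        right=%any
        rightid="C=*, ST=*, O=*, OU=*, CN=*, E=*"
        auto=add

# Initiator: the remote address is known, so pluto also needs a concrete
# rightid. Combining right=<address> with a wildcard rightid is what
# triggered "cannot initiate connection with wildcards" in the thread.
conn site-to-site
        keyexchange=ikev1
        right=10.10.10.2
        rightid="C=IN, ST=KA, O=Example, OU=Net, CN=peer.example.org, E=peer@example.org"
        auto=start
```

Note that the wildcard pattern in the responder connection lists every RDN; a certificate carrying only a CN, as in Daniel's test, is matched by the shorter "/CN=*/" pattern instead.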

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
