Hi,

Really, thanks for your attention and complete reply. Then, according to your explanation, it's better that I set SubjectAltName instead of DN, is that true? In the previous mail, you said that if I do not set leftid or my certificate does not contain a DN or SubjectAltName, then a default value will be selected. OK, but what is this value? Another question: can I set "rightcert" instead of rightID? In order to restrict and increase security in the connection phase of the two gateways, it's better that I set DN or SubjectAltName so that only the gateway I want can connect to my gateway.

Thanks a lot for your help.

On Sunday, September 25, 2011, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> The subject distinguished name or subject DN of an X.509 certificate
> consists of several Relative Distinguished Names (RDNs) and therefore
> can be quite tiresome to write as in
>
>   "C=DE, ST=Mecklenburg-Vorpommern, L=Rostock, O=Finanzamt,
>    OU=Zentrale Informations- und Annahmestelle, CN=steuerportal-mv.de,
>    E=postste...@fm.mv-regierung.de"
>
> Therefore often one or several subjectAlternativeNames or Aliases
> are added as X.509v3 extensions to a certificate, like e.g.
>
>   DNS:moon.strongswan.org
>   email:ca...@strongswan.org
>   IP:11.22.33.44
>
> (given in openssl.cnf notation) which saves a lot of typing work and
> helps to eliminate errors.
>
> Regards
>
> Andreas
>
> On 09/25/2011 02:58 PM, nima chavooshi wrote:
>>
>> Hi
>> Thanks a lot for your quick reply.
>> Excuse me for my dumb question. I am somewhat confused.
>> Could you give me more explanation about the "subject distinguished name",
>> "subjectAltName", "subject DN" fields of an X.509 certificate?
>> According to what you said, I should define leftid at least, is that true?
>>
>> Thanks in advance for any help or guidance
>>
>> On Sun, Sep 25, 2011 at 2:16 PM, Andreas Steffen
>> <andreas.stef...@strongswan.org> wrote:
>>
>>     Hello,
>>
>>     left|rightid *must* be either the subject distinguished name or
>>     a subjectAltName extension contained in the certificate. If you
>>     don't define leftid or if leftid is not defined in the certificate
>>     then automatically the subject DN is assumed as a default.
>>
>>     As a responder you can define rightid=%any, in that case any
>>     peer with a trusted and non-revoked certificate will be accepted.
>>
>>     Regards
>>
>>     Andreas
>
> --
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
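
The leftid/rightid rules quoted in this thread, written out as an ipsec.conf fragment for a responder gateway. This is an added example, not part of the original messages and not strongSwan's own configuration; the certificate file name, the peer name sun.example.org and the peer DN are placeholders, and the three conn sections are alternatives to compare, not a set to deploy together.

```conf
# ipsec.conf on the responder gateway (constructed example, placeholder names)

conn %default
    keyexchange=ikev2
    left=%any
    leftcert=moonCert.pem
    # leftid must be the subject DN or a subjectAltName contained in
    # moonCert.pem. Here it is a DNS subjectAltName (the @ prefix marks
    # an FQDN identity). If leftid is omitted, the subject DN of the
    # certificate is used as the default identity.
    leftid=@moon.strongswan.org
    auto=add

# Alternative 1 (permissive): any peer presenting a trusted and
# non-revoked certificate is accepted, whatever identity it claims.
conn accept-any-peer
    right=%any
    rightid=%any

# Alternative 2 (restrictive): only a peer whose certificate contains
# this DNS subjectAltName is accepted.
conn peer-by-subjectaltname
    right=%any
    rightid=@sun.example.org

# Alternative 3 (restrictive): the same restriction expressed with the
# full subject DN, which must match the peer certificate's subject.
conn peer-by-subject-dn
    right=%any
    rightid="C=CH, O=Example, CN=sun.example.org"
```

Pinning rightid only restricts access if the peer's certificate really carries that identity, so the subjectAltName has to be issued into the certificate by the CA (for example via the openssl.cnf notation shown in the thread) before alternative 2 will match.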