jdMobiusIT
just joined
Topic Author
Posts: 12
Joined: Thu Nov 04, 2021 11:52 am

IPsec: Matching Identity by SAN

Sat Nov 06, 2021 5:39 pm

Is it possible to match an identity via the SAN that contains the certificate?
I would like to avoid having to keep all certificates on the gateway, but still not using the id set by the client.
Each client gets its own mode config in which it is assigned a static IP, so it is important to differentiate between them.
I've already tried various combinations, maybe I just haven't gotten the right syntax yet.

Unfortunately, I cannot distinguish them by remote IP, since all clients are behind NAT, and sometimes behind the same NAT.
 
jdMobiusIT

Re: IPsec: Matching Identity by SAN

Sun Nov 07, 2021 3:31 pm

Okay, please correct me if I'm wrong.
When I set the SAN in strongSwan as "leftid"
and in RouterOS:
Remote Certificate "none"
Remote ID Type "fqdn"
Remote ID "$SAN"
Match by "remote id"
will it be checked against the SAN of the certificate?

Even if I enter the same wrong ID on both sides, RouterOS reports "identity not found for peer". This somehow leads me to conclude that the certificate's SAN is being checked.
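The configuration described in the post, written out as a RouterOS CLI example with a matching strongSwan swanctl.conf fragment. This is an added illustration, not configuration from the poster or from MikroTik; the peer name rw-peer, the certificate names vpn-ca, gw-cert and client1.pem, the mode-config names, the addresses 10.99.0.0/24 and the FQDNs under example.com are all assumed placeholders. It goes slightly beyond the post by showing two clients, each pinned to its own static address, so the per-client differentiation the question asks about is visible.

```routeros
# --- RouterOS side (assumed names; only the CA is stored on the gateway) ---
# The gateway trusts client certificates issued by vpn-ca; no per-client
# certificate is imported, which is the "Remote Certificate = none" case.
/ip ipsec profile
add name=rw-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048

/ip ipsec peer
add name=rw-peer exchange-mode=ike2 passive=yes profile=rw-profile

# One mode-config per client: a fixed address instead of a pool,
# so the client that proves this identity always gets this address.
/ip ipsec mode-config
add name=client1-cfg responder=yes address=10.99.0.11 address-prefix-length=32
add name=client2-cfg responder=yes address=10.99.0.12 address-prefix-length=32

# One identity per client, selected by the IKE ID the client sends
# (Match by = remote id, Remote ID Type = fqdn, Remote ID = the SAN value).
/ip ipsec identity
add peer=rw-peer auth-method=digital-signature certificate=gw-cert \
    remote-certificate=none match-by=remote-id \
    remote-id=fqdn:vpn-client1.example.com mode-config=client1-cfg \
    generate-policy=port-strict
add peer=rw-peer auth-method=digital-signature certificate=gw-cert \
    remote-certificate=none match-by=remote-id \
    remote-id=fqdn:vpn-client2.example.com mode-config=client2-cfg \
    generate-policy=port-strict

# --- strongSwan side (swanctl.conf fragment for client 1, assumed names) ---
# connections {
#   rw {
#     remote_addrs = vpn.example.com
#     vips = 0.0.0.0            # request the address from mode-config
#     local {
#       auth = pubkey
#       certs = client1.pem     # certificate whose SAN is vpn-client1.example.com
#       id = vpn-client1.example.com   # the "leftid"; must appear in the cert SAN
#     }
#     remote {
#       auth = pubkey
#       id = vpn.example.com
#     }
#     children { rw { remote_ts = 10.0.0.0/8 } }
#   }
# }
```

Two points worth checking when deploying something like this. First, strongSwan only sends a configured id that its own certificate can confirm; if leftid is not among the certificate's subject or SAN entries it logs that the identity is not confirmed by the certificate and falls back to the certificate subject DN, which then fails to match the fqdn entry on the RouterOS side. Second, because remote-certificate=none means trust rests entirely on the CA, the CA that signs client certificates should be dedicated to the VPN and every issued certificate should carry exactly one SAN that corresponds to one identity entry, so that the static address assignment cannot be confused between clients.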
