I am using a wildcard certificate.
I have managed to set up the IKEv2 protocol and applied my own certificate, but it won't work for subdomains.
Is there any workaround for this, or should the wildcard be of a certain format?
Perhaps in 2017, strongSwan did not support wildcard certificates, but they definitely work today in 2021. For anyone else running into this question, the solution is to change the configuration of "leftid" in the /etc/ipsec.conf configuration file. The relevant fields are:

    conn ikev2-vpn
        left=%any
        leftid=@*.example.com
        leftcert=star_example_com.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0
Note that the "leftid" configuration setting must use the wildcard name, as it appears in the wildcard certificate.
Generally, strongSwan doesn't support wildcard certificates (see e.g. #794). For instance, if the server certificate contains *.example.com as a subjectAltName extension, strongSwan won't match vpn.example.com against that.
If you have multiple subdomains, add a subjectAltName extension for each to the server certificate.
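An added example, not code from this thread or from the strongSwan project: it builds a server certificate that lists each VPN hostname as its own DNS subjectAltName, as the last answer recommends, and then checks identities with the exact SAN comparison strongSwan uses, so that a `*.example.com` entry is shown not to cover `mail.example.com`. It assumes `openssl` (1.1.1 or newer, for `-addext`) is on PATH; the example.com hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example: one DNS SAN per VPN hostname, then exact-match identity checks.
# Assumes openssl is available; all hostnames below are constructed placeholders.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/vpn_server.crt"
KEY="$WORKDIR/vpn_server.key"

# Self-signed cert with an explicit DNS entry for every hostname clients will
# use, plus a wildcard entry to show that it does not help an exact matcher.
# In production you would put the same SAN list in a CSR for your CA instead.
make_san_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/CN=vpn.example.com" \
    -addext "subjectAltName=DNS:vpn.example.com,DNS:vpn2.example.com,DNS:*.example.com" \
    >/dev/null 2>&1
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -in "$CERT" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed -n 's/^ *DNS://p'
}

# Exact comparison of a peer identity against the DNS SANs, which is how
# strongSwan matches: returns 0 only if NAME appears literally as a SAN.
san_exact_match() {
  name="$1"
  cert_dns_names | grep -qx "$name"
}

# Count of DNS SAN entries, handy when checking that every subdomain is listed.
san_dns_count() {
  cert_dns_names | wc -l | tr -d ' '
}
```

Run `make_san_cert` once, then `san_exact_match vpn2.example.com` succeeds while `san_exact_match mail.example.com` fails even though the wildcard entry is present.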