About leftid/rightid in strongSwan

Updated: 2023-06-12 14:18:59

The ID is used for peer authentication and access control. There are four types: The ID by which a peer is identifying itself during IKE can be any of the ID
types IPV[46]_ADDR, FQDN, RFC822_ADDR or DER_ASN1_DN.  If one of the first three ID types is used, then the accompanying X.509 certificate of the peer must contain a matching subjectAltName field of the type ipAddress (IP:), dnsName (DNS:) or rfc822Name (email:), respectively.  With the fourth type
DER_ASN1_DN the identifier must completely match the subject field of the peer's certificate.
(1) IP address type: when the peer's IP address is known, rightid does not need to be defined.
(2) FQDN type: rightid=@sun.strongswan
(3) Email type: rightid=********************
(4) DN type: rightid="C=CH, O=strongSwan IPsec, CN=sun.strongswan"    C stands for country, O for organization, CN for common name.
If the ID is one of the first three types, the certificate's subjectAltName must be of the form IP:, DNS: or email:.
If the ID is of the fourth type, the certificate's subject field must contain the DN value.
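The matching rule above, as an added Python example (not from the original page and not strongSwan's own code): it classifies an ID string written like the four examples and checks it against a certificate's subject and subjectAltName. The function names, the parsed-certificate dictionary and the 192.0.2.2 address are constructed for illustration, and the DN comparison is a simplified string comparison.

```python
import ipaddress

# Which subjectAltName kind each ID type must match (per the rule above).
SAN_KIND = {"IP_ADDR": "IP", "FQDN": "DNS", "RFC822_ADDR": "email"}

def classify_id(peer_id):
    """Map an ID string, written as in the four examples, to (type, value)."""
    s = peer_id.strip().strip('"')
    if "=" in s:                       # C=..., O=..., CN=...
        return "DER_ASN1_DN", s
    if s.startswith("@"):              # leading @ marks an FQDN
        return "FQDN", s[1:]
    if "@" in s:                       # user@domain
        return "RFC822_ADDR", s
    try:
        return "IP_ADDR", str(ipaddress.ip_address(s))
    except ValueError:
        return "FQDN", s

def split_dn(dn):
    """Simplified DN parsing: assumes no commas inside attribute values."""
    rdns = []
    for part in dn.split(","):
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def id_matches_cert(peer_id, cert):
    """True if the certificate fields satisfy the rule for this ID type."""
    id_type, value = classify_id(peer_id)
    if id_type == "DER_ASN1_DN":       # must match the whole subject
        return split_dn(value) == split_dn(cert["subject"])
    for kind, san in cert["subjectAltName"]:
        if kind != SAN_KIND[id_type]:
            continue
        if kind == "IP":
            if ipaddress.ip_address(san) == ipaddress.ip_address(value):
                return True
        elif san.lower() == value.lower():
            return True
    return False

# Constructed certificate fields (already parsed), modelled on the page's example.
SUN_CERT = {
    "subject": "C=CH, O=strongSwan IPsec, CN=sun.strongswan",
    "subjectAltName": [("DNS", "sun.strongswan"), ("IP", "192.0.2.2")],
}
```

An ID whose type has no corresponding subjectAltName entry, or a DN that covers only part of the subject, is rejected.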
If not all peers in possession of a X.509 certificate signed by a specific
certificate authority shall be given access to the Linux security gateway,
then either a subset of them can be barred by listing the serial numbers of
their certificates in a certificate revocation list (CRL) as specified in
section 5.2 or as an alternative, access can be controlled by explicitly
putting a roadwarrior entry for each eligible peer f.
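To control which peers get access, there are two approaches: one is to add a CRL, the other is to use the rightid value to state explicitly the IDs of the peers that are allowed access.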
If any roadwarrior should be able to reach the two subnets 10.1.0.0/24
and 10.1.3.0/24 behind the security gateway then the following connection
definitions will make this possible
conn rw1
    right=%any
    leftsubnet=10.1.0.0/24
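On the gateway, right=%any indicates a roadwarrior configuration; this is what distinguishes it from net-to-net mode. leftsubnet restricts which network segment can be accessed.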

Published: 2023-06-12 14:18:59

Article link: https://www.wtabcd.cn/fanwen/fan/82/937785.html
