Identity Parsing in strongSwan

The type and binary encoding of identity strings specified in left|rightid in ipsec.conf or in connections.<conn>.local<suffix>.id in swanctl.conf (and other places where identities are parsed from strings, e.g. in selectors in ipsec.secrets) are parsed as follows:

  • If the string value contains an equal sign (=), it is assumed to be a Distinguished Name (DN), with RDNs separated by
    commas (,) or slashes (/ - the string must start with a slash to use this syntax). See the table below for supported RDNs.
    An attempt is made to create a binary ASN.1 encoding from this string. If that fails the type is set to KEY_ID with the literal
    string value adopted as encoding.
  • If the string value contains an @, the type depends on the position of that character:
    • If the string begins with @#, the type is set to KEY_ID and the string following that prefix is assumed to be the
      hex-encoded binary value of the identity (note that # is used for comments in config files, so quotes are necessary).
    • If the string begins with @@, the type is set to USER_FQDN and the encoding is the literal string after that prefix.
    • If the string begins with @, the type is set to FQDN and the encoding is the literal string after that prefix.
      In versions before 5.0.0 this prefix prevents that a FQDN is resolved into an IP address (current versions don't
      automatically resolve FQDNs when parsing identities).
    • All remaining strings containing an @ are assumed to be of type USER_FQDN/RFC822 with the literal string value
      as encoding.
  • If the value does not contain any @ or = characters, it is parsed as follows:
    • If the value is an empty string, or equals %any, %any6,, ::, or *, the type is set to ID_ANY, which matches
      any other identity.
    • If the value contains a colon (:), it is assumed to be an IPv6 address. But if parsing the address and converting it
      to its binary encoding fails, the type is set to KEY_ID and the encoding is the literal value. Since 5.4.0, subnets in
      CIDR notation and address ranges (two addresses separated by a - without spaces) are parsed too (they can't be
      used as IKE identities but e.g. to define shared secrets in ipsec.secrets or swanctl.conf).
    • For all other strings, an attempt at parsing them as IPv4 addresses is made (since 5.4.0 also as subnets and ranges,
      see above).
      If that fails, the type is set to FQDN and the literal value is adopted as encoding (this is where domain names and
      simple names end up).
  • If the value has the form <type>:<value> (supported since 5.2.2), the type and value are explicitly specified:
    • The following types are known: ipv4, ipv6, ipv4net, ipv6net, ipv4range, ipv6range, rfc822, email, userfqdn, fqdn,
      dns, asn1dn, asn1gn
      and keyid. Custom type prefixes may be specified by surrounding the numerical type value
      with curly brackets.
    • If the value starts with #, the remaining data is interpreted as hex encoding, otherwise, the string is used as is as
      the identification data (note that # is used for comments in config files, so quotes are necessary).

      Important: This implies that no conversion is performed for non-string identities. For example, ipv4: does
      not create a valid ID_IPV4_ADDR IKE identity, as it does not get converted to binary 0x0a000001. Instead, one could
      use ipv4:#0a000001 to get a valid identity, but just using the automatic conversion as described above is usually
      simpler. The same applies to the ASN.1 encoded types (for subject DNs the pki --dn command may be useful).

The latter is primarily useful if the auto-detection is inadequate or produces the wrong result. For instance, strongSwan does not
nest RDNs when generating the binary encoding of an ASN.1 DN, which some PKIs do. Another example is the need to encode
FQDNs as KEY_IDs, which is a bit inconvenient with the @# syntax as the binary encoding has to be provided.

Supported RDN Types

These types/identifiers are supported when parsing DNs from strings. Any other types are supported for other applications.

Identifier OID Description Example
Defined by X.520 and also described in RFC 4519
CN Common Name or John Smith
SN Surname Smith
serialNumber Serial Number ZX52376
C Country (ISO 3166 two-letter code) CH
L Locality Rapperswil
ST State or Province St. Gallen
street Street Address Oberseestrasse 10
O Organization strongSwan Project
OU Organizational Unit Research
T Title Software Engineer
D Description Main VPN gateway
postalAddress Postal Address Oberseestrasse 10
8640 Rapperswil
postalCode Postal Code 8640
N Name (should not be used directly)
G Given Name John
I Initials J. T.
ID Unique Identifier
dnQualifier DN Qualifier (e.g. a timestamp or serial number) 20190214115113Z or 51314E
dmdName DMD Name
pseudonym Pseudonym
Originally defined by RFC 1274 now described in RFC 4519
UID 0.9.2342.19200300.100.1.1 User ID jsmith
DC 0.9.2342.19200300.100.1.25 Domain Component (label of a DNS domain name) strongswan or org but not
Defined by RFC 2798
2.16.840.1.113730.3.1.3 Employee Number 42
Defined in PKCS#9 and described in RFC 2985
1.2.840.113549.1.9.1 Email Address (deprecated according to RFC 5280, use SAN instead)
1.2.840.113549.1.9.2 Unstructured Name
1.2.840.113549.1.9.8 Unstructured Address
Defined by "Zertifikatsformate im Zertifizierungsbereich PKS II"
ND Name Distinguisher (Number incremented for equal CNs)
Unknown origin (was added with FreeS/WAN 0.9.9)
TCGID Siemens Trust Center Global ID