Racoon failed to get subjectAltName

Da Rock freebsd-questions at herveybayaustralia.com.au
Thu Mar 15 02:01:43 UTC 2012

I could be wrong in my assumption, but I cannot seem to get this to work 
for me and this error will not disappear while my problem continues.

I'm trying to get a RoadWarrior setup for an Android L2TP/IPSec vpn. I 
had it working at one time on my LAN but failed getting through the pf 
firewall, so I stowed it while I was required to work on something else; 
unfortunately I lost the working config somehow (I think? This could be 
just the bug) and I had to start again - no biggie as I pulled the info 
off the net before so I could do it again.

I recreated some new certificates (the old ones I used to test had 
expired - I only gave them a very short life for security reasons), and 
recreated what I thought I had before using xca (same as previously). 
These include the mandatory SAN: I use email:copy to set this.

No amount of googling has helped my investigations, everything is still 
basically the same age as when I first set this up. But racoon insists 
the SAN is unavailable now. I've also tried turning off verify identity, 
but in spite of that it says the certificates don't match because of empty 
certificate requests; it would seem that it is still looking for the SAN 
even though it no longer says so. Googling also verifies that racoon 
_requires_ SAN to be set to work.

I've tried other SAN types, but they don't seem to work either. A check 
on the certificate shows that it _is_ actually there on all the 
certificates, but racoon must be blind or something :)

Can anyone shed some light on this? Has racoon developed a bug on this 
at some time?

FWIW racoon won't even pass phase1 so I'd assume it is not working 
because of this problem.
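As an added example that is not part of the post above: the check described in the post, done with the OpenSSL command line rather than xca. It issues a throwaway self-signed certificate whose subjectAltName is filled with `email:copy` (the same setting the post uses), then dumps the SAN and confirms it holds the expected email identity, which is what racoon's identity match needs. It assumes OpenSSL 1.1.1 or later (for `-addext`); the names, email address and working directory are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes OpenSSL >= 1.1.1.
# All names, addresses and paths below are constructed for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_test_cert <email> <cn>
# Issues a 1-day self-signed test certificate whose SAN is populated from
# the subject's emailAddress via "email:copy", as xca does for the post's
# setup. Writes $WORKDIR/test.key and $WORKDIR/test.crt.
make_test_cert() {
    email="$1"
    cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/test.key" -out "$WORKDIR/test.crt" \
        -subj "/CN=$cn/emailAddress=$email" \
        -addext "subjectAltName=email:copy" >/dev/null 2>&1
}

# san_entries <cert.pem>
# Prints the SAN line as openssl renders it (e.g. "email:vpn@example.test",
# several entries joined by commas), or nothing if the extension is absent.
san_entries() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr -d ' '
}

# has_email_san <cert.pem> <email>
# Succeeds only if the SAN carries exactly this email identity; a cert that
# fails this check will not satisfy racoon's identifier verification.
has_email_san() {
    san_entries "$1" | tr ',' '\n' | grep -qx "email:$2"
}
```

Run `make_test_cert vpn@example.test vpnclient.example.test` and then `san_entries "$WORKDIR/test.crt"` to see the SAN racoon will be reading; point `san_entries` at the real certificate to confirm the extension survived whatever tool produced it.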

More information about the freebsd-questions mailing list