Racoon failed to get subjectAltName
freebsd-questions at herveybayaustralia.com.au
Thu Mar 15 12:38:24 UTC 2012
On 03/15/12 11:56, Da Rock wrote:
> I could be wrong in my assumption, but I cannot seem to get this to
> work for me and this error will not disappear while my problem continues.
>
> I'm trying to get a RoadWarrior setup for an Android L2TP/IPSec vpn. I
> had it working at one time on my LAN but failed getting through the pf
> firewall, so I stowed it while I was required to work on something
> else; unfortunately I lost the working config somehow (I think? This
> could be just the bug) and I had to start again - no biggie as I pulled
> the info off the net before so I could do it again.
>
> I recreated some new certificates (the old ones I used to test had
> expired - I only gave them a very short life for security reasons), and
> recreated what I thought I had before using xca (same as previously).
> These include the mandatory SAN: I use email:copy to set this.
>
> No amount of googling has helped my investigations, everything is
> still basically the same age as when I first set this up. But racoon
> insists the SAN is unavailable now. I've also tried turning off verify
> identity, but in spite of that it says the certificates don't match because of
> empty certificate requests; it would seem that it is still looking for
> the SAN even though it no longer says so. Googling also verifies that
> racoon _requires_ SAN to be set to work.
>
> I've tried other SAN types, but they don't seem to work either. A
> check on the certificate shows that it _is_ actually there on all the
> certificates, but racoon must be blind or something :)
>
> Can anyone shed some light on this? Has racoon developed a bug on this
> at some time?
>
> FWIW racoon won't even pass phase 1 so I'd assume it is not working
> because of this problem.
Just to update, phase 1 is half working if verify is off: there is a
phase 1 connection between the server and android, but not between
android and the server - hence my confusion and erroneous assumption.
Only the android logs showed this problem.

Phase 2 never comes (of course). Something does feel different getting
this to work this time round, I just can't put my finger on it. And I
can't figure what I've done differently.

I still can't get my certificates right somehow. I'm not sure what I'm
missing here either.
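The thread turns on whether the certificates really carry the subjectAltName that racoon requires for identity matching. The following is an added example (not part of the original mailing-list thread, and not racoon or xca code) showing how to check a PEM certificate for a SAN with OpenSSL, and how the `email:copy` setting mentioned above ends up in the certificate. It assumes OpenSSL 1.1.1 or newer (for the `x509 -ext` option); the file names, subject and e-mail address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate carries a subjectAltName.
# Assumes OpenSSL >= 1.1.1 ('x509 -ext'). All names/paths are constructed.
set -eu

# Return 0 if the certificate in $1 has a SAN of a type racoon can match
# (e-mail, DNS name or IP address), 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -q -E 'email:|DNS:|IP Address:'
}

# Print the SAN entries of $1, one per line (e.g. "email:user@example.test").
cert_san_values() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2,$p' | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Build two throwaway self-signed certificates in a temp dir and print its
# path: one with "subjectAltName = email:copy" (the xca setting from the
# thread, which copies emailAddress from the subject), one with no SAN.
make_demo_certs() {
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = vpn.example.test
emailAddress = vpn@example.test
[v3_req]
subjectAltName = email:copy
EOF
    # With -extensions v3_req the SAN is added from the subject's e-mail.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$demo_dir/with-san.key" -out "$demo_dir/with-san.pem" \
        -config "$demo_dir/san.cnf" -extensions v3_req >/dev/null 2>&1
    # Without -extensions no SAN is written, which is what racoon complains about.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$demo_dir/no-san.key" -out "$demo_dir/no-san.pem" \
        -config "$demo_dir/san.cnf" >/dev/null 2>&1
    echo "$demo_dir"
}

# Usage: check every certificate racoon will load, e.g.
#   for f in /usr/local/etc/racoon/certs/*.pem; do
#       cert_has_san "$f" && echo "$f: SAN ok" || echo "$f: NO SAN"
#   done
```

Run `cert_has_san` against the server and client certificates racoon loads; a certificate that passes the check but is still rejected points at the ID type or value configured on the peer rather than at a missing extension.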