Racoon failed to get subjectAltName

Da Rock freebsd-questions at herveybayaustralia.com.au
Thu Mar 15 12:38:24 UTC 2012

On 03/15/12 11:56, Da Rock wrote:
> I could be wrong in my assumption, but I cannot seem to get this to 
> work for me and this error will not disappear while my problem continues.
> I'm trying to get a RoadWarrior setup for an Android L2TP/IPSec vpn. I 
> had it working at one time on my LAN but failed getting through the pf 
> firewall, so I stowed it while I was required to work on something 
> else; unfortunately I lost the working config somehow (I think? This 
> could be just the bug) and I had to start again- no biggie as I pulled 
> the info off the net before so I could do it again.
> I recreated some new certificates (the old ones I used to test had 
> expired- I only gave them a very short life for security reasons), and 
> recreated what I thought I had before using xca (same as previously). 
> These include the mandatory SAN: I use email:copy to set this.
> No amount of googling has helped my investigations, everything is 
> still basically the same age as when I first set this up. But racoon 
> insists the SAN is unavailable now. I've also tried turning off verify 
> identity, but in spite it says the certificates don't match because of 
> empty certificate requests; it would seem that it is still looking for 
> the SAN even though it no longer says so. Googling also verifies that 
> racoon _requires_ SAN to be set to work.
> I've tried other SAN types, but they don't seem to work either. A 
> check on the certificate shows that it _is_ actually there on all the 
> certificates, but racoon must be blind or something :)
> Can anyone shed some light on this? Has racoon developed a bug on this 
> at some time?
> FWIW racoon won't even pass phase 1 so I'd assume it is not working 
> because of this problem.
Just to update, phase 1 is half working if verify is off: there is a 
phase 1 connection between the server and android, but not between 
android and the server- hence my confusion and erroneous assumption. 
Only the android logs showed this problem.

Phase 2 never comes (of course). Something does feel different getting 
this to work this time round, I just can't put my finger on it. And I 
can't figure out what I've done differently.

I still can't get my certificates right somehow. I'm not sure what I'm 
missing here either.
