tech stuff.

racoon requires subjectAltName for x509 IKE


Having trouble getting your IPsec working with X.509 certs?  It would appear that racoon requires the subjectAltName extension to be set.  It won't fall back to the subject's CN (Common Name) to identify the peer.  You have to set a subjectAltName field even if it contains nothing besides a copy of the CN.

Heed this warning, or you’ll fall victim to the following:

racoon: 2008-12-02 14:47:21: ERROR:
racoon: 2008-12-02 14:47:21: ERROR: failed to get subjectAltName
racoon: 2008-12-02 14:47:21: ERROR: no peer's CERT payload found.

Of course… the misery that is tricking openssl to create a cert with the subjectAltName in it is outside the scope of this simple blog entry. Maybe a lengthy one at a later date…
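Since the post stops short of showing how to get the extension into a certificate, here is an added example (not from the original post) that generates a self-signed cert with openssl whose subjectAltName simply repeats the CN, alongside a cert without it, and checks for the extension the way you would before handing the cert to racoon. The host names, output directory and the self-signed setup are assumptions for illustration; in a real deployment the same `[v3_req]` section goes into the request you send to your CA.

```shell
#!/bin/sh
# Added example: build an X.509 cert with (or without) a subjectAltName that
# duplicates the CN, then check whether the extension is present.
# Host names and paths below are hypothetical.

# gen_cert HOST DIR san|nosan
# Writes DIR/HOST.key and DIR/HOST.crt. With "san", the cert carries
# subjectAltName = DNS:HOST; with "nosan", only the CN is set.
gen_cert() {
  host="$1"
  dir="$2"
  ext_line=""
  [ "$3" = "san" ] && ext_line="x509_extensions = v3_req"
  cfg="$dir/$host.cnf"
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
$ext_line

[dn]
CN = $host

[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" -config "$cfg" >/dev/null 2>&1
}

# has_san CERT: exit 0 if the cert carries a subjectAltName extension, 1 if not.
# This is the property racoon insists on before it will use the peer's cert.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# Stand-alone demo: one good cert, one that racoon would reject.
demo_dir=$(mktemp -d)
gen_cert ipsec-gw.example.test "$demo_dir" san
gen_cert plain.example.test "$demo_dir" nosan
for c in ipsec-gw.example.test plain.example.test; do
  if has_san "$demo_dir/$c.crt"; then
    echo "$c: subjectAltName present, usable by racoon"
  else
    echo "$c: no subjectAltName, racoon will report 'failed to get subjectAltName'"
  fi
done
```

The `x509_extensions = v3_req` line in `[req]` is what makes `openssl req -x509` copy the extension into the self-signed cert; with a CA-signed cert, the CA must be told to honour the request's extensions, otherwise the subjectAltName is silently dropped and you land right back at the error above.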

Written by Lee Verberne

2008-12-02 at 21:12

Posted in Internet, Unix-type stuff
