tech stuff.

racoon only matches against the first IP subjectAltName?


I haven’t examined the source yet to make sure that I’m right, but empirical evidence leads me to believe that racoon is only recognizing the first IP field in an x509v3 subjectAltName extension.  That is, for the following certificate:

X509v3 Subject Alternative Name:, IP Address:, IP Address:

It appears that only the 192.168.x.x address will be accepted as a valid ID by racoon.  Requests with an ID of will be discarded with the error message: ID mismatched with subjectAltName.  So far I’ve only tested this with anonymous remote nodes.
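To make the behaviour described above concrete, here is an added example (not racoon's code and not from the original post) that decodes the iPAddress entries of a DER-encoded subjectAltName value and shows the difference between matching a peer ID against only the first IP entry and against every IP entry. The SAN bytes are constructed for this example and carry two IP addresses plus a DNS name; the function names and the sample values are assumptions, not taken from the post.

```python
import ipaddress

# Constructed sample (not from the original post): DER-encoded SubjectAltName
# extension value, i.e. GeneralNames ::= SEQUENCE OF GeneralName, holding
#   [7] iPAddress 192.168.1.10
#   [2] dNSName   "vpn.example"
#   [7] iPAddress 10.0.0.5
SAMPLE_SAN_DER = bytes.fromhex(
    "3019"                          # SEQUENCE, 25 bytes of content
    "8704c0a8010a"                  # [7] iPAddress, 4 octets: 192.168.1.10
    "820b" + b"vpn.example".hex() + # [2] dNSName, 11 octets
    "87040a000005"                  # [7] iPAddress, 4 octets: 10.0.0.5
)

TAG_DNSNAME = 0x82     # [2] IMPLICIT IA5String
TAG_IPADDRESS = 0x87   # [7] IMPLICIT OCTET STRING (4 octets IPv4, 16 octets IPv6)


def _read_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return length, pos + 1 + nbytes


def parse_san_ip_addresses(der):
    """Return every iPAddress GeneralName in a SubjectAltName value, in order."""
    if not der or der[0] != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("trailing bytes after GeneralNames SEQUENCE")
    ips = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        value = der[pos:pos + length]
        pos += length
        if tag == TAG_IPADDRESS:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 octets")
            # ipaddress.ip_address accepts the packed (network-order) form directly
            ips.append(ipaddress.ip_address(value))
        # other GeneralName choices (dNSName, rfc822Name, ...) are skipped here
    return ips


def id_matches_any_san(der, peer_id):
    """Correct check: the peer ID matches if it equals ANY iPAddress entry."""
    peer = ipaddress.ip_address(peer_id)
    return any(peer == san_ip for san_ip in parse_san_ip_addresses(der))


def id_matches_first_san_only(der, peer_id):
    """The behaviour the post reports: compare against the first IP entry only."""
    ips = parse_san_ip_addresses(der)
    return bool(ips) and ipaddress.ip_address(peer_id) == ips[0]


if __name__ == "__main__":
    print("IP SANs:", [str(ip) for ip in parse_san_ip_addresses(SAMPLE_SAN_DER)])
    for peer in ("192.168.1.10", "10.0.0.5"):
        print(peer, "first-only:", id_matches_first_san_only(SAMPLE_SAN_DER, peer),
              "any:", id_matches_any_san(SAMPLE_SAN_DER, peer))
```

Running it shows that a peer presenting 10.0.0.5 passes the any-entry check but fails the first-entry-only check, which is the symptom described in the post; to inspect a real certificate, feed the raw value of its subjectAltName extension (for example as dumped by openssl with `-outform DER` and an ASN.1 dump) into `parse_san_ip_addresses`.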

Written by Lee Verberne

2009-03-09 at 07:05

Posted in Internet, Unix-type stuff


3 Responses


  1. Were you able to verify this? Did you find a work around? I’m in the same position.


    2009-05-13 at 15:57

    • I think I remember that to work around this I changed my_identifier to asn1dn in order to forgo the IP check — which is a shame since correlating the IP is useful and I wish the check worked.


      2009-05-13 at 16:37

  2. I ended up using 1 SSL Cert per IP and running multiple instances of racoon, each with their own ‘listen { }’ directive to bind to the IP of the Cert.

    Not ideal, but working.


    2009-05-14 at 14:50
