tech stuff.

Posts Tagged ‘ipsec’

racoon only matches against the first IP subjectAltName?


I haven’t examined the source yet to make sure that I’m right, but empirical evidence leads me to believe that racoon is only recognizing the first IP field in an x509v3 subjectAltName extension. That is, for the following certificate:

X509v3 Subject Alternative Name:
DNS:arthur.example.org, IP Address:192.168.35.24, IP Address:10.14.82.152

It appears that only the 192.168.x.x address will be accepted as a valid ID by racoon.  Requests with an ID of 10.14.82.152 will be discarded with the error message: ID mismatched with subjectAltName.  So far I’ve only tested this with anonymous remote nodes.

Written by Lee Verberne

2009/03/09 at 07:05

Posted in Internet, Unix-type stuff


racoon requires subjectAltName for x509 IKE


Having trouble getting your ipsec working with x509 certs?  It would appear that racoon requires the subjectAltName extension to be set.  It won’t use the CN.  You have to set a subjectAltName field even if it contains nothing besides a copy of the CN.

Heed this warning, or you’ll fall victim to the following:

racoon: 2008-12-02 14:47:21: ERROR:
racoon: 2008-12-02 14:47:21: ERROR: failed to get subjectAltName
racoon: 2008-12-02 14:47:21: ERROR: no peer's CERT payload found.

Of course… the misery that is tricking openssl to create a cert with the subjectAltName in it is outside the scope of this simple blog entry. Maybe a lengthy one at a later date…

http://www.mail-archive.com/openssl-users@openssl.org/msg47641.html
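As an added example (not code from either post, nor from the racoon or OpenSSL projects), the script below builds a self-signed certificate whose subjectAltName is set through an OpenSSL config file, then checks what actually landed in the certificate: whether the extension is present at all (the failure mode behind the "failed to get subjectAltName" error above), and which IP entry comes first (the one the earlier post reports racoon matching against). The hostname, addresses and output paths are constructed for illustration; the config-file route is used because it works on OpenSSL versions that predate the -addext flag.

```shell
#!/bin/sh
# Added example, not from the original posts: generate x509 certs with and
# without a subjectAltName and inspect the result the way a peer such as
# racoon would see it. All names, addresses and paths are placeholders.

# Build a self-signed cert with SAN = DNS:$2, IP:$3, IP:$4 into directory $1.
# The order of the IP entries is deliberate: a peer that only honours the
# first IP entry must find the address it will be offered as the ID there.
make_san_cert() {
    dir="$1"; dns="$2"; ip1="$3"; ip2="$4"
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
CN = $dns

[ v3_san ]
subjectAltName = DNS:$dns, IP:$ip1, IP:$ip2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
}

# Build a cert that carries only a CN, i.e. the shape racoon rejects.
make_cn_only_cert() {
    dir="$1"; dns="$2"
    mkdir -p "$dir"
    cat > "$dir/cn.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = $dns
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/cn.cnf" >/dev/null 2>&1
}

# Print the subjectAltName value line of a PEM cert; prints nothing when the
# extension is absent.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

# Exit status 0 if the cert has a subjectAltName, 1 otherwise.
has_san() {
    [ -n "$(cert_san "$1")" ]
}

# Print the first "IP Address:" entry of the SAN, the only one the earlier
# post reports racoon comparing the peer ID against.
first_san_ip() {
    cert_san "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep '^IP Address:' | head -n1 | sed 's/^IP Address://'
}
```

Usage: `make_san_cert ./out arthur.example.org 192.168.35.24 10.14.82.152` followed by `cert_san ./out/cert.pem` shows the SAN line as OpenSSL prints it; if the address a peer will present as its ID is not what `first_san_ip ./out/cert.pem` returns, reorder the subjectAltName entries in the config and regenerate. Checking `has_san` before installing a cert on a racoon node catches the CN-only mistake at generation time rather than in the daemon log.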

Written by Lee Verberne

2008/12/02 at 21:12

Posted in Internet, Unix-type stuff
