From owner-freebsd-security Thu Nov 21 0:57:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8930C37B401; Thu, 21 Nov 2002 00:57:29 -0800 (PST)
Received: from bns.tns.cz (bns.tns.cz [80.188.15.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53FC043E88; Thu, 21 Nov 2002 00:57:28 -0800 (PST) (envelope-from jp@tns.cz)
Received: from bertik.tns.cz (bertik.tns.cz [192.168.144.14]) by bns.tns.cz (Postfix) with ESMTP id E780076342; Thu, 21 Nov 2002 09:57:16 +0100 (CET)
Received: by bertik.tns.cz (Postfix, from userid 1000) id 7C10A5F66; Thu, 21 Nov 2002 09:57:22 +0100 (CET)
Date: Thu, 21 Nov 2002 09:57:21 +0100
From: Josef Pojsl
To: Alwyn Goodloe
Cc: freebsd-security@freebsd.org
Subject: Re: IKE/RSA problems
Message-ID: <20021121095721.B256@bertik.tns.cz>
Mail-Followup-To: Alwyn Goodloe, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: from agoodloe@saul.cis.upenn.edu on Wed, Nov 20, 2002 at 04:52:50PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Nov 20, 2002 at 04:52:50PM -0500, Alwyn Goodloe wrote:
> On the client side I keep getting the error message:
>
> >>2002-11-20 15:09:37: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
> >>2002-11-20 15:09:37: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched.
> >>2002-11-20 15:09:37: ERROR: crypto_openssl.c:483:eay_get_x509subjectaltname():
> >>2002-11-20 15:09:37: ERROR: oakley.c:1621:oakley_check_certid(): failed to get subjectAltName

Alwyn,

the message seems to be very descriptive. Are you sure that the
certificate you are using has got a valid SubjectAltName attribute?
There has to be one and its contents should match the peer's
identification data. On the client, your racoon is configured to
perform address identification:

...
peers_identifier address 192.168.3.1
...

So, the server is expected to produce a certificate whose
SubjectAltName has the value of "IP:192.168.3.1". The same holds for
the other way round. See racoon.conf(5) or e.g.
http://www.kame.net/newsletter/20000912/ for more details.

HTH,
Josef
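The matching rule Josef describes (the configured `peers_identifier` must appear in the peer certificate's subjectAltName) can be checked before deploying a certificate. The following is an added illustrative script, not racoon's code nor anything from this thread: it decodes a subjectAltName extension value with a minimal DER reader and compares it against a `peers_identifier` line; the SAN bytes and config snippets are constructed samples, and `id_matches_cert` approximates the comparison racoon's `oakley_check_certid()` makes for address/fqdn/user_fqdn identifiers.

```python
"""Check that a peer certificate's subjectAltName carries the identifier
racoon is configured to match. Added example; the SAN bytes below are a
constructed DER encoding, not taken from a real certificate."""
import ipaddress
import re

# DER context-specific tags for the GeneralName choices racoon can match
GN_RFC822 = 0x81   # rfc822Name -> racoon type user_fqdn
GN_DNS = 0x82      # dNSName    -> racoon type fqdn
GN_IP = 0x87       # iPAddress  -> racoon type address

def _der_len(buf, pos):
    """Return (length, next_pos) for a DER length at pos (short or long form)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_san(der):
    """Decode a subjectAltName value (SEQUENCE OF GeneralName) into a list of
    (racoon_id_type, value) tuples; GeneralName choices racoon ignores are skipped."""
    assert der[0] == 0x30, "subjectAltName value must be a SEQUENCE"
    total, pos = _der_len(der, 1)
    end, names = pos + total, []
    while pos < end:
        tag = der[pos]
        length, pos = _der_len(der, pos + 1)
        body, pos = der[pos:pos + length], pos + length
        if tag == GN_IP:
            names.append(("address", str(ipaddress.ip_address(body))))
        elif tag == GN_DNS:
            names.append(("fqdn", body.decode("ascii")))
        elif tag == GN_RFC822:
            names.append(("user_fqdn", body.decode("ascii")))
    return names

def peers_identifier(conf_text):
    """Extract (type, value) from a racoon.conf 'peers_identifier' statement."""
    m = re.search(r'peers_identifier\s+(address|fqdn|user_fqdn)\s+"?([^\s";]+)"?', conf_text)
    return (m.group(1), m.group(2)) if m else None

def id_matches_cert(conf_text, san_der):
    """True only if the configured peer identifier is one of the SAN entries."""
    ident = peers_identifier(conf_text)
    return ident is not None and ident in parse_san(san_der)

# Constructed sample SAN: { dNSName "vpn.example.org", iPAddress 192.168.3.1 }
SAMPLE_SAN = bytes([0x30, 0x17, 0x82, 0x0f]) + b"vpn.example.org" + bytes([0x87, 0x04, 192, 168, 3, 1])
CONF_OK = 'remote 192.168.3.1 {\n  peers_identifier address 192.168.3.1;\n}\n'
CONF_BAD = 'remote 192.168.3.1 {\n  peers_identifier address 192.168.3.2;\n}\n'

if __name__ == "__main__":
    print(id_matches_cert(CONF_OK, SAMPLE_SAN), id_matches_cert(CONF_BAD, SAMPLE_SAN))  # True False
```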