Date: Thu, 15 Mar 2012 22:33:03 +1000
From: Da Rock <freebsd-questions@herveybayaustralia.com.au>
To: freebsd-questions@freebsd.org
Subject: Re: Racoon failed to get subjectAltName
Message-ID: <4F61E17F.9090101@herveybayaustralia.com.au>
In-Reply-To: <4F614C46.20206@herveybayaustralia.com.au>
References: <4F614C46.20206@herveybayaustralia.com.au>
On 03/15/12 11:56, Da Rock wrote:
> I could be wrong in my assumption, but I cannot seem to get this to
> work for me and this error will not disappear while my problem continues.
>
> I'm trying to get a RoadWarrior setup for an Android L2TP/IPSec VPN. I
> had it working at one time on my LAN but failed getting through the pf
> firewall, so I stowed it while I was required to work on something
> else; unfortunately I lost the working config somehow (I think? This
> could be just the bug) and I had to start again - no biggie as I pulled
> the info off the net before so I could do it again.
>
> I recreated some new certificates (the old ones I used to test had
> expired - I only gave them a very short life for security reasons), and
> recreated what I thought I had before using xca (same as previously).
> These include the mandatory SAN: I use email:copy to set this.
>
> No amount of googling has helped my investigations; everything is
> still basically the same age as when I first set this up. But racoon
> insists the SAN is unavailable now. I've also tried turning off verify
> identity, but in spite of that it says the certificates don't match
> because of empty certificate requests; it would seem that it is still
> looking for the SAN even though it no longer says so. Googling also
> verifies that racoon _requires_ SAN to be set to work.
>
> I've tried other SAN types, but they don't seem to work either. A
> check on the certificate shows that it _is_ actually there on all the
> certificates, but racoon must be blind or something :)
>
> Can anyone shed some light on this? Has racoon developed a bug on this
> at some time?
>
> FWIW racoon won't even pass phase 1 so I'd assume it is not working
> because of this problem.

Just to update, phase 1 is half working if verify is off: there is a
phase 1 connection between the server and Android, but not between
Android and the server - hence my confusion and erroneous assumption.
Only the Android logs showed this problem.

Phase 2 never comes (of course). Something does feel different getting
this to work this time round, I just can't put my finger on it. And I
can't figure out what I've done differently. I still can't get my
certificates right somehow. I'm not sure what I'm missing here either.
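The check the poster describes ("a check on the certificate shows that it _is_ actually there") can be scripted so that the SAN is inspected the same way on every certificate in the setup. The following is an added example, not part of the original thread and not racoon's or xca's code. It uses only the openssl command line: it issues a self-signed test certificate whose extension section mirrors the poster's xca setting (email:copy, which copies the emailAddress from the subject DN into the subjectAltName), then extracts the SAN and tests whether a given entry is present. The names vpn.example.test and vpn@example.test, the section names san/nosan and the function names are assumptions chosen for the example; a second section with no SAN is included so the negative case (extension absent) is visible too.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed placeholder names:
# vpn.example.test / vpn@example.test; section names san/nosan are ours.
set -eu

# Write an OpenSSL config whose "san" section mirrors the xca email:copy
# setting; "nosan" deliberately omits the extension for comparison.
write_cfg() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = vpn.example.test
emailAddress = vpn@example.test
[ san ]
subjectAltName = email:copy, DNS:vpn.example.test
[ nosan ]
basicConstraints = CA:FALSE
EOF
}

# make_cert <dir> <section>: self-signed cert+key in <dir>, using the
# named extension section (san or nosan) from the config above.
make_cert() {
  write_cfg "$1/req.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -config "$1/req.cnf" -extensions "$2" 2>/dev/null
}

# san_entries <cert.pem>: print the SAN value line from the text dump,
# e.g. "email:vpn@example.test, DNS:vpn.example.test"; prints nothing
# when the extension is missing, which is the case racoon complains about.
san_entries() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# cert_has_san <cert.pem> <entry>: succeed only when the SAN contains
# exactly <entry>, e.g. "email:vpn@example.test" or "DNS:vpn.example.test".
cert_has_san() {
  san_entries "$1" | tr ',' '\n' | sed 's/^[ \t]*//' | grep -qx "$2"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_cert "$d" san
  echo "SAN: $(san_entries "$d/cert.pem")"
  if cert_has_san "$d/cert.pem" "email:vpn@example.test"; then
    echo "email entry present"
  fi
  make_cert "$d" nosan
  echo "SAN without extension: '$(san_entries "$d/cert.pem")'"
  rm -rf "$d"
fi
```

Run `san_entries` against the server certificate, the Android client certificate and the CA certificate in turn; an empty line for any of them means the extension is not in that certificate at all, whatever xca shows in its GUI. When the entries are there, the value to compare against is the one racoon is told to expect: an email-style entry corresponds to a user_fqdn identifier and a DNS entry to an fqdn identifier, and the identifier string must match the SAN entry exactly, character for character.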