From owner-freebsd-questions@FreeBSD.ORG Thu Mar 15 02:01:43 2012
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <4F614C46.20206@herveybayaustralia.com.au>
Date: Thu, 15 Mar 2012 11:56:22 +1000
From: Da Rock
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:7.0.1) Gecko/20111109 Thunderbird/7.0.1
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Racoon failed to get subjectAltName
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-questions@freebsd.org
List-Id: User questions
X-List-Received-Date: Thu, 15 Mar 2012 02:01:43 -0000

I could be wrong in my assumption, but I cannot seem to get this to work for me, and this error will not disappear while my problem continues. I'm trying to get a RoadWarrior setup for an Android L2TP/IPSec VPN.
I had it working at one time on my LAN but failed getting through the pf firewall, so I stowed it while I was required to work on something else; unfortunately I lost the working config somehow (I think? This could be just the bug) and I had to start again, no biggie, as I pulled the info off the net before so I could do it again.

I recreated some new certificates (the old ones I used to test had expired; I only gave them a very short life for security reasons), and recreated what I thought I had before using xca (same as previously). These include the mandatory SAN: I use email:copy to set this. No amount of googling has helped my investigations; everything is still basically the same age as when I first set this up. But racoon insists the SAN is unavailable now.

I've also tried turning off verify identity, but despite that it says the certificates don't match because of empty certificate requests; it would seem that it is still looking for the SAN even though it no longer says so. Googling also verifies that racoon _requires_ SAN to be set to work. I've tried other SAN types, but they don't seem to work either. A check on the certificate shows that it _is_ actually there on all the certificates, but racoon must be blind or something :)

Can anyone shed some light on this? Has racoon developed a bug on this at some time? FWIW racoon won't even pass phase 1, so I'd assume it is not working because of this problem.
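To confirm that a certificate really carries the subjectAltName email entry racoon looks for, here is an added example (not from the original post, nor from racoon or xca): a small POSIX shell helper around the openssl CLI that lists the SAN email entries of a PEM certificate and compares the first one with the Subject emailAddress, which is the field xca's email:copy copies from. It assumes only that the openssl command is installed.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the subjectAltName
# extension of a PEM certificate with the openssl CLI (assumed installed).

# Print the SAN email entries of the certificate in $1, one per line.
cert_san_emails() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p'
}

# Print the emailAddress attribute of the Subject DN (what email:copy copies).
cert_subject_email() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null |
        sed -n 's/^[[:space:]]*emailAddress=//p'
}

# Succeed (exit 0) only when the certificate has at least one SAN email entry.
cert_has_san_email() {
    [ -n "$(cert_san_emails "$1")" ]
}

# Succeed only when the first SAN email equals the Subject emailAddress,
# i.e. the SAN looks like it was produced by email:copy.
cert_san_matches_subject() {
    san=$(cert_san_emails "$1" | head -n 1)
    subj=$(cert_subject_email "$1")
    [ -n "$san" ] && [ "$san" = "$subj" ]
}
```

Run `cert_has_san_email cert.pem && echo SAN present` against each certificate racoon loads; a certificate that fails this check is one racoon will not be able to take an identity from.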