From owner-freebsd-questions@FreeBSD.ORG Thu Mar 15 12:38:24 2012
Message-ID: <4F61E17F.9090101@herveybayaustralia.com.au>
Date: Thu, 15 Mar 2012 22:33:03 +1000
From: Da Rock
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:7.0.1) Gecko/20111109 Thunderbird/7.0.1
To: freebsd-questions@freebsd.org
References: <4F614C46.20206@herveybayaustralia.com.au>
In-Reply-To: <4F614C46.20206@herveybayaustralia.com.au>
Subject: Re: Racoon failed to get subjectAltName
List-Id: User questions

On 03/15/12 11:56, Da Rock wrote:
> I could be wrong in my assumption, but I cannot seem to get this to work for me and this error will not disappear while my problem continues.
>
> I'm trying to get a RoadWarrior setup for an Android L2TP/IPSec vpn. I had it working at one time on my LAN but failed getting through the pf firewall, so I stowed it while I was required to work on something else; unfortunately I lost the working config somehow (I think? This could be just the bug) and I had to start again - no biggie as I pulled the info off the net before so I could do it again.
>
> I recreated some new certificates (the old ones I used to test had expired - I only gave them a very short life for security reasons), and recreated what I thought I had before using xca (same as previously). These include the mandatory SAN: I use email:copy to set this.
>
> No amount of googling has helped my investigations, everything is still basically the same age as when I first set this up. But racoon insists the SAN is unavailable now. I've also tried turning off verify identity, but in spite of that it says the certificates don't match because of empty certificate requests; it would seem that it is still looking for the SAN even though it no longer says so. Googling also verifies that racoon _requires_ SAN to be set to work.
>
> I've tried other SAN types, but they don't seem to work either. A check on the certificate shows that it _is_ actually there on all the certificates, but racoon must be blind or something :)
>
> Can anyone shed some light on this? Has racoon developed a bug on this at some time?
>
> FWIW racoon won't even pass phase1 so I'd assume it is not working because of this problem.

Just to update, phase 1 is half working if verify is off: there is a phase 1 connection between the server and Android, but not between Android and the server - hence my confusion and erroneous assumption. Only the Android logs showed this problem. Phase 2 never comes (of course).

Something does feel different getting this to work this time round, I just can't put my finger on it. And I can't figure what I've done differently.
I still can't get my certificates right somehow. I'm not sure what I'm missing here either.
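A concrete form of the certificate check described in the thread, added here as an example and not code from the poster or from racoon: it issues a throw-away self-signed certificate carrying an email-type SAN (the type xca's email:copy produces) plus a DNS entry, then reads the SAN entries back with the openssl CLI so the exact strings can be compared against the identifier racoon is configured to expect. It assumes the openssl CLI (1.1.1 or later, for -addext) is on PATH; the host and address names are made up.

```shell
#!/bin/sh
# Added example: verify that a certificate really carries the SAN entry an
# IKE/IPsec daemon is going to look for. Assumes openssl >= 1.1.1 on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed test certificate with an explicit email SAN and a DNS SAN.
# (Constructed test data; vpn.example.com / vpn@example.com are placeholders.)
# Prints the path of the PEM certificate it created.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=vpn.example.com/emailAddress=vpn@example.com" \
        -addext "subjectAltName=email:vpn@example.com,DNS:vpn.example.com" \
        -keyout "$WORK/test.key" -out "$WORK/test.crt" >/dev/null 2>&1
    echo "$WORK/test.crt"
}

# Print the SAN entries of a PEM certificate one per line, e.g.
# "email:vpn@example.com". Exits non-zero when the certificate has no
# subjectAltName extension at all, which is the case worth catching.
list_san() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Subject Alternative Name/ {
            getline                      # the entry list is on the next line
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) { sub(/^[ \t]+/, "", a[i]); print a[i] }
            found = 1
        }
        END { exit !found }'
}

# Succeeds only if "$2" is present as an exact SAN entry (type prefix included),
# e.g. san_has cert.pem "email:vpn@example.com".
san_has() {
    list_san "$1" | grep -qxF "$2"
}

CERT=$(make_test_cert)
list_san "$CERT"
san_has "$CERT" "email:vpn@example.com" && echo "email SAN present"
```

If list_san prints nothing for your real server or client certificate, the SAN extension is genuinely missing from that file, regardless of what the generating tool's GUI showed.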