Date: Thu, 21 Nov 2002 09:57:21 +0100
From: Josef Pojsl <jp@tns.cz>
To: Alwyn Goodloe <agoodloe@saul.cis.upenn.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: IKE/RSA problems
Message-ID: <20021121095721.B256@bertik.tns.cz>
In-Reply-To: <Pine.GSO.4.44.0211201651340.24358-100000@saul.cis.upenn.edu>; from agoodloe@saul.cis.upenn.edu on Wed, Nov 20, 2002 at 04:52:50PM -0500
References: <Pine.GSO.4.44.0211201651340.24358-100000@saul.cis.upenn.edu>
On Wed, Nov 20, 2002 at 04:52:50PM -0500, Alwyn Goodloe wrote:
> On the client side I keep getting the error message:
>
> >>2002-11-20 15:09:37: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
> >>2002-11-20 15:09:37: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched.
> >>2002-11-20 15:09:37: ERROR: crypto_openssl.c:483:eay_get_x509subjectaltname():
> >>2002-11-20 15:09:37: ERROR: oakley.c:1621:oakley_check_certid(): failed to get subjectAltName

Alwyn,

the message seems to be very descriptive. Are you sure that the certificate you are using has got a valid SubjectAltName attribute? There has to be one and its contents should match the peer's identification data.

On the client, your racoon is configured to perform address identification:

...
peers_identifier address 192.168.3.1
...

So, the server is expected to produce a certificate whose SubjectAltName has the value of "IP:192.168.3.1". The same holds for the other way round.

See racoon.conf(5) or e.g. http://www.kame.net/newsletter/20000912/ for more details.

HTH,
Josef
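The requirement Josef describes, shown as an added example that is not part of the thread: with `peers_identifier address 192.168.3.1` on the client, the server's certificate must carry a subjectAltName of `IP:192.168.3.1`, and a certificate with no SAN at all is exactly what produces the "failed to get subjectAltName" error above. The script below generates one certificate with that SAN and one without, then checks each against the address the peer will be identified by, mirroring the comparison racoon makes. The certificate names, the scratch directory and the use of OpenSSL's `-addext` (needs OpenSSL 1.1.1 or newer) are assumptions of this example; it covers only the address identifier form used in the thread, not FQDN or user-FQDN identifiers.

```shell
#!/bin/sh
# Added example, not code from the original thread: build a certificate whose
# subjectAltName carries the IP identity racoon expects for
# "peers_identifier address 192.168.3.1", build one without it, and check each
# the way the peer will. Assumes OpenSSL 1.1.1 or newer (for -addext).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: any writable dir)
SERVER_IP=192.168.3.1          # the server address named in the thread

# make_cert <name> [ip]: self-signed RSA cert for CN=<name>; if <ip> is given,
# adds subjectAltName = IP:<ip>. Prints the path of the certificate.
make_cert() {
    name=$1; ip=${2:-}
    set -- -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$name" \
           -keyout "$WORK/$name.key" -out "$WORK/$name.crt"
    if [ -n "$ip" ]; then
        set -- "$@" -addext "subjectAltName=IP:$ip"
    fi
    openssl req "$@" >/dev/null 2>&1
    echo "$WORK/$name.crt"
}

# san_matches_ip <cert> <ip>: succeed (and print "match") only if the
# certificate's subjectAltName lists exactly that IP address; otherwise print
# "mismatch" and fail. A cert with no SAN at all fails here too, which is the
# situation behind racoon's "failed to get subjectAltName".
san_matches_ip() {
    cert=$1; ip=$2
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
    if openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "IP Address:$esc(,|\$)"; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Demonstration: one certificate the client will accept, one it will not.
GOOD_CERT=$(make_cert server-ok "$SERVER_IP")
NOSAN_CERT=$(make_cert server-nosan)

for c in "$GOOD_CERT" "$NOSAN_CERT"; do
    printf '%s -> ' "$c"
    san_matches_ip "$c" "$SERVER_IP" || :
done
```

Run the check against the certificate you actually hand to racoon before debugging the exchange: if `san_matches_ip` reports `mismatch` for the address in `peers_identifier`, the phase 1 negotiation will fail no matter how the rest of racoon.conf is set up. Because identification is checked in both directions, the same test applies to the client's certificate against the identifier the server uses for it.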