From: Josef Pojsl (jp_at_tns.cz)
Date: Thu Nov 21 2002 - 02:57:21 CST
On Wed, Nov 20, 2002 at 04:52:50PM -0500, Alwyn Goodloe wrote:
> On the client side I keep getting the error message:
>
> >>2002-11-20 15:09:37: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
> >>2002-11-20 15:09:37: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched.
> >>2002-11-20 15:09:37: ERROR: crypto_openssl.c:483:eay_get_x509subjectaltname():
> >>2002-11-20 15:09:37: ERROR: oakley.c:1621:oakley_check_certid(): failed to get subjectAltName
Alwyn,
the message seems to be very descriptive. Are you sure that the certificate you are
using has got a valid SubjectAltName attribute? There has to be one and its contents
should match the peer's identification data.
On the client, your racoon is configured to perform address identification:
...
peers_identifier address 192.168.3.1
...
So, the server is expected to produce a certificate whose SubjectAltName has
the value of "IP:192.168.3.1". The same holds for the other way round.
See racoon.conf(5) or e.g. http://www.kame.net/newsletter/20000912/ for more details.
HTH,
Josef
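
Added example, not part of the original message and not racoon's own code: a check of a certificate's text dump (as printed by `openssl x509 -noout -text`) against a peers_identifier setting, separating a certificate with no SubjectAltName at all from one whose SubjectAltName holds a different value. The function names and sample dumps are hypothetical, and the fqdn and user_fqdn mappings are assumptions beyond the address case discussed above.

```python
import ipaddress

# racoon identifier type -> entry label in `openssl x509 -noout -text` output.
# The message covers "address"; "fqdn" and "user_fqdn" are assumed mappings.
SAN_LABEL = {"address": "IP Address", "fqdn": "DNS", "user_fqdn": "email"}

def san_entries(cert_text):
    """Return [(label, value), ...] from the SAN extension, or None if absent."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line:
            body = lines[i + 1] if i + 1 < len(lines) else ""
            pairs = (item.strip().partition(":") for item in body.split(","))
            return [(label, value) for label, sep, value in pairs if sep]
    return None

def check_peer_id(cert_text, id_type, id_value):
    """Compare a peers_identifier setting against the certificate's SAN."""
    entries = san_entries(cert_text)
    if entries is None:
        return "no-subjectAltName"  # certificate carries no SAN extension at all
    for label, value in entries:
        if label != SAN_LABEL[id_type]:
            continue
        if id_type == "address":
            try:  # compare as addresses so textual variants of one IP still match
                if ipaddress.ip_address(value) == ipaddress.ip_address(id_value):
                    return "match"
            except ValueError:
                continue
        elif value == id_value:
            return "match"
    return "mismatch"

# Constructed excerpts of text dumps, not taken from the thread.
WITH_SAN = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.168.3.1, DNS:gw.example.org
"""
WITHOUT_SAN = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

if __name__ == "__main__":
    for name, dump in (("with SAN", WITH_SAN), ("without SAN", WITHOUT_SAN)):
        print(name, "->", check_peer_id(dump, "address", "192.168.3.1"))
```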