After fiddling around with ipsec-tools for some days, reading howtos and the
manpages, I'm a bit clueless; I can't get it to work as I would like.

I want to connect my laptop as the client to my OpenBSD isakmpd server. I have
a CA created and certificates for server and client. I have attached the
debug log output.

I'm wondering about the options I have in the config file. I get my tunnel up
and running if I use the verify_cert off statement, but I want to check the
certificate. If I change the off to on, I get the "no proper subjectAltName" as
you can see. I have also put the cert of the CA in /etc/cert as configured in
the config file, and I did the ln -sf ...

What I tried:

I tried to provide a cert with peers_certificate, and in the debug output I can
see racoon is reading that file, but I get another error message; I think
that idea was wrong? So I tried to provide the server certificate with this
statement, but I get the same error without that statement: no proper

As I read, the certificate from peers_certificate is "overriding" the cert
gotten from the server?

And another thing I'm wondering about:

I tried verify_identifier off, but with no difference.
After that I tried to change the identifiers from address to asn1dn,
changing verify_cert off, and it worked. What I'm a bit astonished about is: why does
it work with no difference with verify_cert off, verify_identities on, and I
tried address and asn1dn as the identifiers; both worked. Does
verify_identities have any effect if verify_cert is off?

Just a question for clarification for me:

What all does the verify_cert on; statement check?
What are the identities it is checking with verify_identities?
Am I right that it's the configured IP in the v3 cert payload it is checking?

I have a working OpenBSD client, so the server should be OK, I think.
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    isakmp 10.1.0.2;
    strict_address;         # required all addresses must be bound.
}

timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote 10.1.0.1
{
    my_identifier address 10.1.0.2;
    certificate_type x509 "client.cert" "client.key";
    proposal_check obey;    # obey, strict or claim
    peers_identifier address 10.1.0.1;
    # remaining remote directives not included in the post
}
So I don't really know what my problem is; if someone can give me a
clue, that would be really great.