[Swan] Options for Windows clients

Alex mysqlstudent at gmail.com
Thu Dec 31 19:38:43 UTC 2020


Hi,

> Dec 31 13:53:06.342990: "ikev2-cp"[1] 172.58.239.44 #1: certificate
> verified OK: O=Example,CN=win10client.example.com
> Dec 31 13:53:06.343028: "ikev2-cp"[1] 172.58.239.44 #1: certificate
> subjectAltName extension does not match ID_IPV4_ADDR '172.58.239.44'
> Dec 31 13:53:06.343035: "ikev2-cp"[1] 172.58.239.44 #1: Peer CERT
> payload SubjectAltName does not match peer ID for this connection
> Dec 31 13:53:06.343038: "ikev2-cp"[1] 172.58.239.44 #1: X509:
> connection failed due to unmatched IKE ID in certificate SAN
> Dec 31 13:53:06.347987: "ikev2-cp"[1] 172.58.239.44 #1: reloaded
> private key matching left certificate 'orion.example.com'
> Dec 31 13:53:06.348005: "ikev2-cp"[1] 172.58.239.44 #1: switched from
> "ikev2-cp"[1] 172.58.239.44 to "ikev2-cp"
> Dec 31 13:53:06.348021: "ikev2-cp"[1] 172.58.239.44: deleting
> connection instance with peer 172.58.239.44 {isakmp=#0/ipsec=#0}

I just noticed this where it says the connection failed, but it
appears later to connect properly.

Removing the --extSAN for the win10client doesn't make a difference.
How do I set that properly?

Also, it's worth noting that the Windows cert must be installed in
both the Personal and "Trusted Root Certification Authority" stores.

