[Swan] IKE failure/Issue with Subject Alternative Name
Paul Wouters
paul at nohats.ca
Thu Oct 12 18:39:29 EEST 2023
On Thu, 12 Oct 2023, Mayur Nakade wrote:
>
> certificate contains no subjectAltName extension "mytunnel" #8: certificate
> does not contain subjectAltName=hostB.cert.com
>
> Note: SAN cnf is created and added in host certificates (verified by checking certificate
> content). There's no other error, as until the 4th main message IKE was going well (verified from pluto log
> and wireshark). So after that I seek help here to understand the issue: why is IKE not successful?
> Is the above issue causing it?
Can you show the output of: openssl x509 -in file.cert -noout -text
It does strongly suggest you do not have a subjectAltName extension, and
trusting CN= is no longer considered secure.
Paul
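
Added example, not part of the original message and not libreswan code: a shell check that reads the `openssl x509 -in file.cert -noout -text` output requested above and reports whether a subjectAltName extension exists and lists the expected DNS name. The function names and both sample dumps are constructed for illustration; the check only inspects the certificate and does not reproduce pluto's own ID matching.

```shell
#!/bin/sh
# san_has_dns NAME: reads `openssl x509 -noout -text` output on stdin.
# Exit 0: subjectAltName present and lists DNS:NAME
# Exit 1: subjectAltName present, NAME not listed
# Exit 2: certificate has no subjectAltName extension
san_has_dns() {
    awk -v want="$1" '
        /X509v3 Subject Alternative Name/ { found = 1; grab = 1; next }
        grab {                      # the line after the header holds the entries
            grab = 0
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                # DNS names are compared case-insensitively here
                if (tolower(parts[i]) == ("dns:" tolower(want))) hit = 1
            }
        }
        END { if (!found) exit 2; exit (hit ? 0 : 1) }
    '
}

# check_cert FILE NAME: run the command from the thread on a real file.
check_cert() {
    openssl x509 -in "$1" -noout -text | san_has_dns "$2"
}

# Constructed sample: subject CN only, no SAN extension (the failing case).
sample_cn_only() {
cat <<'EOF'
Certificate:
    Data:
        Subject: CN = hostB.cert.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}

# Constructed sample: same subject, with a SAN extension.
sample_with_san() {
cat <<'EOF'
Certificate:
    Data:
        Subject: CN = hostB.cert.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:hostB.cert.com, IP Address:192.0.2.10
EOF
}
```

An exit status of 2 from `check_cert file.cert hostB.cert.com` corresponds to the "contains no subjectAltName extension" case in the quoted log.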