On 13.02.2020 08:43, Robert Paschedag wrote:
> sent from my mobile device
>
> On 12 February 2020 15:07:46, Shadrock Uhuru <niyal...@gmail.com> wrote:
>> hi everyone
>> I have set up iked on my firewall and laptop as a roadwarrior setup following https://www.openbsd.org/faq/faq17.html
>> I've tested from within the local network but no flows are started.
>> Could someone have a look at the following files to see where I have erred.
>
> Looks like your client cert (pegasus) is missing a subjectAltName.
>
> Robert
>
>> # my iked config method
>> http://paste.openstack.org/show/789464/
>> imhoptep iked logs (responder)
>> http://paste.openstack.org/show/789465/
>> pegasus iked logs (initiator)
>> http://paste.openstack.org/show/789466/
>> thanks
>> shadrock
As https://www.openbsd.org/faq/faq17.html does not mention anything about subjectAltName, I've researched across the net and found the following information:

IKEv2 VPN server certificate must contain either the server's IP address or its FQDN as the subjectAltName. Roadwarriors usually have dynamic IP addresses assigned by the ISP they are currently attached to. In order to simplify the routing from my-net (tissisat.co.uk) back to the roadwarrior (pegasus) it would be desirable if the roadwarrior had an inner IP address chosen from a pre-assigned pool.

If this is the way to deal with subjectAltName, what are the steps to achieve this?

shadrock
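Added example, not part of the thread and not code from OpenBSD or the FAQ: iked matches the peer ID it is configured with (an FQDN, an IP address or an e-mail address) against the subjectAltName of the certificate the peer presents, so a certificate whose only identity is the CN "pegasus" gives it nothing to match. The script below uses plain openssl(1) rather than ikectl to mint one certificate with a DNS subjectAltName and one without, then shows how to read the SAN back out of any PEM certificate so you can check what iked will actually see. Host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): mint test certificates with and
# without a subjectAltName using plain openssl(1), and inspect a PEM
# certificate to see which identity iked could match against the peer ID.
# Host names below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert CN SAN OUT
#   CN  = subject common name
#   SAN = subjectAltName value such as DNS:host.example or IP:192.0.2.1,
#         or "" to produce a certificate with no SAN at all
#   OUT = path of the PEM certificate to write
make_cert() {
    cn=$1; san=$2; out=$3
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
        printf '[ dn ]\nCN = %s\n' "$cn"
        if [ -n "$san" ]; then
            printf '[ v3_req ]\nsubjectAltName = %s\n' "$san"
        fi
    } > "$WORK/req.cnf"
    if [ -n "$san" ]; then
        ext="-extensions v3_req"
    else
        ext=""
    fi
    # word-splitting of $ext is intended: it is either empty or two words
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$cn.key" -out "$out" \
        -config "$WORK/req.cnf" $ext >/dev/null 2>&1
}

# cert_san PEM: print the subjectAltName entries ("DNS:...", "IP Address:...")
# of a certificate, or nothing if the extension is absent.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# san_has PEM ID: succeed when ID appears in the certificate's SAN,
# i.e. when there is an identity iked could match a configured peer ID to.
san_has() {
    cert_san "$1" | grep -q -- "$2"
}

# Stand-alone demo: one certificate with a usable SAN, one with only a CN.
make_cert pegasus.example.net DNS:pegasus.example.net "$WORK/good.pem"
make_cert pegasus "" "$WORK/nosan.pem"
echo "good.pem  SAN: $(cert_san "$WORK/good.pem")"
echo "nosan.pem SAN: $(cert_san "$WORK/nosan.pem")"
```

Run cert_san against the certificate pegasus actually presents (and against the responder's certificate) and compare the output with the IDs configured on each side; an empty result is the condition Robert describes.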