racoon requires subjectAltName for x509 IKE
Having trouble getting your ipsec working with x509 certs? It would appear that racoon requires the subjectAltName extension to be set. It won’t use the CN. You have to set a subjectAltName field even if it contains nothing besides a copy of the CN.
Heed this warning, or you’ll fall victim to the following:
racoon: 2008-12-02 14:47:21: ERROR:
racoon: 2008-12-02 14:47:21: ERROR: failed to get subjectAltName
racoon: 2008-12-02 14:47:21: ERROR: no peer's CERT payload found.
Of course… the misery that is tricking openssl to create a cert with the subjectAltName in it is outside the scope of this simple blog entry. Maybe a lengthy one at a later date…