[Openswan Users] problem connecting: INVALID_CERTIFICATE

aram price me at aramprice.com
Fri Dec 16 15:02:18 CET 2005

On 16 Dec, 2005, at 14:34 , Jacco de Leeuw wrote:

>>     ignoring informational payload, type INVALID_CERTIFICATE
>> conn l2tp-b-cert
>>         authby=rsasig
>>         leftcert=vpnserver.foo.com.pem
> If you are using Mac OS X, you also need leftid=@vpnserver.example.com
> and the certificate should contain  
> subjectAltName=DNS:vpnserver.example.com

I've noticed this on your panther (time to update that to read  
tiger? :-) FAQ.
is there a handy way to modify openssl.cnf so that this will be  
prompted for
interactively, or does one have to add this to the config of each  
machine doing:
	 ./CA.sh -newreq
I ask because I've often just created the requests on the CA machine  
probably shouldn't have subjectAltName set to be something other than  
own DNS value.

do you think that the lack of subjectAltName causing the  

> Perhaps he checked out my webpage:
> http://www.jacco2.dds.nl/networking/freeswan-panther.html#Certs
> (You'll love that import script! :-)

I've been using the info here - very handy, thanks!

>> I would try Windows first, X.509 on OSX is still very much  
>> untested and
>> under strange restrains. I hope it will be better when 10.4.4 comes
>> out in the next week.
> Huh? You got inside information on that? I don't get the impression  
> there
> is much going on over there in Cupertino. The upcoming Openswan 2.4.5
> on the other hand will be much more important because it contains  
> updated
> support for Mac clients.

I was curious about this as well.
I'll be happy when both are out, xp clients are my main concern but  
I'll be
glad to use the VPN myself.


More information about the Users mailing list