
Error Failed To Get Subjectaltname


Thanks for sharing. Edit openssl.cnf and uncomment "x509_extensions = v3_ca" in the [ req ] section.

What I end up with is:

00:03:18 ipsec IPsec-SA request for queued due to no phase1 found.
00:03:18 ipsec initiate new phase 1 negotiation:[500]<=>[500]
00:03:18 ipsec begin Identity Protection mode.
00:03:19 ipsec received

I also created another one for the mikrotik that used mikrotik as the CN and ID of the certificate.

Josh Wed, 28 Sep 2011 23:49:58 +0000 at 11:49 pm

Howdi, FYI I have managed to get openssl to prompt for DNS alt names but including subjectAltName in the req_attributes section

The mikrotik cert I used the one that had mikrotik as the CN and ID.

Changing /etc/ssl/openssl.cnf isn't too hard.

Ignore Information Because Isakmp-sa Has Not Been Established Yet

I also found no working configuration of a rsa-sign authenticated IPSec VPN. On cisco the last log lines are:

May 1 22:21:33.431: ISAKMP: set new node -1733463317 to QM_IDLE
May 1 22:21:33.431: ISAKMP: reserved

Once I had both certs in PEM format I imported both into the mikrotik. (I tried importing only the cert and not the key for the remote end, but it always

I created one for the SmoothWall that used its public IP as the CommonName and the certificate ID.

I hope it helps. The setup is: Mikrotik[]-----[]Linux[] Encrypted is<-> main issue was that my self-generated certificates had no subjectAltName.

Trying to add some subjectAltName.

    X509v3 Subject Alternative Name: email:[email protected] is important, otherwise you get this "failed to get subjectAltName" error. After that, it works nicely:

    # racoonctl show-sa ipsec
    192.168.0.24 esp mode=tunnel spi=54623812(0x03417e44) reqid=0(0x00000000) E: aes-cbc fb0dde97

    Here is my openssl config

    [ req ]
    default_bits = 1024
    distinguished_name = req_DN
    prompt = no
    [ req_DN ]
    countryName = US
    stateOrProvinceName = Massachusetts
    localityName = Charlestown
    0.organizationName =

    I will test again with Cisco to confirm it works Mikrotik <-> Cisco as well. I summarize some crucial points I was stumbling over, for the next one to suffer from the

    There's no way to use conditionals (I assume). If you just leave it blank, or leave it out altogether, you get these errors: Unable to load config info from /usr/lib/ssl/openssl.cnf and respectively,

    The subjectAltName must be present, but it is not important what is in there. I'd put in "[email protected],," in the email field when 'openssl req' asked for it.

    For that I had to upgrade to RouterOS 3.23.

    On the SmoothWall end I set the encryption to match the mikrotik (SHA1 and aes-256).

    However, this value can not be set, I tried until RB 4.0b2.


    It took about 1 maybe 2 seconds for the tunnel to establish and packets started to flow.

    quit
    !
    crypto isakmp policy 1
     encr aes 256
     group 5
     lifetime 3600
    crypto isakmp identity dn
    crypto isakmp aggressive-mode disable
    !
    crypto ipsec transform-set transform-set ah-sha-hmac esp-aes 256 esp-sha-hmac
    !
    crypto map cryptomap 30 ipsec-isakmp
     set peer

    I exported both signed certificates as pkcs12 cert and key files.

    There's a clean enough list of browser compatibility here.

    Chris J.

    To put the SubjectAltName in, modify the openssl.cnf to contain something like (see the web for details):

    [yourCA]
    copy_extensions = copy
    [req]
    x509_extensions = v3_ca
    [user_cert]
    subjectAltName=email:copy

    My racoon.conf file contains (not complete):

    path certificate "/etc/cert";
    remote{
    exchange_mode main;

    I thought I was clever putting 'subjectAltName=email:move' in the v3_req section, which would put the email address you type in the subjectAltName field.

    I've got alternative subjects on my list of things to do to handle the load-balancing of some LDAP services, and this is good info to have.

    [[email protected]] > ip ipsec installed-sa print
    Flags: A - AH, E - ESP, P - pfs
     0 E spi=0 src-address= dst-address= auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

    Config excerpt:

    [[email protected]] > ip ipsec

    Nothing else has worked until adding those entries under "req_attributes" section. Thanks very much.

    I thought about writing a script that would copy openssl.cnf, ask me for the value of SubjectAltName, run sed against it, then start openssl.

    I configured the SmoothWall cert to be the one I created with the public IP of the SmoothWall as the ID and CN.

    Maddes Fri, 28 Aug 2015 12:32:36 +0000 at 12:32 pm

    @Josh, Chris: "subjectAltName" belongs to the v3_req extension as mentioned in the article, therefore… a) v3_req has to be enabled, either

    The SmoothWall is my certificate authority that signed both certs.

    From this, I developed these changes to a standard config provided by debian/ubuntu.

    But generated with openSSL and subjectAltName=email:copy set in openssl.cnf)

    Cisco config excerpt:

    crypto pki trustpoint vpn-tp
     usage ike
     revocation-check none
     rsakeypair vpn-tp
    !
    crypto pki certificate chain vpn-tp
     certificate 0B
      308204AA 30820392 A0030201 0202010B 300D0609

    The cert for the mikrotik must be decrypted. I converted both certs to pem format with 'openssl pkcs12 -in smoothwall.p12 -out smoothwall.pem'.

    At the top of openssl.cnf under where it sets HOME="…" I added

    SAN="email:[email protected]"

    And in [ v3_req ] I added:

    subjectAltName=${ENV::SAN}

    So if you run openssl like this:

    SAN="," \

    With all the config stuff done I tried a ping from behind the mikrotik to an IP behind the SmoothWall.

    SubjectAltName can contain email addresses, IP addresses, regular DNS host names, etc.

    Visually it worked, but the browsers didn't like it.

    Al C Thu, 07 Aug 2014 06:05:48 +0000 at 6:05 am

    @ Josh Genius, that worked on its own.