Hi,
> Dec 31 13:53:06.342990: "ikev2-cp"[1] 172.58.239.44 #1: certificate
> verified OK: O=Example,CN=win10client.example.com
> Dec 31 13:53:06.343028: "ikev2-cp"[1] 172.58.239.44 #1: certificate
> subjectAltName extension does not match ID_IPV4_ADDR '172.58.239.44'
> Dec 31 13:53:06.343035: "ikev2-cp"[1] 172.58.239.44 #1: Peer CERT
> payload SubjectAltName does not match peer ID for this connection
> Dec 31 13:53:06.343038: "ikev2-cp"[1] 172.58.239.44 #1: X509:
> connection failed due to unmatched IKE ID in certificate SAN
> Dec 31 13:53:06.347987: "ikev2-cp"[1] 172.58.239.44 #1: reloaded
> private key matching left certificate 'orion.example.com'
> Dec 31 13:53:06.348005: "ikev2-cp"[1] 172.58.239.44 #1: switched from
> "ikev2-cp"[1] 172.58.239.44 to "ikev2-cp"
> Dec 31 13:53:06.348021: "ikev2-cp"[1] 172.58.239.44: deleting
> connection instance with peer 172.58.239.44 {isakmp=#0/ipsec=#0}

I just noticed this where it says the connection failed, but it
appears later to connect properly.

Removing the --extSAN for the win10client doesn't make a difference.
How do I set that properly?

Also, it's worth noting that the Windows cert must be installed in
both the Personal and "Trusted Root Certification Authority" store.
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan