[strongSwan] Faulty SubjectAltName

Johannes Tysiak mail at tysiak.net
Fri Jun 25 00:43:33 CEST 2010

Hello everyone,

I am trying to connect to a Checkpoint VPN-1 using strongswan.
Unfortunately the VPN-1's certificate is faulty, i.e. the IP address in
the SubjectAltName differs from the IP address of the VPN-1. This causes
the following log:

ipsec up xxx

002 "xxx" #1: initiating Main Mode
104 "xxx" #1: STATE_MAIN_I1: initiate
003 "xxx" #1: received Vendor ID payload
002 "xxx" #1: enabling possible NAT-traversal with method RFC 3947
106 "xxx" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "xxx" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "xxx" #1: we have a cert and are sending it upon request
108 "xxx" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "xxx" #1: Peer ID is ID_IPV4_ADDR: 'w.x.y.z'
003 "xxx" #1: no public key known for 'w.x.y.z'
002 "xxx" #1: sending encrypted notification INVALID_KEY_INFORMATION to

I have no possibility to correct the wrong config on the VPN-1 side, so
I have to deal with the faulty certificate. Is there any way to achieve
this using strongswan (e.g. forcing a specific certificate to be used
while ignoring the faulty SubjectAltName?

Thanks very much for your help.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5035 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100625/024746e3/attachment.bin>

More information about the Users mailing list