pfSense bugtracker | https://redmine.pfsense.org/ | updated 2014-04-12T05:02:35Z
pfSense - Bug #3470: IPSec VPN not recognizing alternative IP name | https://redmine.pfsense.org/issues/3470?journal_id=13768 | 2014-04-12T05:02:35Z | Doktor Notor
<p>Duplicate of Bug <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: Certificate Authority SAN names not working in 2.1 (Resolved)" href="https://redmine.pfsense.org/issues/3347">#3347</a>, SubjectAltNames are completely broken.</p>
pfSense - Bug #3470: IPSec VPN not recognizing alternative IP name | https://redmine.pfsense.org/issues/3470?journal_id=13769 | 2014-04-12T13:08:47Z | B. Derman
<p><a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: Certificate Authority SAN names not working in 2.1 (Resolved)" href="https://redmine.pfsense.org/issues/3347">#3347</a> claims that SANs don't work at all but, in my configuration, they do work for OpenVPN where the SAN is of type IP address. That seems to indicate that either SANs are partially working (i.e., when of type IP) or that OpenVPN is accepting a certificate it shouldn't. If it's the latter, that's an important issue.</p>
pfSense - Bug #3470: IPSec VPN not recognizing alternative IP name | https://redmine.pfsense.org/issues/3470?journal_id=13770 | 2014-04-12T18:05:13Z | Doktor Notor
<p>If you take the certificate and look at it via OpenSSL, you can clearly see the extensions are completely missing. If you assign the certificate to a webGUI and browse via a SAN (even an IP), you will get a mismatch warning from the browser in 100% of cases. So yes, these are <strong>completely</strong> broken.</p>
pfSense - Bug #3470: IPSec VPN not recognizing alternative IP name | https://redmine.pfsense.org/issues/3470?journal_id=13771 | 2014-04-12T20:08:15Z | B. Derman
<p>Since OpenVPN accepts a certificate that was created with a common name that doesn't match the IP address to which OpenVPN is connecting, nor does it match the FQDN that's the common name of the certificate (but does match the IP SAN set for the certificate ... which apparently doesn't exist in the certificate), I've filed bug 3602 (<a class="external" href="https://redmine.pfsense.org/issues/3602">https://redmine.pfsense.org/issues/3602</a>).</p>
pfSense - Bug #3470: IPSec VPN not recognizing alternative IP name | https://redmine.pfsense.org/issues/3470?journal_id=20687 | 2015-09-15T20:59:17Z | Chris Buechler (cbuechler@gmail.com)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li></ul><p>This was all fixed some time ago.</p>