I'm trying to configure Mikrotik GRE IPSEC tunnel with a Libreswan server on Linux, using certificate auth.
I understand that it's necessary for the server certificate to have a subjectAltName - and tried doing that, but on the Mikrotik side, I get this in the logs:
failed to get subjectAltName
My server cert's subjectAltName was an email - as suggested elsewhere on the forum:
viewtopic.php?f=2&t=31563&hilit=subjectAltName
Notice that the x509 subjectAltName is in the certificates even though Mikrotik does not display them:
> openssl x509 -text < /etc/cert/linux-cert.pem
...
X509v3 Subject Alternative Name:
email:x@x.x
...
This is important, otherwise you get this "failed to get subjectAltName" error.
I also tried adding a subjectAltName ip:<server IP address> (my peer config on Mikrotik side uses IP for server, not DNS name). Got a different error in Mikrotik logs: "can't parse ph2 packet".
So, what does Mikrotik need in server certificates when doing IPSEC with cert auth? Email? IP? Something else?
Is it possible to get better error messages for troubleshooting (again on the Mikrotik side)?
PS: Mikrotik hAP ac2 with 6.43.8 - the server is strongSwan or libreswan on Debian testing (10).
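The post checks for the extension with `openssl x509 -text` and tries an email SAN and then an IP SAN separately. As an added example that is not part of the original post, the script below generates a lab server certificate that carries both an IP and an email subjectAltName from a small openssl config, then reads the SAN line back out so it can be checked before loading the certificate on either peer. The IP address, email address, CN and working directory are constructed placeholder values, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the forum post): build a test server certificate with
# both an IP and an email subjectAltName, then verify the SAN is present with
# "openssl x509 -text", the same check the post uses.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Assumed placeholder values; replace with the real server IP / contact address.
SERVER_IP="${SERVER_IP:-192.0.2.10}"
SERVER_EMAIL="${SERVER_EMAIL:-vpn@example.test}"

# Write a minimal openssl config whose v3 extension section carries the SANs.
make_san_config() {
    cat > "$WORKDIR/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[ dn ]
CN = vpn-server
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = IP:${SERVER_IP}, email:${SERVER_EMAIL}
EOF
}

# Generate a self-signed certificate for the lab; in a real deployment the
# request would be signed by the CA that both IPsec peers trust.
make_cert() {
    make_san_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.pem" \
        -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Print the value line that follows "X509v3 Subject Alternative Name:" in the
# certificate text (empty output if the extension is absent).
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Succeed only if the certificate's SAN line contains the given entry,
# e.g. "IP Address:192.0.2.10" or "email:vpn@example.test".
has_san() {
    san_of "$1" | grep -q "$2"
}

make_cert
san_of "$WORKDIR/server.pem"
```

Running the script prints one line such as `IP Address:192.0.2.10, email:vpn@example.test`; `has_san` can be reused in a pre-deployment check so that a certificate missing the expected SAN entry is caught before the tunnel is brought up and the "failed to get subjectAltName" log line appears.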