kmansoft
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

subjectAltName for IPSEC cert auth

Wed Jan 23, 2019 11:38 pm

Hello,

I'm trying to configure Mikrotik GRE IPSEC tunnel with a Libreswan server on Linux, using certificate auth.

I understand that it's necessary for the server certificate to have a subjectAltName - and tried doing that, but on the Mikrotik side, I get this in the logs:
failed to get subjectAltName

My server cert's subjectAltName was an email - as suggested elsewhere on the forum:

viewtopic.php?f=2&t=31563&hilit=subjectAltName

    Notice, there is the x509 subjectAltName in the certificates even though Mikrotik does not display them:

    > openssl x509 -text < /etc/cert/linux-cert.pem
    ...
    X509v3 Subject Alternative Name:
    email:x@x.x
    ...

    This is important, otherwise you get this "failed to get subjectAltName" error.

I also tried adding a subjectAltName ip:<server IP address> (my peer config on Mikrotik side uses IP for server, not DNS name). Got a different error in Mikrotik logs: "can't parse ph2 packet".

So, what does Mikrotik need in server certificates when doing IPSEC with cert auth? Email? IP? Something else?

Is it possible to get better error messages for troubleshooting (again on the Mikrotik side)?

PS: Mikrotik hAP ac2 with 6.43.8 - the server is strongSwan or libreswan on Debian testing (10).
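As an added example (not code from the post, nor from MikroTik, Libreswan or strongSwan), the following POSIX shell script mints a throwaway CA and a server certificate whose subjectAltName carries both of the forms tried above, an rfc822Name e-mail and an iPAddress, then reads the SAN back with "openssl x509 -text" the way the quoted check does and verifies that the server cert chains to the CA. The CA name, subject CN, e-mail address, IP address (an RFC 5737 documentation address) and working directory are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from the forum post: mint a throwaway CA and a
# server certificate whose subjectAltName carries both of the forms the
# poster tried (an rfc822Name e-mail and an iPAddress), then read the SAN
# back with "openssl x509 -text" the way the quoted check does. The CN,
# e-mail, IP address and output directory are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_certs EMAIL IP: write ca.pem/ca.key and server.pem/server.key into $WORK.
make_certs() {
    email="$1"
    ip="$2"

    # Throwaway CA: P-256 key, self-signed, 10-year validity, no SAN of its own.
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -out "$WORK/ca.pem" \
        -days 3650 -subj "/CN=Example IPsec CA" 2>/dev/null

    # Server key and CSR. The subject CN is hypothetical; the SAN is attached
    # at signing time from the extension file written below.
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=vpn.example.net" 2>/dev/null

    # Extension file: an end-entity cert with both SAN forms in one extension.
    # An e-mail-only or IP-only SAN is the same line with a single entry.
    cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature
subjectAltName=email:$email,IP:$ip
EOF

    # Sign the CSR with the CA and attach the extensions.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# san_of CERT: print the X509v3 Subject Alternative Name entries of CERT on
# one line, e.g. "email:x@x.x, IP Address:203.0.113.5"; prints nothing when
# the certificate has no SAN extension at all.
san_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# verify_chain CERT CAFILE: succeed only if CERT chains to CAFILE.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# Stand-alone run; set IPSEC_SAN_NO_MAIN=1 to only load the functions.
if [ -z "${IPSEC_SAN_NO_MAIN:-}" ]; then
    make_certs "x@x.x" "203.0.113.5"
    echo "server SAN: $(san_of "$WORK/server.pem")"
    echo "CA SAN:     '$(san_of "$WORK/ca.pem")' (none, as expected for a CA)"
    verify_chain "$WORK/server.pem" "$WORK/ca.pem" && echo "chain OK in $WORK"
fi
```

Run it with openssl installed and inspect the printed SAN line; "openssl x509 -text" renders the iPAddress entry as "IP Address:203.0.113.5", so grepping for the literal "ip:" form used in the extension file will not find it. Which SAN entry the remote peer actually matches is governed by the identity each side sends in the IKE exchange, so the peer ID configured on the RouterOS side and on the Libreswan/strongSwan side must agree with one of the SAN types present in the certificate; generating a cert with both forms, as here, lets you test either identity type without re-issuing.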
 
kmansoft
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 22, 2019 5:00 pm

Re: subjectAltName for IPSEC cert auth

Sat Jan 26, 2019 5:05 pm

Got it all to work, posted a fairly detailed write-up here...

viewtopic.php?f=2&t=31563&p=711471#p711471

Hope it may be useful to somebody.

There are a lot of fairly casual tutorials on Mikrotik / IPSec out there on the Internet, and they all or almost all use PSK... I wanted something better...
