Currently, the hostnames for IPsec certificates are saved as "Common Names" (CN). Some programs (such as iked on OpenBSD) require SubjectAltNames to be set, and it seems like this is best practice now: http://wiki.cacert.org/FAQ/subjectAltName So we can just set SubjectAltNames with a copy of the CN...
This is also recommended by Strongswan. From https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA : "If you want to add subjectAltName extensions to your certificates use the --san option (can be provided multiple times), for instance, --san vpn.strongswan.org or --san peer@strongswan.org. It is recommended to include the hostname of a gateway as subjectAltName in its certificate."
Yes, since the implementation is so old, this wasn't a thing. Peter, would you send a patch for this? I think you know what there is to do here.
Just bumped into this again. I will try to develop a fix for it... :-) Sorry for high response latency.
@All: Should a SubjectAlternativeName be mandatory for newly generated certificates?
https://patchwork.ipfire.org/patch/2682/
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=993724b4dd9837af033880d7816511818f030d59 https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8e9f096e702d4bb7cd7ca74e40686e6a23d77abc However, certificate generation from CSRs does not honour subjectAltName extensions, so there is *another* bug to solve until OpenIKED is finally working correctly...
https://blog.ipfire.org/post/ipfire-2-25-core-update-141-is-available-for-testing
https://blog.ipfire.org/post/ipfire-2-25-core-update-141-release
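The idea discussed in this thread, copying the CN into a subjectAltName and then checking that an issued certificate really carries one, as an added example that is not IPFire's code. The function names and the CN classification rules are assumptions made for this sketch, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not IPFire code); function names are hypothetical.

# Turn a certificate CN into an OpenSSL subjectAltName value.
# Assumed classification: "@" -> email, ":" or dotted quad -> IP, else DNS.
san_from_cn() {
    cn=$1
    case $cn in
        ""|*,*|*" "*) return 1 ;;   # empty, or could smuggle extra SAN entries
        *@*)          printf 'email:%s\n' "$cn" ;;
        *:*)          printf 'IP:%s\n' "$cn" ;;      # IPv6 literal
        *[!0-9.]*)    printf 'DNS:%s\n' "$cn" ;;     # any letter or hyphen: hostname
        *.*.*.*.*)    printf 'DNS:%s\n' "$cn" ;;     # too many fields for IPv4
        *.*.*.*)      printf 'IP:%s\n' "$cn" ;;      # dotted quad
        *)            printf 'DNS:%s\n' "$cn" ;;
    esac
}

# Issue a throwaway self-signed certificate whose SAN mirrors its CN.
# -addext needs OpenSSL 1.1.1 or later.
make_test_cert() {
    san=$(san_from_cn "$1") || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=$san" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Succeeds only if the certificate carries a subjectAltName extension,
# which peers such as OpenBSD's iked require.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}
```

Running `cert_has_san` against a certificate issued from a CSR is a quick way to spot the case mentioned above where the requested extension is dropped during signing.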