Hello!

I've tried to set up an IPSEC client connection. However, I see that it doesn't work because the X509 certificate I've been given by my CA has no subjAltName extension. And I'm not sure whether I'll be able to get them to add one for me.

So, is there any reason why one can't bring ipsecctl/isakmpd to find the certificate to use by the certificate DN or e.g. its emailAddress part?

And btw... Why can you specify a USER_FQDN as srcid type in ipsec.conf(5), but not add something like that as a subjAltName attribute to an X509 certificate (I see that only IP or FQDN are available as extensions in the default /etc/ssl/x509v3.cnf and I see no mention of something that looks like USER_FQDN in the openssl(1) manpage either)?

Kind regards,
Hannah.

