<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div>Tobias,<br><br>So if I put rightid="CN=whatever" of the gateway
certificate it would work instead of having the subjectAltNames. I just
realized I had been doing this already for my road warrior clients but
got confused since I cannot set rightid on the android client. I would
prefer not to add the subjectAltName to my gateway certificate since it
does not have a static IP and may change. Is there anything I can do on
the android client to help with this?<br><br>Thanks for the help.</div><div><br></div> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Tobias Brunner &lt;tobias@strongswan.org&gt;<br> <b><span style="font-weight: bold;">To:</span></b> Mark M &lt;mark076h@yahoo.com&gt; <br><b><span style="font-weight: bold;">Cc:</span></b> users@lists.strongswan.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, September 24, 2012 4:52 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] Android VPN Client - Constraint check failed: identity required<br> </font> </div> <br>
Hi Mark,<br><br>> Is this set for the android client only because I have never set the<br>> subjectAltname field for any of my certificates before, I only have<br>> this problem with the android client.<br><br>No, that's also the case for other configs. But with ipsec.conf the<br>value for rightid can explicitly be configured, and if not, it defaults<br>to the DN of the certificate, if rightcert is configured, or to the<br>value configured with right (i.e. to %any if right is not configured).<br>rightid=%any is very risky for initiators as it allows any peer with a<br>valid certificate to act as gateway, therefore, the Android app uses the<br>configured hostname as expected rightid. If the other peer uses a<br>different identity (e.g. the DN of the certificate, which is the default<br>if leftcert is configured but leftid is not) the app also tries to<br>verify this identity against all subjectAltNames contained in
the<br>certificate.<br><br>Regards,<br>Tobias<br><br><br> </div> </div> </div></body></html>