[strongSwan] Android (normal client) + L2TP/IPSEC and certificates

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 11 18:44:17 CET 2010


Hello,

it seems that the peer sends its IPv4 address as an identity,
which will not be accepted if it is not contained in the
peer certificate.

Regards

Andreas

On 11/11/2010 06:17 PM, Michael Holstein wrote:
> ipsec.conf
>
> (rw)
>      authby=rsasig
>      pfs=no
>      keyingtries=1
>      rekey=no
>      ikelifetime=8h
>      keylife=1h
>      left=my.ip.address
>      leftprotoport=17/1701
>      right=%any
>      rightid=@FQDN_BASE_OF_CERTS
>
> Certificates of the TinyCA generated CA, CRL, server key, server crt,
> client key and client crt are all in the appropriate places.
>
> With plutodebug=parsing enabled, I get the following upon connection
>
> /var/log/auth.log
> (bunch of stuff..)
>
> L2 - issuer:
> C=stuff, CN=FQDN_OF_CERTS, E=ROOT at FQDN_BASE_OF_CERTS'
>
> and ..
>
> C=stuff CN=MY_ID at FQDN_OF_SERVER, E=SubjectAltName
>
> So I *know* the client is sending it .. and the parser is finding it ..
> but for whatever reason, this appears next :
>
> Public key validated
> "rw"[1] IP_OF_CLIENT #2: no RSA public key known for 'IP_OF_CLIENT'
> "rw"[1] IP_OF_CLIENT #2: sending encrypted notification
> INVALID_KEY_INFORMATION to IP_OF_CLIENT:500
>
> Question is .. why is StrongSwan identifying the peer by ID_IPV4 when
> the certificate is being sent and parsed?
>
> Thanks,
>
> Michael Holstein
> Cleveland State University


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
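The check Andreas describes, modelled as a small added example (this is not code from the thread or from strongSwan; certificate contents, identities and the `PeerCertificate` / `identity_in_certificate` names are constructed for illustration): a peer's claimed IKE identity is accepted only if it is actually contained in the certificate the peer presented, as the subject DN or as a subjectAltName. The example goes beyond the IPv4 case in the thread and handles DN, FQDN, e-mail and IPv4 identity types, so it shows why an ID_IPV4_ADDR identity fails against a certificate that carries only a DN and an e-mail name while a DN or e-mail identity from the same certificate succeeds.

```python
"""
Added example: identity-to-certificate binding check, modelled on the
failure described in the thread. All certificate contents and peer
identities below are constructed sample values, not real ones.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class PeerCertificate:
    """Only the parts of a certificate relevant to identity matching."""
    subject_dn: str                      # e.g. "C=stuff, CN=MY_ID@FQDN_OF_SERVER"
    san_fqdn: list = field(default_factory=list)   # subjectAltName dNSName entries
    san_email: list = field(default_factory=list)  # subjectAltName rfc822Name entries
    san_ip: list = field(default_factory=list)     # subjectAltName iPAddress entries


def normalize_dn(dn: str) -> str:
    """Compare DNs RDN by RDN, ignoring whitespace around the separators."""
    return ",".join(part.strip() for part in dn.split(","))


def identity_in_certificate(id_type: str, id_value: str, cert: PeerCertificate) -> bool:
    """Return True only if the claimed identity is bound into the certificate.

    id_type uses the IKEv1 ID type names; an identity type the certificate
    has no matching field for is rejected rather than silently accepted.
    """
    if id_type == "ID_DER_ASN1_DN":
        return normalize_dn(id_value) == normalize_dn(cert.subject_dn)
    if id_type == "ID_FQDN":
        return id_value.lower() in (name.lower() for name in cert.san_fqdn)
    if id_type == "ID_USER_FQDN":
        return id_value.lower() in (mail.lower() for mail in cert.san_email)
    if id_type == "ID_IPV4_ADDR":
        try:
            claimed = ipaddress.IPv4Address(id_value)
        except ValueError:
            return False  # a malformed address can never match a SAN entry
        return any(claimed == ipaddress.ip_address(ip) for ip in cert.san_ip)
    return False


def authenticate_peer(id_type: str, id_value: str, cert: PeerCertificate) -> tuple:
    """Decide whether the certificate may be used as the public key for this identity.

    Mirrors the reply's point: the certificate parses fine, but without the
    claimed identity inside it there is no key that belongs to that identity.
    """
    if identity_in_certificate(id_type, id_value, cert):
        return True, "identity %s bound in peer certificate" % id_value
    return False, "no public key known for identity %s" % id_value


if __name__ == "__main__":
    # Constructed certificate resembling the one parsed in the thread: a DN
    # and an e-mail subjectAltName, but no IP address entry.
    client_cert = PeerCertificate(
        subject_dn="C=stuff, CN=MY_ID@FQDN_OF_SERVER",
        san_email=["MY_ID@FQDN_OF_SERVER"],
    )
    for id_type, id_value in [
        ("ID_IPV4_ADDR", "192.0.2.10"),                  # what the Android client sends
        ("ID_DER_ASN1_DN", "C=stuff,CN=MY_ID@FQDN_OF_SERVER"),
        ("ID_USER_FQDN", "my_id@fqdn_of_server"),
    ]:
        ok, reason = authenticate_peer(id_type, id_value, client_cert)
        print("%-15s %-35s -> %s (%s)" % (id_type, id_value, "accept" if ok else "reject", reason))
```

Running the script shows the IPv4 identity rejected for lack of a matching subjectAltName while the DN and e-mail identities from the same certificate are accepted; adding `san_ip=["192.0.2.10"]` to the constructed certificate makes the IPv4 identity pass as well.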