[strongSwan] Constraint checked failed error using Android VPN client

[Gia T. Nguyen]

Hello,

I am getting a constraint check failed error while using the StrongSwan
Android VPN Client with valid certificates that have been working with
StrongSwan on desktops:

[CFG] constraint check failed: identity
'192.168.24.2' required

Can you help me with debugging this error?  These are self-signed
certificates that have been validated with OpenSSL.

Thank you,

I/charon  ( 5507): 01[IKE] initiating IKE_SA android[4] to 192.168.24.2
I/charon  ( 5507): 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
I/charon  ( 5507): 01[NET] sending packet: from 192.168.24.17[57072] to
192.168.24.2[500]
I/charon  ( 5507): 11[NET] received packet: from 192.168.24.2[500] to
192.168.24.17[57072]
I/charon  ( 5507): 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
I/charon  ( 5507): 11[IKE] faking NAT situation to enforce UDP encapsulation
I/charon  ( 5507): 11[IKE] received cert request for "C=US, ST=VA,
L=RESTON, O=Metronome Software LLC, OU=Metronome,
CN=metronome-software.com, E=admin at metronome-software.com"
I/charon  ( 5507): 11[IKE] sending cert request for "C=US, ST=VA,
L=RESTON, O=Metronome Software LLC, CN=metronome-software.com"
I/charon  ( 5507): 11[IKE] sending cert request for "C=US, ST=VA,
L=RESTON, O=Metronome Software LLC, OU=Metronome,
CN=metronome-software.com, E=admin at metronome-software.com"
I/charon  ( 5507): 11[IKE] authentication of 'C=US, ST=VA, L=RESTON,
O=Metronome Software LLC, OU=Metronome, CN=192.168.24.17,
E=admin at metronome-software.com' (myself) with RSA signature successful
I/charon  ( 5507): 11[IKE] sending end entity cert "C=US, ST=VA,
L=RESTON, O=Metronome Software LLC, OU=Metronome, CN=192.168.24.17,
E=admin at metronome-software.com"
I/charon  ( 5507): 11[IKE] establishing CHILD_SA android
I/keystore(  131): uid: 10049 action: n -> 1 state: 1 -> 1 retry: 4
I/charon  ( 5507): 11[ENC] generating IKE_AUTH request 1 [ IDi CERT
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
I/charon  ( 5507): 11[NET] sending packet: from 192.168.24.17[60821] to
192.168.24.2[4500]
I/charon  ( 5507): 16[NET] received packet: from 192.168.24.2[4500] to
192.168.24.17[60821]
I/charon  ( 5507): 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
I/charon  ( 5507): 16[IKE] received end entity cert "C=US, ST=VA,
L=RESTON, O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
E=admin at metronome-software.com"
I/charon  ( 5507): 16[CFG]   using certificate "C=US, ST=VA, L=RESTON,
O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
E=admin at metronome-software.com"
I/charon  ( 5507): 16[CFG]   using trusted ca certificate "C=US, ST=VA,
L=RESTON, O=Metronome Software LLC, OU=Metronome,
CN=metronome-software.com, E=admin at metronome-software.com"
I/charon  ( 5507): 16[CFG]   reached self-signed root ca with a path
length of 0
I/charon  ( 5507): 16[IKE] authentication of 'C=US, ST=VA, L=RESTON,
O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
E=admin at metronome-software.com' with RSA signature successful
I/charon  ( 5507): 16[CFG] constraint check failed: identity
'192.168.24.2' required




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121212/5bf4f443/attachment.html>