[strongSwan] Constraint checked failed error using Android VPN client

Andreas Steffen andreas.steffen at strongswan.org
Thu Dec 13 06:21:32 CET 2012


Hi,

strongSwan does not try to match the received IKE identity with the
certificate's Common Name (CN). The IPv4 address must be contained
in a subjectAltName certificate extension which can be defined in
openssl.cnf as

  subjectAltName=IP:192.168.24.17

Regards

Andreas

On 12/13/2012 03:08 AM, Gia T. Nguyen wrote:
> Hello,
> 
> I am getting a constraint check failed error while using the StrongSwan
> Android VPN Client with valid certificates that have been working with
> StrongSwan on desktops:
> 
> [CFG] constraint check failed: identity
> '192.168.24.2' required
> 
> Can you help me with debugging this error?  These are self-signed
> certificates that have been validated with OpenSSL.
> 
> Thank you,
> 
> I/charon  ( 5507): 01[IKE] initiating IKE_SA android[4] to 192.168.24.2
> I/charon  ( 5507): 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) ]
> I/charon  ( 5507): 01[NET] sending packet: from 192.168.24.17[57072] to
> 192.168.24.2[500]
> I/charon  ( 5507): 11[NET] received packet: from 192.168.24.2[500] to
> 192.168.24.17[57072]
> I/charon  ( 5507): 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> I/charon  ( 5507): 11[IKE] faking NAT situation to enforce UDP encapsulation
> I/charon  ( 5507): 11[IKE] received cert request for "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome,
> CN=metronome-software.com, E=admin at metronome-software.com"
> I/charon  ( 5507): 11[IKE] sending cert request for "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, CN=metronome-software.com"
> I/charon  ( 5507): 11[IKE] sending cert request for "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome,
> CN=metronome-software.com, E=admin at metronome-software.com"
> I/charon  ( 5507): 11[IKE] authentication of 'C=US, ST=VA, L=RESTON,
> O=Metronome Software LLC, OU=Metronome, CN=192.168.24.17,
> E=admin at metronome-software.com' (myself) with RSA signature successful
> I/charon  ( 5507): 11[IKE] sending end entity cert "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome, CN=192.168.24.17,
> E=admin at metronome-software.com"
> I/charon  ( 5507): 11[IKE] establishing CHILD_SA android
> I/keystore(  131): uid: 10049 action: n -> 1 state: 1 -> 1 retry: 4
> I/charon  ( 5507): 11[ENC] generating IKE_AUTH request 1 [ IDi CERT
> N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> I/charon  ( 5507): 11[NET] sending packet: from 192.168.24.17[60821] to
> 192.168.24.2[4500]
> I/charon  ( 5507): 16[NET] received packet: from 192.168.24.2[4500] to
> 192.168.24.17[60821]
> I/charon  ( 5507): 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
> CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> I/charon  ( 5507): 16[IKE] received end entity cert "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
> E=admin at metronome-software.com"
> I/charon  ( 5507): 16[CFG]   using certificate "C=US, ST=VA, L=RESTON,
> O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
> E=admin at metronome-software.com"
> I/charon  ( 5507): 16[CFG]   using trusted ca certificate "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome,
> CN=metronome-software.com, E=admin at metronome-software.com"
> I/charon  ( 5507): 16[CFG]   reached self-signed root ca with a path
> length of 0
> I/charon  ( 5507): 16[IKE] authentication of 'C=US, ST=VA, L=RESTON,
> O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
> E=admin at metronome-software.com' with RSA signature successful
> I/charon  ( 5507): 16[CFG] constraint check failed: identity
> '192.168.24.2' required

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
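As an added illustration of the point made in the reply above (example script, not part of this thread or of strongSwan): it uses openssl to build two self-signed certificates for the same address, one with the IP only in the CN like the failing certificate in the log, and one with the subjectAltName=IP entry, then checks which of them actually carries the IP in its SAN. The scratch directory and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): two self-signed certs for the same
# IP, one with it only in the CN like the failing cert in the log, one with
# subjectAltName=IP:..., then a check of which one has the IP in its SAN.
set -eu
WORK=$(mktemp -d)            # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT
GW_IP=192.168.24.17          # identity taken from the thread

# openssl.cnf fragment: identity only in the CN, no SAN extension
cat > "$WORK/cn_only.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = $GW_IP
EOF

# openssl.cnf fragment with the subjectAltName line from the reply above
cat > "$WORK/san.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_san
[ dn ]
CN = $GW_IP
[ v3_san ]
subjectAltName = IP:$GW_IP
EOF

# mkcert <config> <out.pem>: self-signed certificate from the given config
mkcert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1" \
        -keyout "$WORK/key.pem" -out "$2" >/dev/null 2>&1
}

# san_has_ip <cert.pem> <ip>: 0 if the SAN lists that IP address, else 1
san_has_ip() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dots
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        grep -Eq "IP Address:$ip_re([,[:space:]]|$)"
}

mkcert "$WORK/cn_only.cnf" "$WORK/cn_only.pem"
mkcert "$WORK/san.cnf" "$WORK/san.pem"
for c in cn_only san; do
    san_has_ip "$WORK/$c.pem" "$GW_IP" && echo "$c.pem: SAN has $GW_IP" \
        || echo "$c.pem: no IP SAN, charon would report 'constraint check failed'"
done
```

The same san_has_ip check can be run against an existing gateway certificate before loading it on the Android client.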
