[strongSwan] Android VPN Client - Constraint check failed: identity required

Tobias Brunner tobias at strongswan.org
Mon Sep 24 10:52:12 CEST 2012


Hi Mark,

> Is this set for the android client only because I have never set the
> subjectAltname field for any of my certificates before, I only have
> this problem with the android client.

No, that's also the case for other configs.  But with ipsec.conf the
value for rightid can explicitly be configured, and if not, it defaults
to the DN of the certificate, if rightcert is configured, or to the
value configured with right (i.e. to %any if right is not configured).
rightid=%any is very risky for initiators as it allows any peer with a
valid certificate to act as gateway, therefore, the Android app uses the
configured hostname as expected rightid.  If the other peer uses a
different identity (e.g. the DN of the certificate, which is the default
if leftcert is configured but leftid is not) the app also tries to
verify this identity against all subjectAltNames contained in the
certificate.

Regards,
Tobias
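The following ipsec.conf fragment is an added illustration of the point above, not part of Tobias' reply or the strongSwan project's own documentation. It shows a gateway configuration whose left identity matches what the Android client expects (the hostname it was configured with), next to the weaker pattern of leaving the identity implicit. The hostname vpn.example.org, the certificate file names and the subnet values are assumptions.

```conf
# /etc/ipsec.conf on the gateway (example only; all values are assumed)

config setup

conn android-ikev2
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=gatewayCert.pem
    # Explicit identity: the FQDN the Android client was configured with.
    # The '@' prefix marks it as an FQDN identity that is not DNS-resolved.
    # Without this line the identity defaults to the certificate's DN, and
    # the client then has to find the hostname among the certificate's
    # subjectAltNames to accept the gateway.
    leftid=@vpn.example.org
    leftauth=pubkey
    right=%any
    # Clients authenticate with EAP here; rightid stays %any on the
    # responder side, which is fine for a gateway.  The risky case is an
    # *initiator* with rightid=%any, because it would accept any peer that
    # presents a valid certificate as its gateway.
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=10.10.10.0/24
    auto=add
```

If the gateway certificate cannot be reissued with a subjectAltName for the hostname, setting leftid to that hostname as above is the simplest way to satisfy the client's identity constraint; the identity must still be contained in the certificate (as DN or subjectAltName) for strongSwan to use that certificate for it.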
