[strongSwan] Android VPN Client - Constraint check failed: identity required

Mark M mark076h at yahoo.com
Mon Sep 24 22:28:48 CEST 2012


So if I put rightid="CN=whatever" of the gateway certificate, it would work instead of having the subjectAltNames. I just realized I had been doing this already for my road warrior clients but got confused since I cannot set rightid on the Android client. I would prefer not to add the subjectAltName to my gateway certificate since it does not have a static IP and may change. Is there anything I can do on the Android client to help with this?

Thanks for the help.

From: Tobias Brunner <tobias at strongswan.org>
To: Mark M <mark076h at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Monday, September 24, 2012 4:52 AM
Subject: Re: [strongSwan] Android VPN Client - Constraint check failed: identity required

Hi Mark,

> Is this set for the android client only because I have never set the
> subjectAltname field for any of my certificates before, I only have
> this problem with the android client.

No, that's also the case for other configs.  But with ipsec.conf the
value for rightid can explicitly be configured, and if not, it defaults
to the DN of the certificate, if rightcert is configured, or to the
value configured with right (i.e. to %any if right is not configured).
rightid=%any is very risky for initiators as it allows any peer with a
valid certificate to act as gateway, therefore, the Android app uses the
configured hostname as expected rightid.  If the other peer uses a
different identity (e.g. the DN of the certificate, which is the default
if leftcert is configured but leftid is not) the app also tries to
verify this identity against all subjectAltNames contained in the
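Modelling the identity rules Tobias describes above (an added illustration, not strongSwan's code): the default chain for rightid in ipsec.conf, the %any case, and the Android app's hostname-or-subjectAltName check. PeerCert, the helper names and the hostname gw.example.net are constructed for the example.

```python
"""Model of the rightid / identity constraint described in the thread.
Hypothetical helper code, not strongSwan's own implementation."""
from dataclasses import dataclass, field

ANY = "%any"


@dataclass
class PeerCert:
    """Minimal stand-in for a gateway certificate (constructed values)."""
    subject_dn: str
    san: list = field(default_factory=list)  # subjectAltName entries


def expected_rightid(rightid=None, rightcert=None, right=None):
    """ipsec.conf default chain: explicit rightid, else DN of rightcert,
    else the value of right, else %any."""
    if rightid:
        return rightid
    if rightcert is not None:
        return rightcert.subject_dn
    return right or ANY


def constraint_ok_ipsec_conf(expected, peer_identity):
    """%any accepts any peer that presents a valid certificate (risky for
    an initiator, as the reply notes); otherwise identities must match."""
    return expected == ANY or expected == peer_identity


def constraint_ok_android(hostname, peer_identity, cert):
    """The Android app uses the configured hostname as rightid; if the peer
    asserts a different identity (e.g. its DN) the hostname is also checked
    against the certificate's subjectAltNames."""
    return peer_identity == hostname or hostname in cert.san


if __name__ == "__main__":
    # Constructed scenario: gateway has leftcert but no leftid, so it
    # asserts its DN; the Android client only knows the hostname.
    gw_no_san = PeerCert("CN=whatever")
    gw_with_san = PeerCert("CN=whatever", ["gw.example.net"])
    # Road warrior with rightid="CN=whatever" in ipsec.conf: passes.
    print(constraint_ok_ipsec_conf(expected_rightid(rightid="CN=whatever"),
                                   "CN=whatever"))  # True
    # Android client, gateway certificate without SAN: constraint fails.
    print(constraint_ok_android("gw.example.net", "CN=whatever", gw_no_san))  # False
    # Same client once the hostname appears as a subjectAltName: passes.
    print(constraint_ok_android("gw.example.net", "CN=whatever", gw_with_san))  # True
```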
