[strongSwan] Android VPN Client - Constraint check failed: identity required

Mark M mark076h at yahoo.com
Tue Sep 25 09:59:18 CEST 2012


I will look into a Dynamic DNS service and use the hostname as the subjectAltNames. This should work ok.

From: Tobias Brunner <tobias at strongswan.org>
To: Mark M <mark076h at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Monday, September 24, 2012 4:52 AM
Subject: Re: [strongSwan] Android VPN Client - Constraint check failed: identity required
Hi Mark,

> Is this set for the Android client only? Because I have never set the
> subjectAltName field for any of my certificates before, I only have
> this problem with the Android client.

No, that's also the case for other configs.  But with ipsec.conf the
value for rightid can explicitly be configured, and if not, it defaults
to the DN of the certificate, if rightcert is configured, or to the
value configured with right (i.e. to %any if right is not configured).
rightid=%any is very risky for initiators as it allows any peer with a
valid certificate to act as gateway, therefore, the Android app uses the
configured hostname as expected rightid.  If the other peer uses a
different identity (e.g. the DN of the certificate, which is the default
if leftcert is configured but leftid is not) the app also tries to
verify this identity against all subjectAltNames contained in the
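The defaulting and matching rules described in the reply, as an added example in Python (not strongSwan's code): a toy model of the identity constraint that runs on constructed certificate data. `PeerCert`, `default_rightid` and `identity_matches` are hypothetical names; a real implementation would parse the X.509 certificate, this one takes the DN and subjectAltNames as plain strings.

```python
from typing import List, Optional, Tuple


class PeerCert:
    """Constructed stand-in for a parsed X.509 certificate: subject DN and subjectAltNames."""

    def __init__(self, subject_dn: str, sans: Optional[List[str]] = None) -> None:
        self.subject_dn = subject_dn
        self.sans = sans or []


def normalize(identity: str) -> str:
    # In ipsec.conf "@host" is an FQDN identity that is not resolved; drop the
    # prefix so "@vpn.example.com" and "vpn.example.com" compare equal.
    return identity[1:] if identity.startswith("@") else identity


def default_rightid(rightid: Optional[str], rightcert_dn: Optional[str],
                    right: Optional[str]) -> str:
    """Defaults from the reply: explicit rightid wins, then the DN of rightcert,
    then the value of right, which itself defaults to %any."""
    if rightid:
        return rightid
    if rightcert_dn:
        return rightcert_dn
    return right or "%any"


def identity_matches(expected: str, claimed: str, cert: PeerCert) -> Tuple[bool, str]:
    """Decide whether the peer's claimed identity satisfies the expected rightid.

    Returns (accepted, reason). The subjectAltName fallback is the behaviour the
    reply attributes to the Android app when the gateway sends its DN as identity.
    """
    if expected == "%any":
        # Any peer presenting a valid certificate is accepted: risky for an initiator.
        return True, "rightid=%any: any valid certificate acts as gateway"
    exp = normalize(expected)
    if exp == normalize(claimed):
        return True, "claimed identity equals expected identity"
    # Gateway claimed something else (e.g. its DN): look for the expected
    # hostname among the certificate's subjectAltNames (hostnames are case-insensitive).
    if exp.lower() in (san.lower() for san in cert.sans):
        return True, "expected identity found in subjectAltNames"
    return False, "Constraint check failed: identity required"


if __name__ == "__main__":
    # Constructed gateway certificate without a SAN, as in the original report.
    gw = PeerCert("C=US, O=Example, CN=vpn.example.com")
    print(identity_matches("vpn.example.com", gw.subject_dn, gw))
    gw_san = PeerCert(gw.subject_dn, ["vpn.example.com"])
    print(identity_matches("vpn.example.com", gw_san.subject_dn, gw_san))
```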
