[strongSwan] strongswan android app fails to connect when cert SAN contains DNS
andreas.steffen at strongswan.org
Wed Aug 7 21:06:56 CEST 2013
As far as I know, strongSwan does not support wildcards in certificates,
which is bad practice anyway. Thus xyz.mycompany.com does not match the
wildcard subjectAltName *.mycompany.com.
On 07.08.2013 20:39, SM K wrote:
> I am trying to establish an IPSEC tunnel from the android strongswan app
> to a gateway using a name as in "xyz.mycompany.com". The authentication
> is using certificates. The gateway certificate has a Subject Alt Name as
> "DNS:*.mycompany.com, DNS:mycompany.com".
> This causes the android app to fail connection as the constraint check
> against gateway fails. This of course works fine when the cert contains
> the full domain name or the ip address.
> We have other setups where this kind of thing works. I wanted to check
> if this kind of thing is supported or not.
> The logs from the strongswan app say the following.
> cfg : constarint check failed: identity xyz.mycompany.com required
> selected peer config android inacceptable: constaint check failed
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
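
Added example, not part of the original thread and not strongSwan code: a Python sketch that puts the literal identity comparison described in the reply next to an RFC 6125-style wildcard matcher and runs both on the SAN string from the question. The function names are hypothetical, and the literal-match model is an assumption based on the reply above.

```python
# Added illustration; not strongSwan source code. Function names are hypothetical.
# Assumption (from the reply above): the required identity must equal a
# subjectAltName entry literally; a "*" label in the certificate is not expanded.

def parse_san(san_text):
    """Parse an OpenSSL-style SAN string such as 'DNS:a.example, DNS:b.example'."""
    entries = []
    for item in san_text.split(","):
        kind, sep, value = item.strip().partition(":")
        if sep:
            entries.append((kind.strip(), value.strip().rstrip(".").lower()))
    return entries

def literal_match(identity, entries):
    """Identity check as described in the reply: plain string equality."""
    wanted = identity.rstrip(".").lower()
    return any(kind == "DNS" and value == wanted for kind, value in entries)

def wildcard_match(identity, entries):
    """RFC 6125-style check: '*' as the whole left-most label covers one label."""
    if literal_match(identity, entries):
        return True
    labels = identity.rstrip(".").lower().split(".")
    for kind, value in entries:
        pattern = value.split(".")
        # Require the same label count and at least two fixed labels after "*".
        if (kind == "DNS" and pattern[0] == "*" and len(pattern) >= 3
                and len(pattern) == len(labels) and pattern[1:] == labels[1:]):
            return True
    return False

def compare(identity, san_text):
    """Return (literal_result, wildcard_result) for one identity and SAN string."""
    entries = parse_san(san_text)
    return literal_match(identity, entries), wildcard_match(identity, entries)

if __name__ == "__main__":
    # SAN string from the question; the last case is a constructed corrected value.
    cases = [
        ("xyz.mycompany.com", "DNS:*.mycompany.com, DNS:mycompany.com"),
        ("mycompany.com", "DNS:*.mycompany.com, DNS:mycompany.com"),
        ("xyz.mycompany.com", "DNS:xyz.mycompany.com, DNS:mycompany.com"),
    ]
    for identity, san in cases:
        literal, wildcard = compare(identity, san)
        print(f"{identity!r} vs {san!r}: literal={literal} wildcard={wildcard}")
```

The first case is the one from the question: a wildcard-aware matcher accepts the name while the literal comparison rejects it. The third case passes both checks because the certificate carries the full domain name.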