[strongSwan] strongswan android app fails to connect when cert SAN contains DNS

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 7 21:06:56 CEST 2013


Hi,

as far as I know, strongSwan does not support wildcards in certificates,
which is bad practice anyway. Thus xyz.mycompany.com does not match the
wildcard subjectAltName *.mycompany.com.

Regards

Andreas

On 07.08.2013 20:39, SM K wrote:
> Hi,
>
> I am trying to establish an IPSEC tunnel from the android strongswan app
> to a gateway using a name as in "xyz.mycompany.com". The authentication
> is using certificates. The gateway certificate has a Subject Alt Name as
> "DNS:*.mycompany.com, DNS:mycompany.com".
>
> This causes the android app to fail connection as the constraint check
> against gateway fails.  This of course works fine when the cert contains
> the full domain name or the ip address.
>
> We have other setups where this kind of thing works. I wanted to check
> if this kind of thing is supported or not.
>
> The logs from the strongswan app say the following.
> cfg : constarint check failed: identity xyz.mycompany.com required
> selected peer config android inacceptable: constaint check failed
>
> regards,
> -smk

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
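
Added example, not part of the original messages and not strongSwan code: a pre-deployment check that classifies whether a gateway hostname appears literally in a certificate's subjectAltName list or is covered only by a wildcard entry. It assumes the client compares the identity literally, as the reply above describes; the function names are hypothetical and the SAN string is constructed from the values quoted in the thread.

```python
# Added example: helper names are hypothetical; GATEWAY_SAN is sample data
# constructed from the values quoted in the thread.

def parse_san(san_text):
    """Parse an OpenSSL-style SAN string into (type, value) pairs."""
    entries = []
    for item in san_text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip().upper(), value.strip().lower().rstrip(".")))
    return entries

def exact_match(identity, entries):
    """Literal comparison: the identity must equal a dNSName entry."""
    ident = identity.lower().rstrip(".")
    return any(kind == "DNS" and value == ident for kind, value in entries)

def wildcard_match(identity, entries):
    """RFC 6125 style: '*' is the whole left-most label and covers one label."""
    ident = identity.lower().rstrip(".")
    _, _, parent = ident.partition(".")
    return any(
        kind == "DNS" and value.startswith("*.") and parent and value[2:] == parent
        for kind, value in entries
    )

def classify(identity, san_text):
    """Return 'exact', 'wildcard-only' or 'no-match' for the identity."""
    entries = parse_san(san_text)
    if exact_match(identity, entries):
        return "exact"
    if wildcard_match(identity, entries):
        # A client that compares identities literally rejects this case.
        return "wildcard-only"
    return "no-match"

GATEWAY_SAN = "DNS:*.mycompany.com, DNS:mycompany.com"  # constructed sample

if __name__ == "__main__":
    for name in ("xyz.mycompany.com", "mycompany.com", "a.b.mycompany.com"):
        print(name, "->", classify(name, GATEWAY_SAN))
```

A "wildcard-only" result corresponds to the failing setup in the thread; reissuing the gateway certificate with the full host name as a SAN entry moves it to "exact", the case the original poster reports as working.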
