[strongSwan] strongswan android app fails to connect when cert SAN contains DNS
sacho.polo at gmail.com
Thu Aug 8 04:00:52 CEST 2013
Thanks for the reply. I had guessed that this was not supported. Thanks for
On Wed, Aug 7, 2013 at 12:06 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> as far as I know strongSwan does not support wildcards in certificates
> which is bad practice anyway. Thus xyz.mycompany.com does not match the
> wildcard subjectAltName *.mycompany.com.
> On 07.08.2013 20:39, SM K wrote:
>> I am trying to establish an IPSEC tunnel from the android strongswan app
>> to a gateway using a name as in "xyz.mycompany.com". The authentication is using
>> certificates. The gateway certificate has a Subject Alt Name as
>> "DNS:*.mycompany.com, DNS:mycompany.com".
>> This causes the android app to fail connection as the constraint check
>> against gateway fails. This of course works fine when the cert contains
>> the full domain name or the ip address.
>> We have other setups where this kind of thing works. I wanted to check
>> if this kind of thing is supported or not.
>> The logs from the strongswan app say the following.
>> cfg : constraint check failed: identity xyz.mycompany.com required
>> selected peer config android inacceptable: constraint check failed
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
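
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not strongSwan code: it compares a required gateway identity against an OpenSSL-style subjectAltName string using literal matching (the behaviour the reply describes) and, for contrast, a simplified left-most-label wildcard match. All function names are hypothetical, and the SAN string is the one quoted in the report.

```python
# Added example modelling the behaviour described in the thread.
# Not strongSwan code; all function names are hypothetical.

def parse_san(san_text):
    """Parse an OpenSSL-style SAN string into (type, value) pairs."""
    entries = []
    for item in san_text.split(","):
        kind, sep, value = item.strip().partition(":")
        if not sep:
            raise ValueError("malformed SAN entry: %r" % item)
        entries.append((kind.strip(), value.strip().lower().rstrip(".")))
    return entries

def exact_match(identity, entries):
    """Literal comparison only: '*' has no special meaning."""
    wanted = identity.lower().rstrip(".")
    return any(kind == "DNS" and value == wanted for kind, value in entries)

def wildcard_match(identity, entries):
    """Simplified wildcard rule: '*.' covers exactly one left-most label."""
    wanted = identity.lower().rstrip(".")
    labels = wanted.split(".")
    for kind, value in entries:
        if kind != "DNS":
            continue
        if value == wanted:
            return True
        # Require at least three labels so '*.com' never matches 'example.com'.
        if value.startswith("*.") and len(labels) > 2:
            if value[2:] == ".".join(labels[1:]):
                return True
    return False

def diagnose(identity, san_text):
    """Classify why an identity constraint would pass or fail."""
    entries = parse_san(san_text)
    if exact_match(identity, entries):
        return "ok"                 # passes a literal identity check
    if wildcard_match(identity, entries):
        return "wildcard-only"      # fails a literal check, passes a wildcard one
    return "no-match"

if __name__ == "__main__":
    san = "DNS:*.mycompany.com, DNS:mycompany.com"   # SAN quoted in the report
    for name in ("xyz.mycompany.com", "mycompany.com", "a.b.mycompany.com"):
        print(name, "->", diagnose(name, san))
```

A result of `wildcard-only` flags a certificate that will fail a literal identity constraint; as the report notes, the connection works when the certificate contains the full domain name.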