[strongSwan] Public key auth config with android client

Alexander Sbitnev alexander.sbitnev at gmail.com
Thu Oct 23 12:47:10 CEST 2014

   Hi again everyone!
   Is there any words on configuration for public key auth with android 
My question exactly is there any constraints on certificate on the 
gateway side?
Using just an ordinary cert (without special subjects and alternative 
subject names) I get next problem in the end of authorization process on 
android side:
I/charon  ( 2782): 05[IKE] authentication of 'CN=testrsa at gate' with RSA 
signature successful
I/charon  ( 2782): 05[CFG] constraint check failed: identity 
'' required
I/charon  ( 2782): 05[CFG] selected peer config 'android' inacceptable: 
constraint checking failed

Judging by the code from android_service.c:

     /* remote auth config */
     auth = auth_cfg_create();
     gateway = identification_create_from_string(this->gateway);
     auth->add(auth, AUTH_RULE_IDENTITY, gateway);
     auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
     peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);

gateway IP address (or probably FDQN?) is used to check ID for responder 
side. And there is no other way to setup desired gateway's ID value on 
android side.
So is it required to put IP address inside gateway side certificate or 
is it possible to go around of this constraint somehow?

More information about the Users mailing list