[strongSwan] Public key auth config with android client
Alexander Sbitnev
alexander.sbitnev at gmail.com
Thu Oct 23 12:47:10 CEST 2014
Hi again everyone!
Are there any words on configuration for public key auth with the Android
client?
My question exactly is: are there any constraints on the certificate on the
gateway side?
Using just an ordinary cert (without special subjects and alternative
subject names) I get the following problem at the end of the authorization
process on the Android side:
I/charon ( 2782): 05[IKE] authentication of 'CN=testrsa at gate' with RSA signature successful
I/charon ( 2782): 05[CFG] constraint check failed: identity '192.168.100.1' required
I/charon ( 2782): 05[CFG] selected peer config 'android' inacceptable: constraint checking failed
Judging by the code from android_service.c:
/* remote auth config */
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
gateway = identification_create_from_string(this->gateway);
auth->add(auth, AUTH_RULE_IDENTITY, gateway);
auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
the gateway IP address (or probably FQDN?) is used to check the ID for the
responder side. And there is no other way to set up the desired gateway ID
value on the Android side.
So is it required to put the IP address inside the gateway-side certificate,
or is it possible to get around this constraint somehow?
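
Added example, not part of the original post and not strongSwan code: a simplified C model of the identity constraint behind the "constraint check failed" log line above. It assumes that with AUTH_RULE_IDENTITY_LOOSE set, the required identity may be confirmed by the certificate's subject or a subjectAltName instead of the IDr; the struct, function and sample names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model (hypothetical types, not strongSwan's): what the peer
 * proved during IKE_AUTH and which names its certificate carries. */
struct peer_auth {
    const char *ike_id;        /* IDr the gateway authenticated as */
    const char *cert_subject;  /* certificate subject DN */
    const char *const *sans;   /* subjectAltName entries, NULL-terminated */
};

/* True if the certificate confirms `id` as subject DN or as a subjectAltName. */
static bool cert_has_subject(const struct peer_auth *p, const char *id)
{
    if (strcmp(p->cert_subject, id) == 0)
        return true;
    for (size_t i = 0; p->sans && p->sans[i]; i++)
        if (strcmp(p->sans[i], id) == 0)
            return true;
    return false;
}

/* Identity constraint: the IDr must equal the required identity. With the
 * loose flag (assumed semantics), a matching certificate name is accepted. */
bool identity_constraint_ok(const struct peer_auth *p, const char *required,
                            bool loose)
{
    if (strcmp(p->ike_id, required) == 0)
        return true;
    return loose && cert_has_subject(p, required);
}

/* Constructed samples: a certificate like the one in the log (no SANs),
 * and the same certificate with the gateway IP added as subjectAltName. */
static const char *const no_sans[] = { NULL };
static const char *const ip_san[] = { "192.168.100.1", NULL };
const struct peer_auth plain_cert = { "CN=testrsa at gate", "CN=testrsa at gate", no_sans };
const struct peer_auth san_cert = { "CN=testrsa at gate", "CN=testrsa at gate", ip_san };
```

In this model the certificate without alternative names fails the check for '192.168.100.1', while the one carrying the IP as subjectAltName passes when the loose flag is set.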