Hello Martin, the problem is that the Android client sends as its ID the IPv4 address 192.168.101.21 which is not contained as a subjectAltName in the client certificate:
> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'

As a workaround generate the Android certificate with subjectAltName=IP:192.168.101.21 set in openssl.cnf, or alternatively try to convince the Android phone to send its Distinguished Name as its ID.

Regards

Andreas

On 12/18/2010 10:18 PM, Develop wrote:
> Hello,
>
> I have a serious problem using x509 certs with strongswan and my android
> (2.1) mobile.
>
> After some hours of work, PSK works fine but x509 certs don't. Logging
> pluto I got the well-known error
>
> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for '192.168.101.21'
>
> but the configuration (rightid) seems to be correct. Even if I
> don't use "rightid=" but "rightcert=publiccert.pem" using the
> publiccert.pem copied to the mobile I get this error.
>
> Here is my configuration:
>
> config setup
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>     plutodebug=all
>     plutostderrlog=/tmp/pluto.log
>
> conn L2TP
>     authby=rsasig
>     pfs=no
>     rekey=no
>     type=tunnel
>     esp=aes128-sha1
>     ike=aes128-sha-modp1024
>     leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=vpnrelay2, [email protected]"
>     leftrsasigkey=%cert
>     left=IP-ADDRESS-OF-THE-VPN-SERVER
>     leftnexthop=%defaultroute
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/%any
>     rightsubnetwithin=0.0.0.0/0
>     rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, [email protected]"
>     rightrsasigkey=%cert
>     auto=add
>     keylife=60s
>
> and here the snip of the pluto-log:
>
> ....
> | 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10
> | a5 71 cb 29 58 61 4b 44 ce 22 5f 33 45 82 04 2a
> | certificate signature is valid
> | authcert list unlocked by 'verify_x509cert'
> | reached self-signed root ca
> | Public key validated
> | keyid: *AwEAAceE8
> | Modulus: 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
> | PublicExponent: 0x10001
> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, [email protected] cnt 1--
> | hashing 216 bytes of SA
> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification INVALID_KEY_INFORMATION to 84.61.190.246:500
>
>
> Also if I use
>
> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
>
> I get the error.
>
>
> Any help would be wonderful.
>
> Thanks
>
> Martin

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
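The first workaround Andreas describes (a client certificate whose subjectAltName carries the IPv4 address the phone sends as its IKE ID, so pluto's lookup for '192.168.101.21' finds a key) as an added shell example; it is not code from the thread or from the strongSwan project. It writes an openssl.cnf with the IP SAN in a v3 extension section, creates a throwaway CA, signs a client certificate request with that extension section, and checks the issued certificate for the SAN. The CA, file names, key sizes and validity periods are assumptions; the client DN fields are the ones from Martin's rightid, minus the redacted e-mail address. The point a practitioner tends to miss is also shown: the SAN must be applied when the CA signs (`-extfile`/`-extensions`), since `openssl x509 -req` does not copy extensions from the CSR.

```shell
#!/bin/sh
# Added example, not from the original thread: issue a client certificate
# carrying subjectAltName=IP:<addr> so strongSwan/pluto can look up the
# peer's public key by the IP address the Android client sends as its ID.
# The self-signed test CA and all file names below are assumptions.
set -e

# Write an openssl.cnf with a CA section and a client section whose
# subjectAltName is the IPv4 address the client presents as its IKE ID.
write_san_cnf() {
    cnf="$1"   # path of the config file to write
    ip="$2"    # IPv4 address the client sends as its ID
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C = DE
ST = NRW
L = Bochum
O = IMA GmbH
OU = ipsec
CN = handymalu

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = IP:${ip}
EOF
}

# Create a throwaway self-signed CA (in a real deployment use the CA that
# the gateway already trusts, i.e. the one under /etc/ipsec.d/cacerts).
gen_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Assumed Test CA" -extensions v3_ca \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Create the client key and CSR, then have the CA sign it WITH the
# v3_client section: this is where the IP SAN actually enters the cert.
gen_client_cert() {
    dir="$1"; ip="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/handymalu.key" -out "$dir/handymalu.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/handymalu.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_client \
        -out "$dir/handymalu.pem" >/dev/null 2>&1
}

# Return 0 if the certificate's subjectAltName lists the given IP, else 1.
cert_has_ip_san() {
    cert="$1"; ip="$2"
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q "IP Address:${ip}"
}

main() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    write_san_cnf "$dir/openssl.cnf" "$ip"
    gen_ca "$dir"
    gen_client_cert "$dir" "$ip"
    if cert_has_ip_san "$dir/handymalu.pem" "$ip"; then
        echo "ok: $dir/handymalu.pem carries IP:$ip in subjectAltName"
    else
        echo "error: no IP:$ip subjectAltName in $dir/handymalu.pem" >&2
        exit 1
    fi
}

# Usage: sh san-client-cert.sh <output-dir> <client-ip>
if [ $# -eq 2 ]; then main "$@"; fi
```

Run it as `sh san-client-cert.sh /tmp/vpncerts 192.168.101.21` and confirm with `openssl x509 -in /tmp/vpncerts/handymalu.pem -noout -text` that the output shows `IP Address:192.168.101.21` under "X509v3 Subject Alternative Name". Only then copy the CA certificate to the gateway's /etc/ipsec.d/cacerts and hand the client key and certificate to the phone; if the SAN is missing, the "no RSA public key known for '192.168.101.21'" lookup failure from the log will persist regardless of what rightid says.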
