Hello Andreas, thanks a lot for your answer.
I wonder a little bit because the correct cert was seen in the log just before the error. Is it correct that the Android sends first the certificate it has and then the ID with the IPv4 address? Because the IPv4 is dynamic (different WLANs) I think I can't use your suggested workaround :-( Is it perhaps possible to accept any peer who presents a valid (not revoked) certificate independent of the presented ID? If so, I could control the access to the VPN by revoking the certificate.

Regards
Martin

On 18.12.2010 23:52, Andreas Steffen wrote:
> Hello Martin,
>
> the problem is that the Android client sends as its ID the IPv4 address
> 192.168.101.21 which is not contained as a subjectAltName in the client
> certificate:
>
>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>
> As a workaround generate the Android certificate with
>
> subjectAltName=IP:192.168.101.21
>
> set in openssl.cnf or alternatively try to convince the Android phone
> to send its Distinguished Name as an ID.
>
> Regards
>
> Andreas
>
> On 12/18/2010 10:18 PM, Develop wrote:
>
>> Hello,
>>
>> I have a serious problem using x509 certs with strongswan and my android
>> (2.1) mobile.
>>
>> After some hours of work, PSK works fine but x509 certs don't. Logging
>> pluto I got the well known error
>>
>> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for '192.168.101.21'
>>
>> but the configuration (rightid) seems to be correct. Even if I
>> don't use "rightid=" but "rightcert=publiccert.pem" using the
>> publiccert.pem copied to the mobile I get this error.
>>
>> Here is my configuration:
>>
>> config setup
>>     nat_traversal=yes
>>     charonstart=yes
>>     plutostart=yes
>>     plutodebug=all
>>     plutostderrlog=/tmp/pluto.log
>>
>> conn L2TP
>>     authby=rsasig
>>     pfs=no
>>     rekey=no
>>     type=tunnel
>>     esp=aes128-sha1
>>     ike=aes128-sha-modp1024
>>     leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=vpnrelay2, [email protected]"
>>     leftrsasigkey=%cert
>>     left=IP-ADDRESS-OF-THE-VPN-SERVER
>>     leftnexthop=%defaultroute
>>     leftprotoport=17/1701
>>     right=%any
>>     rightprotoport=17/%any
>>     rightsubnetwithin=0.0.0.0/0
>>     rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, [email protected]"
>>     rightrsasigkey=%cert
>>     auto=add
>>     keylife=60s
>>
>> and here the snip of the pluto-log:
>>
>> ....
>> | 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10
>> | a5 71 cb 29 58 61 4b 44 ce 22 5f 33 45 82 04 2a
>> | certificate signature is valid
>> | authcert list unlocked by 'verify_x509cert'
>> | reached self-signed root ca
>> | Public key validated
>> | keyid: *AwEAAceE8
>> | Modulus:
>> 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
>> | PublicExponent: 0x10001
>> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, [email protected] cnt 1--
>> | hashing 216 bytes of SA
>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification INVALID_KEY_INFORMATION to 84.61.190.246:500
>>
>> Also if I use
>>
>> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
>>
>> I get the error.
>>
>> Any help would be wonderful.
>>
>> Thanks
>>
>> Martin
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
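The workaround Andreas describes (putting the IP address the phone sends as its IKE ID into the certificate as a subjectAltName) is easy to get subtly wrong, and pluto's "no RSA public key known for '192.168.101.21'" is exactly what you see when the SAN is missing. The script below is an added example, not code from the thread or from the strongSwan project: it writes a minimal openssl.cnf with the thread's DN and a `subjectAltName=IP:...` extension section, issues a self-signed test certificate from it, and then checks the SAN list of the resulting certificate for the expected address before it is copied anywhere. It assumes only the `openssl` command-line tool; the working directory, file names and the address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a client certificate whose
# subjectAltName carries the IPv4 address the phone presents as its IKE ID
# (the workaround suggested above), and verify that the certificate really
# contains that SAN before it is loaded into strongSwan.
# Assumptions: the openssl CLI is installed; working directory, file names
# and the sample address are constructed for this demonstration.
set -e

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"

# make_client_cert NAME IP
# Writes a minimal openssl.cnf with the DN used in the thread and an
# extension section that sets subjectAltName=IP:<IP>, then issues a
# self-signed test certificate from it. Prints the certificate path.
make_client_cert() {
    name="$1"; ip="$2"
    cat > "$WORK/$name.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = client_ext

[ dn ]
C = DE
ST = NRW
L = Bochum
O = IMA GmbH
OU = ipsec
CN = $name

[ client_ext ]
subjectAltName = IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
    echo "$WORK/$name.pem"
}

# san_list CERT: print each subjectAltName entry of CERT on its own line
# (the entry line follows the "Subject Alternative Name" header in -text output).
san_list() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# san_has_ip CERT IP: succeed only if IP is present as an "IP Address" SAN,
# i.e. the ID pluto would look up can actually be matched to this certificate.
san_has_ip() {
    san_list "$1" | grep -qx "IP Address:$2"
}

# Demonstration: the ID from the log must appear in the SAN list.
CERT=$(make_client_cert handymalu 192.168.101.21)
if san_has_ip "$CERT" 192.168.101.21; then
    echo "$CERT carries IP:192.168.101.21 as subjectAltName"
fi
```

Running `san_has_ip` against the certificate you actually copied to the phone is the quick way to tell whether the "no RSA public key known" line is a missing-SAN problem or something else; note that with a dynamic address the SAN would have to be reissued whenever the address changes, which is why sending the Distinguished Name as the ID is the more robust of the two options Andreas lists.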
