Hello Martin,

Android sends the certificate payload together with the identity payload
in the same IKE packet.

No, strongSwan requires the peer identity to be verified by a corresponding
entry in the certificate. Certainly the Android VPN client can be configured
to use the Subject Distinguished Name contained in the certificate as its
identity.

Regards

Andreas

On 12/19/2010 11:48 AM, Develop wrote:
> Hello Andreas,
>
> thanks a lot for your answer.
>
> I wonder a little bit because the correct cert was seen in the log just
> before the error. Is it correct that the Android sends first the
> certificate it has and then the ID with the IPv4 address? Because the
> IPv4 is dynamic (different WLANs) I think I can't use your suggested
> workaround :-(
>
> Is it perhaps possible to accept any peer who presents a valid (not
> revoked) certificate independent of the presented ID? If so, I could
> control the access to the VPN by revoking the certificate.
>
> Regards
>
> Martin
>
> On 18.12.2010 23:52, Andreas Steffen wrote:
>> Hello Martin,
>>
>> the problem is that the Android client sends as its ID the IPv4 address
>> 192.168.101.21 which is not contained as a subjectAltName in the client
>> certificate:
>>
>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>>
>> As a workaround generate the Android certificate with
>>
>> subjectAltName=IP:192.168.101.21
>>
>> set in openssl.cnf or alternatively try to convince the Android phone
>> to send its Distinguished Name as an ID.
>>
>> Regards
>>
>> Andreas
>>
>> On 12/18/2010 10:18 PM, Develop wrote:
>>> Hello,
>>>
>>> I have a serious problem using x509 certs with strongswan and my android
>>> (2.1) mobile.
>>>
>>> After some hours of work, PSK works fine but x509 certs don't. Logging
>>> pluto I got the well known error
>>>
>>> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for
>>> '192.168.101.21'
>>>
>>> but the configuration (rightid) seems to be correct. Even if I
>>> don't use "rightid=" but "rightcert=publiccert.pem" using the
>>> publiccert.pem copied to the mobile I get this error.
>>>
>>> Here is my configuration:
>>>
>>> config setup
>>>     nat_traversal=yes
>>>     charonstart=yes
>>>     plutostart=yes
>>>     plutodebug=all
>>>     plutostderrlog=/tmp/pluto.log
>>>
>>> conn L2TP
>>>     authby=rsasig
>>>     pfs=no
>>>     rekey=no
>>>     type=tunnel
>>>     esp=aes128-sha1
>>>     ike=aes128-sha-modp1024
>>>     leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=vpnrelay2, [email protected]"
>>>     leftrsasigkey=%cert
>>>     left=IP-ADDRESS-OF-THE-VPN-SERVER
>>>     leftnexthop=%defaultroute
>>>     leftprotoport=17/1701
>>>     right=%any
>>>     rightprotoport=17/%any
>>>     rightsubnetwithin=0.0.0.0/0
>>>     rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, [email protected]"
>>>     rightrsasigkey=%cert
>>>     auto=add
>>>     keylife=60s
>>>
>>> and here the snip of the pluto-log:
>>>
>>> ....
>>> | 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10
>>> | a5 71 cb 29 58 61 4b 44 ce 22 5f 33 45 82 04 2a
>>> | certificate signature is valid
>>> | authcert list unlocked by 'verify_x509cert'
>>> | reached self-signed root ca
>>> | Public key validated
>>> | keyid: *AwEAAceE8
>>> | Modulus:
>>> 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
>>> | PublicExponent: 0x10001
>>> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH,
>>> OU=ipsec, CN=handymalu, [email protected] cnt 1--
>>> | hashing 216 bytes of SA
>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>>> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification
>>> INVALID_KEY_INFORMATION to 84.61.190.246:500
>>>
>>> Also if I use
>>>
>>> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
>>>
>>> I get the error.
>>>
>>> Any help would be wonderful.
>>>
>>> Thanks
>>>
>>> Martin

======================================================================
Andreas Steffen                                   [email protected]
strongSwan - the Linux VPN Solution!            www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
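The rule Andreas states above (the ID the peer sends must be the certificate's subject DN or one of its subjectAltNames, otherwise pluto reports "no RSA public key known for ...") can be checked before a cert is pushed to a phone. The following is an added example, not code from the thread or from strongSwan: it parses the Subject and Subject Alternative Name lines of `openssl x509 -noout -text` output, decides whether a given IKE ID would be covered, and prints the `subjectAltName=` line for openssl.cnf that Andreas suggested as the workaround. The certificate text, the e-mail address and the `handy@example.invalid` value are constructed for the example; the matching rules are a simplified reading of the thread, not strongSwan's actual implementation.

```python
"""Check whether an IKE peer identity is covered by a client certificate."""
import ipaddress
import re

# Constructed sample (not from the thread): the lines of interest from
# `openssl x509 -noout -text` for a client certificate whose only SAN is an
# e-mail address, i.e. the situation Martin ran into with the Android client.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: C = DE, ST = NRW, L = Bochum, O = IMA GmbH, OU = ipsec, CN = handymalu, emailAddress = handy@example.invalid
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:handy@example.invalid
"""

# strongSwan writes the e-mail attribute as "E", OpenSSL as "emailAddress".
_ATTR_ALIASES = {"E": "emailAddress", "EMAIL": "emailAddress",
                 "EMAILADDRESS": "emailAddress"}


def parse_dn(dn):
    """Turn 'C=DE, ST=NRW, E=x' into [(type, value), ...] with normalised types."""
    pairs = []
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip()
        pairs.append((_ATTR_ALIASES.get(key.upper(), key), value.strip()))
    return pairs


def parse_subject(cert_text):
    """Subject DN of the certificate as parsed by parse_dn (empty if absent)."""
    m = re.search(r"^\s*Subject:\s*(.+)$", cert_text, re.MULTILINE)
    return parse_dn(m.group(1)) if m else []


def parse_sans(cert_text):
    """Return [(kind, value)] from the SAN extension, e.g. ('IP', '192.168.101.21')."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)$", cert_text, re.MULTILINE)
    if not m:
        return []
    sans = []
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        sans.append(("IP" if kind == "IP Address" else kind, value))
    return sans


def classify_id(peer_id):
    """Guess the ID type from its textual form: IP, DN, email or DNS."""
    try:
        ipaddress.ip_address(peer_id)
        return "IP"
    except ValueError:
        pass
    if "=" in peer_id:
        return "DN"
    if "@" in peer_id:
        return "email"
    return "DNS"


def id_covered(peer_id, cert_text):
    """Return (True, reason) if the certificate vouches for peer_id, else (False, reason).

    Simplified rule from the thread: a DN identity must equal the subject,
    any other identity must appear as a subjectAltName of the same kind."""
    kind = classify_id(peer_id)
    if kind == "DN":
        if parse_dn(peer_id) == parse_subject(cert_text):
            return True, "ID matches the certificate subject DN"
        return False, "ID is a DN but differs from the certificate subject"
    sans = parse_sans(cert_text)
    if kind == "IP":
        wanted = ipaddress.ip_address(peer_id)
        for k, v in sans:
            if k == "IP" and ipaddress.ip_address(v) == wanted:
                return True, "ID found as IP subjectAltName"
    elif (kind, peer_id) in sans:
        return True, f"ID found as {kind} subjectAltName"
    return False, f"no {kind} subjectAltName matches '{peer_id}'"


def openssl_san_line(peer_id):
    """The openssl.cnf line that would make a new certificate cover peer_id."""
    kind = classify_id(peer_id)
    if kind == "DN":
        raise ValueError("a DN identity is covered by the subject, not by a SAN")
    return f"subjectAltName={kind}:{peer_id}"


if __name__ == "__main__":
    # The ID the Android client sent in the thread, against the constructed cert.
    for ident in ("192.168.101.21", "handy@example.invalid"):
        ok, why = id_covered(ident, SAMPLE_CERT_TEXT)
        print(f"{ident!r}: {'OK' if ok else 'REJECTED'} ({why})")
        if not ok:
            print("  fix in openssl.cnf:", openssl_san_line(ident))
```

Run against the real certificate with `openssl x509 -in client.pem -noout -text` piped into the script's input instead of the constructed sample; the `subjectAltName=IP:...` line it prints is only useful while the phone's address is fixed, which is exactly the limitation Martin raises for roaming clients.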
