Hello Andreas,

the Android (2.1) does not offer the possibility to change the identity it sends. Not very useful to use the IP-address as ID for a mobile device. I think I will have a look at the android sources and root the phone.

Regards
Martin

On 19.12.2010 12:33, Andreas Steffen wrote:
> Hello Martin,
>
> Android sends the certificate payload together with the identity
> payload in the same IKE packet.
>
> No, strongSwan requires the peer identity to be verified by a
> corresponding entry in the certificate. Certainly the Android
> VPN client can be configured to use the Subject Distinguished
> Name contained in the certificate as its identity.
>
> Regards
>
> Andreas
>
> On 12/19/2010 11:48 AM, Develop wrote:
>> Hello Andreas,
>>
>> thanks a lot for your answer.
>>
>> I wonder a little bit because the correct cert was seen in the log just
>> before the error. Is it correct that the Android sends first the
>> certificate it has and then the ID with the IPv4 address? Because the
>> IPv4 is dynamic (different WLANs) I think I can't use your suggested
>> workaround :-(
>>
>> Is it perhaps possible to accept any peer who presents a valid (not
>> revoked) certificate independent of the presented ID? If so, I could
>> control the access to the VPN by revoking the certificate.
>>
>> Regards
>>
>> Martin
>>
>> On 18.12.2010 23:52, Andreas Steffen wrote:
>>> Hello Martin,
>>>
>>> the problem is that the Android client sends as its ID the IPv4 address
>>> 192.168.101.21 which is not contained as a subjectAltName in the client
>>> certificate:
>>>
>>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>>>
>>> As a workaround generate the Android certificate with
>>>
>>> subjectAltName=IP:192.168.101.21
>>>
>>> set in openssl.cnf or alternatively try to convince the Android phone
>>> to send its Distinguished Name as an ID.
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 12/18/2010 10:18 PM, Develop wrote:
>>>> Hello,
>>>>
>>>> I have a serious problem using x509 certs with strongswan and my android
>>>> (2.1) mobile.
>>>>
>>>> After some hours of work, PSK works fine but x509 certs don't. Logging
>>>> pluto I got the well known error
>>>>
>>>> "L2TP"[1] xxx.xxx.xxx.xxx #1: no RSA public key known for
>>>> '192.168.101.21'
>>>>
>>>> but the ID in the configuration (rightid) seems to be correct. Even if I
>>>> don't use "rightid=" but "rightcert=publiccert.pem" using the
>>>> publiccert.pem copied to the mobile I get this error.
>>>>
>>>> Here is my configuration:
>>>>
>>>> config setup
>>>>     nat_traversal=yes
>>>>     charonstart=yes
>>>>     plutostart=yes
>>>>     plutodebug=all
>>>>     plutostderrlog=/tmp/pluto.log
>>>>
>>>> conn L2TP
>>>>     authby=rsasig
>>>>     pfs=no
>>>>     rekey=no
>>>>     type=tunnel
>>>>     esp=aes128-sha1
>>>>     ike=aes128-sha-modp1024
>>>>     leftid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=vpnrelay2, [email protected]"
>>>>     leftrsasigkey=%cert
>>>>     left=IP-ADDRESS-OF-THE-VPN-SERVER
>>>>     leftnexthop=%defaultroute
>>>>     leftprotoport=17/1701
>>>>     right=%any
>>>>     rightprotoport=17/%any
>>>>     rightsubnetwithin=0.0.0.0/0
>>>>     rightid="C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, [email protected]"
>>>>     rightrsasigkey=%cert
>>>>     auto=add
>>>>     keylife=60s
>>>>
>>>> and here the snip of the pluto-log:
>>>>
>>>> ....
>>>> | 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10
>>>> | a5 71 cb 29 58 61 4b 44 ce 22 5f 33 45 82 04 2a
>>>> | certificate signature is valid
>>>> | authcert list unlocked by 'verify_x509cert'
>>>> | reached self-signed root ca
>>>> | Public key validated
>>>> | keyid: *AwEAAceE8
>>>> | Modulus: 0xc784f34b1d8578b1152b92b4e7a55da38511d0dccdbb1445749a4b5638b6168f5bffafafa8510faed534d4d0a97d0c6b85750893343da5b9ac12a2da4395936dea885305bc6bc6500df081e8626443b1f28b21fc100c99b751be7bc5ce2b49f59b12ea0f4ce97e025d91d9bbfe03f535853af9ac27fa1efc4ba06328429b644d
>>>> | PublicExponent: 0x10001
>>>> | unreference key: 0x7f27ca4a1810 C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, [email protected] cnt 1--
>>>> | hashing 216 bytes of SA
>>>> "L2TP"[1] 84.61.190.246 #1: no RSA public key known for '192.168.101.21'
>>>> "L2TP"[1] 84.61.190.246 #1: sending encrypted notification INVALID_KEY_INFORMATION to 84.61.190.246:500
>>>>
>>>> Also if I use
>>>>
>>>> rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
>>>>
>>>> I get the error.
>>>>
>>>> Any help would be wonderful.
>>>>
>>>> Thanks
>>>>
>>>> Martin
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
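As an added example (not code from the thread, and not strongSwan's own implementation), a simplified Python model of the two checks the thread turns on: whether the peer's IKE identity is backed by the certificate it presented, and whether a wildcard rightid can ever match an IPv4 ID. PeerCert, the function names and the certificate data are constructed for illustration; pluto's real matching differs in detail.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class PeerCert:
    """Fields of an X.509 end-entity certificate relevant to IKE identity matching."""
    subject_dn: str                                 # as strongSwan prints it
    san_ips: list = field(default_factory=list)     # subjectAltName IP: entries
    san_dns: list = field(default_factory=list)     # subjectAltName DNS: entries
    san_emails: list = field(default_factory=list)  # subjectAltName email: entries

def normalise_dn(dn):
    """Split a DN string into its attribute=value parts, ignoring spacing after commas."""
    return tuple(part.strip() for part in dn.split(","))

def id_backed_by_cert(id_type, id_value, cert):
    """True only if the asserted IKE identity appears in the presented certificate.
    id_type mirrors the IKE ID payload types: 'ipv4', 'fqdn', 'rfc822' or 'dn'.
    A valid, unrevoked certificate alone is not enough: without this binding,
    any holder of a certificate from the CA could claim any identity."""
    if id_type == "ipv4":
        return any(ip_address(id_value) == ip_address(s) for s in cert.san_ips)
    if id_type == "fqdn":
        return id_value.lower() in (d.lower() for d in cert.san_dns)
    if id_type == "rfc822":
        return id_value.lower() in (e.lower() for e in cert.san_emails)
    if id_type == "dn":
        return normalise_dn(id_value) == normalise_dn(cert.subject_dn)
    raise ValueError(f"unsupported ID type {id_type!r}")

def rightid_matches(rightid, id_type, id_value):
    """Does a configured rightid accept this peer ID?  '*' wildcards apply per DN
    attribute, so a DN pattern never matches an IPv4 ID, whatever the wildcards."""
    if id_type != "dn":
        return rightid == id_value
    pattern, dn = normalise_dn(rightid), normalise_dn(id_value)
    if len(pattern) != len(dn):
        return False
    for p, a in zip(pattern, dn):
        pk, _, pv = p.partition("=")
        ak, _, av = a.partition("=")
        if pk != ak or (pv != "*" and pv != av):
            return False
    return True

# Constructed cert modelled on the thread's (DN only, no SAN); the e-mail is a placeholder.
HANDY_DN = "C=DE, ST=NRW, L=Bochum, O=IMA GmbH, OU=ipsec, CN=handymalu, E=user@example.invalid"
HANDY_CERT = PeerCert(subject_dn=HANDY_DN)
HANDY_CERT_SAN = PeerCert(subject_dn=HANDY_DN, san_ips=["192.168.101.21"])  # after the workaround
```

With HANDY_CERT the IPv4 ID 192.168.101.21 is rejected (the "no RSA public key known" case), with HANDY_CERT_SAN it is accepted, and the DN itself is accepted as an ID against either certificate.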
