Hi Mark,

> Is this set for the android client only because I have never set the
> subjectAltname field for any of my certificates before, I only have
> this problem with the android client.

No, that's also the case for other configs. But with ipsec.conf the value for rightid can explicitly be configured, and if not, it defaults to the DN of the certificate, if rightcert is configured, or to the value configured with right (i.e. to %any if right is not configured).

rightid=%any is very risky for initiators as it allows any peer with a valid certificate to act as gateway, therefore, the Android app uses the configured hostname as expected rightid. If the other peer uses a different identity (e.g. the DN of the certificate, which is the default if leftcert is configured but leftid is not) the app also tries to verify this identity against all subjectAltNames contained in the certificate.

Regards,
Tobias
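
The rightid behaviour described in the reply above, shown as an added ipsec.conf example that is not part of the original message or of the strongSwan project's own files. The hostname vpn.example.org, the connection names and the certificate file names are constructed placeholders.

```conf
# --- Initiator (client) side -------------------------------------------
# Risky: with rightid=%any the client accepts any peer that presents a
# certificate chaining to a trusted CA, so any holder of such a
# certificate can act as the gateway.
conn gw-any
    keyexchange=ikev2
    right=vpn.example.org
    rightid=%any
    rightsubnet=0.0.0.0/0
    leftcert=clientCert.pem
    leftsourceip=%config
    auto=add

# Pinned: the peer must authenticate as vpn.example.org. This mirrors
# what the Android app does when it uses the configured hostname as the
# expected rightid.
conn gw-pinned
    keyexchange=ikev2
    right=vpn.example.org
    rightid=vpn.example.org
    rightsubnet=0.0.0.0/0
    leftcert=clientCert.pem
    leftsourceip=%config
    auto=add

# --- Gateway side --------------------------------------------------------
# With leftcert set and no leftid, the gateway identifies itself with the
# certificate's subject DN. To present the hostname instead, set leftid
# and issue gwCert.pem with a matching subjectAltName
# (DNS:vpn.example.org) so the certificate confirms that identity.
conn rw
    keyexchange=ikev2
    left=%any
    leftcert=gwCert.pem
    leftid=vpn.example.org
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24
    auto=add
```

A quick check that the gateway certificate carries the expected name is `openssl x509 -in gwCert.pem -noout -text`, looking for the hostname under "X509v3 Subject Alternative Name".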
