Tobias,

I will look into a Dynamic DNS service and use the hostname as the 
subjectAltNames. This should work ok.
________________________________
 From: Tobias Brunner <[email protected]>
To: Mark M <[email protected]> 
Cc: [email protected] 
Sent: Monday, September 24, 2012 4:52 AM
Subject: Re: [strongSwan] Android VPN Client - Constraint check failed: 
identity required
 
Hi Mark,

> Is this set for the android client only because I have never set the
> subjectAltname field for any of my certificates before, I only have
> this problem with the android client.

No, that's also the case for other configs.  But with ipsec.conf the
value for rightid can explicitly be configured, and if not, it defaults
to the DN of the certificate, if rightcert is configured, or to the
value configured with right (i.e. to %any if right is not configured).
rightid=%any is very risky for initiators as it allows any peer with a
valid certificate to act as gateway.  Therefore, the Android app uses the
configured hostname as expected rightid.  If the other peer uses a
different identity (e.g. the DN of the certificate, which is the default
if leftcert is configured but leftid is not), the app also tries to
verify this identity against all subjectAltNames contained in the
certificate.

Regards,
Tobias
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
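Added example (not from either post) showing how the rightid defaults Tobias describes look in ipsec.conf on both sides of the connection, with the risky initiator setting next to the corrected one; vpn.example.org and gatewayCert.pem are placeholder names.

```ini
# --- Initiator (client) side ---

# Weak: rightid=%any makes the client accept ANY peer that presents a
# certificate issued by a trusted CA as its gateway.
conn gateway-weak
    right=vpn.example.org
    rightid=%any
    auto=add

# Corrected: pin the expected gateway identity to the hostname, which is
# what the Android app does implicitly.  The match succeeds if the gateway
# sends this identity, or if vpn.example.org appears among the
# subjectAltNames of the gateway certificate.
conn gateway
    right=vpn.example.org
    rightid=@vpn.example.org
    auto=add

# --- Gateway (responder) side ---

# Without leftid the gateway sends the DN of gatewayCert.pem as its
# identity; the Android client then falls back to checking the configured
# hostname against the certificate's subjectAltNames, so the certificate
# must carry vpn.example.org as a SAN.  Setting leftid to the hostname
# makes the sent identity match directly (the SAN is still required so
# the identity is covered by the certificate).
conn android
    left=%any
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    right=%any
    auto=add
```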
