Hi,

strongSwan does not try to match the received IKE identity with the certificate's Common Name (CN). The IPv4 address must be contained in a subjectAltName certificate extension which can be defined in openssl.cnf as

  subjectAltName=IP:192.168.24.17

Regards

Andreas

On 12/13/2012 03:08 AM, Gia T. Nguyen wrote:
> Hello,
>
> I am getting a constraint check failed error while using the StrongSwan
> Android VPN Client with valid certificates that have been working with
> StrongSwan on desktops:
>
> [CFG] constraint check failed: identity
> '192.168.24.2' required
>
> Can you help me with debugging this error? These are self-signed
> certificates that have been validated with OpenSSL.
>
> Thank you,
>
> I/charon ( 5507): 01[IKE] initiating IKE_SA android[4] to 192.168.24.2
> I/charon ( 5507): 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) ]
> I/charon ( 5507): 01[NET] sending packet: from 192.168.24.17[57072] to
> 192.168.24.2[500]
> I/charon ( 5507): 11[NET] received packet: from 192.168.24.2[500] to
> 192.168.24.17[57072]
> I/charon ( 5507): 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> I/charon ( 5507): 11[IKE] faking NAT situation to enforce UDP encapsulation
> I/charon ( 5507): 11[IKE] received cert request for "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome,
> CN=metronome-software.com, [email protected]
> <mailto:[email protected]>"
> I/charon ( 5507): 11[IKE] sending cert request for "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, CN=metronome-software.com"
> I/charon ( 5507): 11[IKE] sending cert request for "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome,
> CN=metronome-software.com, [email protected]
> <mailto:[email protected]>"
> I/charon ( 5507): 11[IKE] authentication of 'C=US, ST=VA, L=RESTON,
> O=Metronome Software LLC, OU=Metronome, CN=192.168.24.17,
> [email protected] <mailto:[email protected]>'
> (myself) with RSA signature successful
> I/charon ( 5507): 11[IKE] sending end entity cert "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome, CN=192.168.24.17,
> [email protected] <mailto:[email protected]>"
> I/charon ( 5507): 11[IKE] establishing CHILD_SA android
> I/keystore( 131): uid: 10049 action: n -> 1 state: 1 -> 1 retry: 4
> I/charon ( 5507): 11[ENC] generating IKE_AUTH request 1 [ IDi CERT
> N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> I/charon ( 5507): 11[NET] sending packet: from 192.168.24.17[60821] to
> 192.168.24.2[4500]
> I/charon ( 5507): 16[NET] received packet: from 192.168.24.2[4500] to
> 192.168.24.17[60821]
> I/charon ( 5507): 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
> CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> I/charon ( 5507): 16[IKE] received end entity cert "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
> [email protected] <mailto:[email protected]>"
> I/charon ( 5507): 16[CFG] using certificate "C=US, ST=VA, L=RESTON,
> O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
> [email protected] <mailto:[email protected]>"
> I/charon ( 5507): 16[CFG] using trusted ca certificate "C=US, ST=VA,
> L=RESTON, O=Metronome Software LLC, OU=Metronome,
> CN=metronome-software.com, [email protected]
> <mailto:[email protected]>"
> I/charon ( 5507): 16[CFG] reached self-signed root ca with a path
> length of 0
> I/charon ( 5507): 16[IKE] authentication of 'C=US, ST=VA, L=RESTON,
> O=Metronome Software LLC, OU=Metronome, CN=192.168.24.2,
> [email protected] <mailto:[email protected]>'
> with RSA signature successful
> I/charon ( 5507): 16[CFG] constraint check failed: identity
> '192.168.24.2' required

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
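The subjectAltName requirement from the reply above, as an added example that is not part of the original thread: two shell functions that issue a throwaway certificate with or without the extension and check whether a certificate lists a given IPv4 address as a subjectAltName. The function names, the file names and the "Example Org" subject are constructed for illustration, the `openssl` command-line tool is assumed to be installed, and the check only inspects the certificate; it is not strongSwan's own matching code.

```shell
# Added example: names, paths and the subject DN below are constructed.

# make_test_cert <dir> <cn> [san]
# Writes a throwaway self-signed certificate to <dir>/cert.pem.
# If a third argument is given (e.g. "IP:192.168.24.17"), it is placed in a
# subjectAltName extension via the generated openssl.cnf.
make_test_cert() {
    dir=$1 cn=$2 san=${3:-}
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
        if [ -n "$san" ]; then printf 'x509_extensions = v3_ext\n'; fi
        printf '[ dn ]\nO = Example Org\nCN = %s\n' "$cn"
        if [ -n "$san" ]; then
            printf '[ v3_ext ]\nsubjectAltName = %s\n' "$san"
        fi
    } > "$dir/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_has_ip_san <cert.pem> <ipv4>
# Succeeds only if the certificate's subjectAltName extension contains
# exactly this IP address. An address that appears only in the CN, as in
# the certificates from the log above, does not count.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "IP Address:$2"
}
```

Running `cert_has_ip_san` against the gateway certificate with the address the client connects to shows before deployment whether the "constraint check failed: identity ... required" error is to be expected.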
