Hi again everyone!
Is there any word on configuration for public key auth with the Android client? My question, exactly: are there any constraints on the certificate on the gateway side? Using just an ordinary cert (without special subjects and alternative subject names), I get the following problem at the end of the authorization process on the Android side:

    I/charon ( 2782): 05[IKE] authentication of 'CN=testrsa@gate' with RSA signature successful
    I/charon ( 2782): 05[CFG] constraint check failed: identity '192.168.100.1' required
    I/charon ( 2782): 05[CFG] selected peer config 'android' inacceptable: constraint checking failed

Judging by the code from android_service.c:

    /* remote auth config */
    auth = auth_cfg_create();
    auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
    gateway = identification_create_from_string(this->gateway);
    auth->add(auth, AUTH_RULE_IDENTITY, gateway);
    auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
    peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);

the gateway IP address (or probably FQDN?) is used to check the ID of the responder side. And there is no other way to set up the desired gateway ID value on the Android side. So is it required to put the IP address inside the gateway-side certificate, or is it possible to work around this constraint somehow?
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
