Hey Paul and Bob,<div><br></div><div>I know that this conversation has been going on "on the list" (thanks), it's a benefit to us all.</div><div><br></div><div>I've been following it because I'm planning to do the same exact setup: android-w/-cert -> linux-openswan.</div>
<div><br></div><div>If you guys do have any "off list" conversation on this, do you mind keeping me in the loop? I'm especially curious to see the final setup that "works".</div><div><br></div><div>
I've seen a number of android ipsec-by-cert vpn "managers" (don't think they are actually the clients themselves) in the app store, I'm even running a trial now, and they don't mention anything about having to have IPs or FQDNs in the certs.<br clear="all">
<br><br><div class="gmail_quote">On Fri, Jul 29, 2011 at 9:24 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Thu, 28 Jul 2011, Bob Miller wrote:<br>
<br>
</div><div class="im">>> It should work with certs identifiers fine. However, some clients (notable OSX)<br>
>> requires that the openswan server cert has its IP or FQDN in the subjectAltname<br>
>> within the certificate.<br>
><br>
> The firewall cert does have an FQDN as a subject alternative name.<br>
> Here is a link to the article I referenced, the specific section is<br>
> under L2TP/IPSec CRT:<br>
> <a href="http://doandroids.com/Apps/OneVpn/how-to/servers/" target="_blank">http://doandroids.com/Apps/OneVpn/how-to/servers/</a><br>
> I just spent the last 10 minutes looking through the logs to find the<br>
> entry that supports this article's claim, but after all the trial and<br>
> error I did there is too much flotsam to sort through. The log entry on<br>
> the firewall had something to do with remote IP not matching the<br>
> certificate, at least by my interpretation. I also remember it was<br>
> immediately after ISAKMP SA established and the connection never reached<br>
> QUICK_R1.<br>
> Also, I tested on android 2.3 and 3.0.<br>
> If you feel I was overlooking something, I would be very interested to<br>
> hear your thoughts. I am certain I could get an android device back for<br>
> a day of testing...<br>
<br>
</div>I guess I'll have to setup a cert l2tp ipsec server for you to test against.<br>
Ping me sometime next week and I'll see if I can set one up.<br>
<br>
Just to be sure you aren't missing anything else, please go over:<br>
<br>
<a href="https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd" target="_blank">https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd</a><br>
<font color="#888888"><br>
Paul<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</div></div></blockquote></div><br></div>
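As an added example (not from anyone in this thread), the script below mints a server certificate whose subjectAltName carries both the FQDN and the IP, as the picky clients Paul mentions require, then checks a cert the way such a client would and shows a CN-only cert failing that check. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `x509 -ext`); vpn.example.com and 192.0.2.10 are constructed values.

```shell
#!/bin/sh
# Added example: build a server cert with DNS+IP in subjectAltName and
# check whether a given FQDN/IP appears there. Values are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"

# Self-signed server cert with SAN=DNS:<fqdn>,IP:<ip> (needs OpenSSL >= 1.1.1 for -addext).
make_server_cert() {
  fqdn="$1"; ip="$2"; out="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$out.key" -out "$out.crt" -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn,IP:$ip" >/dev/null 2>&1
}

# The common mistake: identity only in the CN, no SAN at all.
make_cn_only_cert() {
  fqdn="$1"; out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$out.key" -out "$out.crt" -subj "/CN=$fqdn" >/dev/null 2>&1
}

# Print the SAN entries of a PEM cert, comma-separated, spaces removed
# (e.g. "DNS:vpn.example.com,IPAddress:192.0.2.10"); empty if no SAN.
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tail -n +2 | tr -d ' '
}

# Exit 0 if the SAN lists "$2" as a dNSName or iPAddress, 1 otherwise.
# A client matching the peer by FQDN or IP effectively performs this test.
san_matches() {
  san=$(cert_san "$1")
  case ",$san," in
    *",DNS:$2,"*|*",IPAddress:$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demo: good cert passes both checks, CN-only cert fails.
make_server_cert vpn.example.com 192.0.2.10 "$WORK/good"
make_cn_only_cert vpn.example.com "$WORK/cnonly"
san_matches "$WORK/good.crt" vpn.example.com && echo "good: FQDN in SAN"
san_matches "$WORK/good.crt" 192.0.2.10 && echo "good: IP in SAN"
san_matches "$WORK/cnonly.crt" vpn.example.com || echo "cnonly: no SAN, client would reject"
```

Run `cert_san` against the openswan server's actual certificate to see exactly which identities a client can match against.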