Richard,<br><br>Please do not request or encourage off list conversation. Others (including myself) would like to test and then contribute to the shared community knowledge about using Android VPN clients as Road Warriors and Openswan gateways. I have a Nexus S running Gingerbread 2.3.4 and have been able to successfully get it to connect to my Openswan 2.6.28 gateway (using PSK to start with) with xl2tpd 1.2.8 (though in doing so this has disabled my Mac OS X machine (running 10.6.7) as a Road Warrior to later connect after a successful Android session has been established and disestablished (though that's a separate issue it seems)), and I want to move to use of certificates. I want to make certs that can be used by *both* OS X and Android Road Warriors. <br>
<br>Thanks,<br><br>-Hydro<br><br><div class="gmail_quote">On Fri, Jul 29, 2011 at 10:29 AM, Richard Pickett <span dir="ltr"><<a href="mailto:richard.pickett@csrtechnologies.com">richard.pickett@csrtechnologies.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hey Paul and Bob,<div><br></div><div>I know that this conversation has been going on "on the list" (thanks), it's a benefit to us all.</div>
<div><br></div><div>I've been following it because I'm planning to do the same exact setup: android-w/-cert -> linux-openswan.</div>
<div><br></div><div>If you guys do have any "off list" conversation on this, do you mind keeping me in the loop? I'm especially curious to see the final setup that "works".</div><div><br></div><div>
I've seen a number of android ipsec-by-cert vpn "managers" (don't think they are actually the clients themselves) in the app store, I'm even running a trial now, and they don't mention anything about having to have ips or fqdn in the certs.<div>
<div></div><div class="h5"><br clear="all">
<br><br><div class="gmail_quote">On Fri, Jul 29, 2011 at 9:24 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>On Thu, 28 Jul 2011, Bob Miller wrote:<br>
<br>
</div><div>>> It should work with cert identifiers fine. However, some clients (notably OSX)<br>
>> require that the openswan server cert has its IP or FQDN in the subjectAltname<br>
>> within the certificate.<br>
><br>
> The firewall cert does have an FQDN as a subject alternative name.<br>
> Here is a link to the article I referenced, the specific section is<br>
> under L2TP/IPSec CRT:<br>
> <a href="http://doandroids.com/Apps/OneVpn/how-to/servers/" target="_blank">http://doandroids.com/Apps/OneVpn/how-to/servers/</a><br>
> I just spent the last 10 minutes looking through the logs to find the<br>
> entry that supports this article's claim, but after all the trial and<br>
> error I did there is too much flotsam to sort through. The log entry on<br>
> the firewall had something to do with remote IP not matching the<br>
> certificate, at least by my interpretation. I also remember it was<br>
> immediately after ISAKMP SA established and the connection never reached<br>
> QUICK_R1.<br>
> Also, I tested on android 2.3 and 3.0.<br>
> If you feel I was overlooking something, I would be very interested to<br>
> hear your thoughts. I am certain I could get an android device back for<br>
> a day of testing...<br>
<br>
</div>I guess I'll have to set up a cert l2tp ipsec server for you to test against.<br>
Ping me sometime next week and I'll see if I can set one up.<br>
<br>
Just to be sure you aren't missing anything else, please go over:<br>
<br>
<a href="https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd" target="_blank">https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd</a><br>
<font color="#888888"><br>
Paul<br>
</font><div><div></div><div>_______________________________________________<br>
<a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</div></div></blockquote></div><br></div></div></div>
<br></blockquote></div><br>