[Openswan Users] android l2tp crt connection

Hydro Meteor hydrometeor at gmail.com
Wed Aug 3 01:57:29 EDT 2011


Richard,

Please do not request or encourage off list conversation. Others (including
myself) would like to test and then contribute to the shared community
knowledge about using Android VPN clients as Road Warriors and Openswan
gateways. I have a Nexus S running Gingerbread 2.3.4 and have been able to
successfully get it to connect to my Openswan 2.6.28 gateway (using PSK to
start with) with xl2tpd 1.2.8 (though in doing so this has disabled my Mac
OS X machine (running 10.6.7) as a Road Warrior to later connect after a
successful Android session has been established and disestablished, though
that's a separate issue it seems), and I want to move to use of
certificates. I want to make certs that can be used by *both* OS X and
Android Road Warriors.

Thanks,

-Hydro

On Fri, Jul 29, 2011 at 10:29 AM, Richard Pickett <
richard.pickett at csrtechnologies.com> wrote:

> Hey Paul and Bob,
>
> I know that this conversation has been going on "on the list" (thanks),
> it's a benefit to us all.
>
> I've been following it because I'm planning to do the same exact setup:
> android-w/-cert -> linux-openswan.
>
> If you guys do have any "off list" conversation on this, do you mind
> keeping me in the loop? I'm especially curious to see the final setup that
> "works".
>
> I've seen a number of android ipsec-by-cert vpn "managers" (don't think
> they are actually the clients themselves) in the app store, I'm even running
> a trial now, and they don't mention anything about having to have ips or
> fqdn in the certs.
>
>
>
> On Fri, Jul 29, 2011 at 9:24 AM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Thu, 28 Jul 2011, Bob Miller wrote:
>>
>> >> It should work with certs identifiers fine. However, some clients
>> >> (notably OSX) require that the openswan server cert has its IP or
>> >> FQDN in the subjectAltname within the certificate.
>> >
>> > The firewall cert does have an FQDN as a subject alternative name.
>> > Here is a link to the article I referenced, the specific section is
>> > under L2TP/IPSec CRT:
>> > http://doandroids.com/Apps/OneVpn/how-to/servers/
>> > I just spent the last 10 minutes looking through the logs to find the
>> > entry that supports this article's claim, but after all the trial and
>> > error I did there is too much flotsam to sort through.  The log entry on
>> > the firewall had something to do with remote IP not matching the
>> > certificate, at least by my interpretation.  I also remember it was
>> > immediately after ISAKMP SA established and the connection never reached
>> > QUICK_R1.
>> > Also, I tested on android 2.3 and 3.0.
>> > If you feel I was overlooking something, I would be very interested to
>> > hear your thoughts.  I am certain I could get an android device back for
>> > a day of testing...
>>
>> I guess I'll have to set up a cert l2tp ipsec server for you to test
>> against.
>> Ping me sometime next week and I'll see if I can set one up.
>>
>> Just to be sure you aren't missing anything else, please go over:
>>
>>
>> https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd
>>
>> Paul
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>