[Openswan Users] android l2tp crt connection

Bob Miller bob at computerisms.ca
Thu Jul 28 14:42:50 EDT 2011

Hi Paul,
Thanks for the comment.

On Thu, 2011-07-28 at 14:05 -0400, Paul Wouters wrote:
> On Thu, 28 Jul 2011, Bob Miller wrote:
> > For the benefit of anyone else looking to accomplish this, here is what
> > I found:
> > As per an article I found, and my logs support it, a certificate will
> > only work if you put the IP address of the remote device into the remote
> > device's certificate.  Since the devices are mobile, this would require
> > a new cert be generated every time the device gets an address, or would
> > require the mobile device to somehow have a static IP.  Since that isn't
> > practical, the path of least resistance in my case is to add a conn for
> > using PSKs.
> It should work with certs identifiers fine. However, some clients (notable OSX)
> requires that the openswan server cert has its IP or FQDN in the subjectAltname
> within the certificate.

The firewall cert does have an FQDN as a subject alternative name.
Here is a link to the article I referenced, the specific section is
under L2TP/IPSec CRT:
I just spent the last 10 minutes looking through the logs to find the
entry that supports this article's claim, but after all the trial and
error I did there is too much flotsam to sort through.  The log entry on
the firewall had something to do with remote IP not matching the
certificate, at least by my interpretation.  I also remember it was
immediately after ISAKMP SA established and the connection never reached
Also, I tested on android 2.3 and 3.0. 
If you feel I was overlooking something, I would be very interested to
hear your thoughts.  I am certain I could get an android device back for
a day of testing...

> Paul

Bob Miller
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions

More information about the Users mailing list