[Openswan Users] android l2tp crt connection

Richard Pickett richard.pickett at csrtechnologies.com
Fri Jul 29 11:29:45 EDT 2011


Hey Paul and Bob,

I know that this conversation has been going on "on the list" (thanks), it's
a benefit to us all.

I've been following it because I'm planning to do the same exact setup:
android-w/-cert -> linux-openswan.

If you guys do have any "off list" conversation on this, do you mind keeping
me in the loop? I'm especially curious to see the final setup that "works".

I've seen a number of android ipsec-by-cert vpn "managers" (don't think they
are actually the clients themselves) in the app store, I'm even running a
trial now, and they don't mention anything about having to have ips or fqdn
in the certs.


On Fri, Jul 29, 2011 at 9:24 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Thu, 28 Jul 2011, Bob Miller wrote:
>
> >> It should work with certs identifiers fine. However, some clients (notable OSX)
> >> requires that the openswan server cert has its IP or FQDN in the subjectAltname
> >> within the certificate.
> >
> > The firewall cert does have an FQDN as a subject alternative name.
> > Here is a link to the article I referenced, the specific section is
> > under L2TP/IPSec CRT:
> > http://doandroids.com/Apps/OneVpn/how-to/servers/
> > I just spent the last 10 minutes looking through the logs to find the
> > entry that supports this article's claim, but after all the trial and
> > error I did there is too much flotsam to sort through.  The log entry on
> > the firewall had something to do with remote IP not matching the
> > certificate, at least by my interpretation.  I also remember it was
> > immediately after ISAKMP SA established and the connection never reached
> > QUICK_R1.
> > Also, I tested on android 2.3 and 3.0.
> > If you feel I was overlooking something, I would be very interested to
> > hear your thoughts.  I am certain I could get an android device back for
> > a day of testing...
>
> I guess I'll have to setup a cert l2tp ipsec server for you to test
> against.
> Ping me sometime next week and I'll see if I can set one up.
>
> Just to be sure you aren't missing anything else, please go over:
>
>
> https://gsoc.xelerance.com/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>