Issue #813

Android client and "constraint check failed: identity 'xxx' required "

Added by Max Kosmach over 6 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Category:
android
Affected version:
5.2.2
Resolution:
Fixed

Description

Hi!
I can connect to our VPN gw with the Linux strongSwan client successfully, but when I try to connect via the Android client, I see:

Jan 5 18:21:04 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.0.13, armv7l)
.....
Jan 5 18:21:06 05[IKE] authentication of 'C=RU, O=XXXXXXX, OU=Office, CN=vpngw_11_11' with RSA signature successful
Jan 5 18:21:06 05[CFG] constraint check failed: identity 'vpngw_11_11' required
Jan 5 18:21:06 05[CFG] selected peer config 'android' inacceptable: constraint checking failed
Jan 5 18:21:06 05[CFG] no alternative config found
Jan 5 18:21:06 05[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

The certificate of our VPN gw does not have SubjectAlternativeName fields, only the hostname in the CN.

Would you please add an option to the Android client to ignore the absence of a SAN in the GW certificate?

PS: vpngw_11_11 is added to the local hosts file, so I connect to the vpngw_11_11 host.

History

#1 Updated by Tobias Brunner over 6 years ago

  • Status changed from New to Feedback

The certificate of our VPN gw does not have SubjectAlternativeName fields, only the hostname in the CN.

Which will not work, as documented in several places (e.g. the list of limitations on AndroidVPNClient, or the Google Play product page).

Would you please add an option to the Android client to ignore the absence of a SAN in the GW certificate?

We use the configured host name as expected remote identity to prevent man-in-the-middle attacks by users/systems with a valid end-entity certificate issued by a trusted CA. Such a FQDN identity has to be contained as dNSName subjectAltName in the gateway certificate because strongSwan does not match it against just the CN of the subject DN of a certificate.

For your Linux client you probably configured the complete subject DN (C=RU, O=XXXXXXX, OU=Office, CN=vpngw_11_11) as rightid, or the certificate of the gateway as rightcert (in which case the remote identity defaults to the subject DN). This will obviously match the certificate.

In the future it might be an option to add a profile setting to the Android app to configure the expected remote identity, but configuring the full subject DN of a certificate is tedious for regular users (and often the DN is unknown beforehand). Therefore, the remote identity currently defaults to the configured host name. This simplifies configuration and if you issue the certificates yourself it does not really add any obstacles as adding a SAN is trivial.
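As an added example (my own, not code from the strongSwan project or from the reporter), the script below reproduces the certificate described in this issue (host name only in the CN), issues a corrected one that carries a dNSName subjectAltName, and applies the same rule the Android client applies to the configured server host name: only a dNSName SAN equal to that host name satisfies the identity constraint, the CN is ignored. It assumes the openssl command line tool; the host name vpngw_11_11 is the reporter's, the organisation name and the second test host are constructed.

```shell
#!/bin/sh
# Added example, not strongSwan project code. Reproduces the CN-only gateway
# certificate from this issue, issues a corrected one with a dNSName SAN, and
# checks certificates the way the Android client checks the server host name.
# Requires the openssl CLI. Organisation and example.org hosts are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_cert OUT HOST SAN: self-signed test certificate with CN=HOST.
# SAN is "none" (the certificate from the issue) or an OpenSSL SAN string
# such as "DNS:vpngw_11_11". A config file is used instead of "req -addext"
# so the command also works on older OpenSSL builds.
make_cert() {
    out=$1; host=$2; san=$3
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        [ "$san" = none ] || printf 'x509_extensions = ext\n'
        printf '[dn]\nC = RU\nO = ExampleOrg\nOU = Office\nCN = %s\n' "$host"
        [ "$san" = none ] || printf '[ext]\nsubjectAltName = %s\n' "$san"
    } > "$out.cnf"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$out.cnf" -keyout "$out.key" -out "$out" 2>/dev/null
}

# has_dns_san CERT HOST: succeed only if CERT carries a dNSName SAN equal to
# HOST. The CN of the subject DN is deliberately not consulted; that is the
# rule the Android client applies to the configured server host name.
has_dns_san() {
    cert=$1; host=$2
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots in the regex
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "(^|[ ,])DNS:${esc}"'(,|$)'
}

# identity_check CERT HOST: print a verdict in the wording of the client log.
identity_check() {
    if has_dns_san "$1" "$2"; then
        printf "identity '%s' matched by dNSName SAN\n" "$2"
    else
        printf "constraint check failed: identity '%s' required\n" "$2"
        return 1
    fi
}

# One certificate like the gateway's in this issue (CN only), one corrected.
make_cert "$WORKDIR/nosan.pem" vpngw_11_11 none
make_cert "$WORKDIR/san.pem"   vpngw_11_11 'DNS:vpngw_11_11'

identity_check "$WORKDIR/nosan.pem" vpngw_11_11 || true   # fails: CN is not enough
identity_check "$WORKDIR/san.pem"   vpngw_11_11           # passes
```

Run as a script, the first check prints the same constraint failure as the log in the description and the second one passes. When the gateway certificate is issued with strongSwan's own pki tool, the equivalent is the --san option of pki --issue.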

#2 Updated by Tobias Brunner over 6 years ago

  • Assignee set to Tobias Brunner

#3 Updated by Tobias Brunner almost 5 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Fixed

In the future it might be an option to add a profile setting to the Android app to configure the expected remote identity

The server identity may optionally be configured since version 1.6.0 of the app.
