StrongSwan and Android configs
by Emre Tugriceri on Apr.27, 2013, under Linux, Security, StrongSwan
root@six #cat ipsec.conf
conn tugriceri.com
leftsubnet=0.0.0.0/0
left=209.208.63.204
leftcert=/cert/strongswan.pem
leftauth=pubkey
leftsendcert=yes
leftid=six.tugriceri.com
right=%any
rightid=%any
rightsourceip=10.0.5.0/24
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add
root@six #cat ipsec.secrets
# strongSwan IPsec secrets file
: RSA /cert/strongswan.key
six.tugriceri.com : RSA /cert/strongswan.key
testuser : EAP "secretpass"
root@six #cat openssl-req.cfg
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ v3_req ]
# Extensions to add to a certificate request
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = "DNS:six.tugriceri.com,DNS:www.tugriceri.com,IP:209.208.63.204,DNS:tugriceri.com"
#subjectAltName = @alt_names
[alt_names]
DNS.1 = six.tugriceri.com
DNS.2 = www.tugriceri.com
[ req_distinguished_name ]
CN = six.tugriceri.com
GN = six.tugriceri.com
OU = Tugriceri.com
O = Tugriceri.com
L = Istanbul
ST = Istanbul
C = TR
emailAddress = root@tugriceri.com
subjectAltName = six.tugriceri.com
subjectAltName is an important part of the configuration. Your certificate must have it (the client verifies the server identity against it).
root@six #cat certyarat.sh
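#!/usr/bin/env bash
# certyarat.sh - regenerate the strongSwan server certificate.
# Builds a CSR from strongswan.key with openssl-req.cfg (which carries the
# subjectAltName extension) and signs it with the CA described in ca.conf.
# Run from the directory holding strongswan.key, openssl-req.cfg and ca.conf.
# Outputs: strongswan.req (CSR) and strongswan.pem (signed certificate).
# Returns: non-zero as soon as either openssl step fails.
set -euo pipefail

# Remove stale artifacts first so a failed run cannot leave an old
# certificate lying around next to a fresh request.
rm -f -- strongswan.req strongswan.pem

# Build the request; the SAN entries come from [v3_req] in openssl-req.cfg.
# strongswan.key is the private key; keep it readable by root only.
openssl req -new -out strongswan.req -key strongswan.key -config openssl-req.cfg

# Sign the request. Because of `set -e` this is skipped when the req step
# failed (the original script ran it regardless, on a missing CSR).
# copy_extensions = copy in ca.conf is what carries the SAN into the cert.
openssl ca -batch -notext -in strongswan.req -out strongswan.pem -config ca.conf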
root@six #cat showcert
# showcert - print the signed certificate in human-readable form (no PEM body),
# handy for checking that the Subject Alternative Name survived signing.
openssl x509 -noout -text -in strongswan.pem
Command Output :
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:six.tugriceri.com, DNS:www.tugriceri.com, IP Address:209.208.63.204, DNS:tugriceri.com
root@six #cat ca.conf
[ ca ]
default_ca = tugricerica
[ tugricerica ]
copy_extensions = copy
#Removed lines
`copy_extensions = copy` must be set in your ca.conf; without it the subjectAltName from the request is not carried over into the signed certificate.