On 4 Jan 2012 17:44, "Mick" <michaelkintz...@gmail.com> wrote:
>
> On Wednesday 04 Jan 2012 13:40:12 you wrote:
> > On Wed, Jan 4, 2012 at 1:57 PM, Mick <michaelkintz...@gmail.com> wrote:
> > > On Wednesday 04 Jan 2012 12:33:06 you wrote:
> > >> Hi,
> > >>
> > >> I have some firewalls that put a subjectAltName X509v3 attribute
> > >> into the CSR, but when I sign them with my openssl CA, it just throws
> > >> that attribute away. VPN clients later require the subjectAltName to
> > >> match the host they connect to, hence it must be present.
> > >
> > > Theoretically at least the VPN client would search the Subject: string
> > > for a Distinguished Name.
> > > If it can't find it there it will look at the subjAltName which, as you
> > > say, is not always available in a certificate.
> >
> > Yeah, in theory, but in practice the Android/VPN/Racoon client in this
> > case requires subjAltName to work...
>
> Hmm ... interesting. Do you know what the client or router expects to find in
> there? I mean, what type of subjAltName string will it work happily with?
>
> IP:XXX.XXX.X.XX, DNS:example.com, email:acco...@example.com
>
> or even /C=US/L=some_state/O=my_company/CN=VPN_user
>
> I have been having similar problems here with a router which will not return a
> DN (or subjAltName) from its certificate to any VPN clients trying to connect
> to it.
> --
> Regards,
> Mick
The Android 2.3 native VPN client uses subjAltName to verify the authenticity of the VPN server/gateway. I've gotten it to work using DNS:vpngw.example.com; it could possibly also work with IP:a.b.c.d. This must correspond to what is specified for "VPN server hostname" in the client.

The VPN server (Juniper/ScreenOS in my case) in turn uses the CN (and possibly other attributes) of the certificate for user authentication, and the VPN tunnel is tied to a particular CA certificate. Other configs are probably possible too.

Greg
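The "SAN thrown away" behaviour in the original question is the `openssl ca` default (`copy_extensions = none`); the script below is an added demonstration, not code from anyone in this thread, that signs a SAN-carrying CSR with a throwaway CA under both settings and reports whether the issued certificate actually contains `DNS:vpngw.example.com`. It assumes the `openssl` CLI is installed; the CA name, hostname and file layout are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread): sign a CSR that carries a subjectAltName
# with a throwaway "openssl ca" and report whether the SAN survived. Mode "none"
# is the openssl ca default (SAN dropped, as the poster saw); mode "copy" sets
# copy_extensions = copy. Names (Demo CA, vpngw.example.com) are constructed.
san_after_signing() {
  mode="$1"
  d=$(mktemp -d) || return 2
  mkdir "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 365
policy = any_policy
copy_extensions = $mode
x509_extensions = leaf_ext
[ any_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = vpngw.example.com
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ csr_ext ]
subjectAltName = DNS:vpngw.example.com
EOF
  # Throwaway CA, then a CSR carrying the SAN like the firewalls in the thread.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -config "$d/ca.cnf" -subj "/CN=Demo CA" -days 1 >/dev/null 2>&1 || return 2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -config "$d/ca.cnf" -reqexts csr_ext >/dev/null 2>&1 || return 2
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/leaf.csr" -out "$d/leaf.pem" >/dev/null 2>&1 || return 2
  # Check the issued certificate itself, not the CSR.
  if openssl x509 -in "$d/leaf.pem" -noout -text | grep -q 'DNS:vpngw.example.com'
  then echo present; else echo absent; fi
  rm -rf "$d"
}
```

`copy` carries over every extension the requester placed in the CSR, so it is only appropriate where the CA controls or vets the CSRs it signs. Keep `basicConstraints` in the CA's own `x509_extensions` section, which takes precedence over a same-named extension in the CSR.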