
DRNJ

Light at the end of the Technology Tunnel


Android Strongswan Configuration I

The Problem

I was trying to configure a Strongswan IPSec client on my Android phone to tunnel to Strongswan/Freeswan on a Linux server. It almost worked but I got an error:

No trusted public RSA key found for XXXX

Where XXXX was my X.509 certificate details.

Strange – as my client and server and CA certificates were all self generated and worked with Windows IPSec client talking to the same IPSec server.

The Solution

I searched and found this article

What it was suggesting was that the Android Strongswan client checks:

that the configured server address/hostname is contained
in the certificate as subjectAltName. 

If that's not the case you have to configure the server 
identity manually in the VPN profile, either to a 
subjectAltName that's actually contained in the certificate 
(if the server finds a config with that identity) 
or to the full subject DN of the server certificate

What does this mean in reality? (NB Thanks to the person who answered the question)

First, get the certificate details via

 openssl x509 -noout -in certificate.pem -subject

The result will be something of the form

subject=C = GB, ST = YY, L = XX, O = ABCD Certificates, OU = ABCD CA, CN = ZZZ, emailAddress = info@dumphuc.com

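Edit this: drop the leading “subject=” and remove the spaces around each “=” and after each comma (spaces inside a value stay), to give

C=GB,ST=YY,L=XX,O=ABCD Certificates,OU=ABCD CA,CN=ZZZ,emailAddress=info@dumphuc.com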

On the Android phone enter this into the “Server Identity” line of the VPN profile

 

Configure the other VPN settings in the Android client and, voila, the VPN will work
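
The lookup and edit described above, as an added shell example (not code from the original post): it checks whether the address the profile connects to is listed in the certificate's subjectAltName and, if it is not, prints the subject in the compact form for “Server Identity”. The function names and the sample subject and subjectAltName text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are the text printed by:
#   openssl x509 -noout -in certificate.pem -subject
#   openssl x509 -noout -in certificate.pem -ext subjectAltName   (OpenSSL 1.1.1+)

# "subject=C = GB, O = Example Org" -> "C=GB,O=Example Org".
# Only the separators lose their spaces; spaces inside a value stay, because
# the identity has to be the full subject DN of the certificate.
# Assumes no value itself contains a ", NAME = " sequence.
subject_to_identity() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^subject= *//' \
        -e 's/, ([A-Za-z0-9.]+) = /,\1=/g' \
        -e 's/^([A-Za-z0-9.]+) = /\1=/'
}

# Succeeds when the address configured in the VPN profile is listed as a
# DNS or IP entry in the subjectAltName text. Exact match only (no wildcards).
san_contains() {   # $1 = SAN text, $2 = server address
    printf '%s\n' "$1" | tr ',' '\n' | sed -E 's/^ +//; s/ +$//' |
        grep -qixF -e "DNS:$2" -e "IP Address:$2"
}

# Prints the value for "Server Identity", or nothing if none is needed.
server_identity() {   # $1 = subject line, $2 = SAN text, $3 = server address
    if san_contains "$2" "$3"; then
        return 0
    fi
    subject_to_identity "$1"
}

# Constructed sample input (not from a real certificate).
SUBJECT='subject=C = GB, O = Example Org, OU = VPN Gateways, CN = gw1'
SAN='X509v3 Subject Alternative Name:
    DNS:vpn.example.com, IP Address:192.0.2.10'

for addr in vpn.example.com 203.0.113.5; do
    id=$(server_identity "$SUBJECT" "$SAN" "$addr")
    echo "$addr -> Server Identity: ${id:-<leave empty>}"
done
```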
