<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Hi Tobias,</span></div><div><span><br></span></div><div>If I used 4.6.1, is there any special configuration I need to enable to build the starter and stroke when I build the Android? </div><div>I assume I wouldn't need to apply any of the three frontend patches any more? </div><div><br></div><div>thanks!</div><div>Zhen</div><div><br></div><div><span><span class="Apple-style-span" style="color: rgb(69, 69, 69); font-family: Arial, Helvetica, sans-serif; font-size: 12px; ">"With 4.6.1 you now have also the option to build starter and stroke</span><br style="color: rgb(69, 69, 69); font-family: Arial, Helvetica, sans-serif; font-size: 12px; "><span class="Apple-style-span" style="color: rgb(69, 69, 69); font-family: Arial, Helvetica, sans-serif; font-size: 12px; ">which allows you to use an ipsec.conf based
configuration, instead of</span><br style="color: rgb(69, 69, 69); font-family: Arial, Helvetica, sans-serif; font-size: 12px; "><span class="Apple-style-span" style="color: rgb(69, 69, 69); font-family: Arial, Helvetica, sans-serif; font-size: 12px; ">using the frontend patch."</span><br style="color: rgb(69, 69, 69); font-family: Arial, Helvetica, sans-serif; font-size: 12px; "></span></div><div><br></div> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Tobias Brunner &lt;tobias@strongswan.org&gt;<br> <b><span style="font-weight: bold;">To:</span></b> zhen chen &lt;zchen2711@yahoo.com&gt; <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" &lt;users@lists.strongswan.org&gt; <br> <b><span
style="font-weight: bold;">Sent:</span></b> Tuesday, November 15, 2011 9:52 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] Android/Stongswan Integration<br> </font> <br>
Hello Zhen,<br><br>> I have been trying to bring Strongswan 4.5.3 to Android<br><br>If possible, you should update to 4.6.1 as there are several Android<br>related improvements included in that release.<br><br>> 1. When I ran charon in adb shell, it started, but said: "android plugin<br>> failed to load, can't open android control socket".<br><br>That's because the control socket is only available if charon gets<br>started by the patched Android VPN GUI. With 4.6.1 it's possible to use<br>the plugin even if charon is not started by the GUI.<br><br>> I did some search, the android plugin is something related to DNS.<br><br>That's correct, it installs DNS servers received from the gateway where<br>Android expects them to be (there is no resolv.conf on Android).<br><br>> Question: do I have to enable this plugin for VPN to work on the<br>> emulator?<br><br>Only if you need DNS servers installed, or logging via logcat.
These<br>are currently the only two functions provided by the plugin, which are<br>usable without GUI patch.<br><br>> If so, I did some ./configure --enable-android, it failed<br>> because it couldn't find a required lib. <br><br>Running ./configure won't work. To enable/disable plugins you have to<br>edit the plugin list in the top Android.mk within the strongSwan source<br>tree. But the plugin is enabled anyway, by default, it just can't be<br>loaded without the control socket provided by the frontend in 4.5.3.<br><br>> 2. In the frontend integration site, it says it needs CA assigned certs,<br>> quoted below.<br>> Question: Does the certificate have to be issued by CA? Would<br>> self-assigned certificate work? I am just playing with it and wouldn't<br>> want to spend $1500 to buy one from verisign. :( <br><br>Don't worry :) You can absolutely build your own CA
(e.g. with the<br>ipsec pki tool [1]). Just make sure you install the CA certificate in<br>the Android certificate store as described on the page you quoted. Then<br>use this CA to issue a certificate for the gateway you want to test against.<br><br>With 4.6.1 you now have also the option to build starter and stroke<br>which allows you to use an ipsec.conf based configuration, instead of<br>using the frontend patch.<br><br>Regards,<br>Tobias<br><br>[1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA<br><br><br> </div> </div> </div></body></html>