<div dir="ltr">Tobias,<div><br></div><div>The only way I can get it to work is by split-tunneling, which isn't an option for me. My only guess is the challenge provider can't update the IP of the client fast enough. The challenge always comes through as soon as the tunnel gets torn down. </div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jan 14, 2019 at 1:39 PM Chris Sherry <<a href="mailto:smilinjoe@gmail.com">smilinjoe@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Tobias,<div><br></div><div>So I have tried excluding Microsoft Authenticator from the VPN (with the advanced settings), but I get the same result. On a whim I tried allowing only Chrome to use the VPN. That allowed me to connect, but from Chrome I couldn't get to any internal websites. Plus that really wouldn't be a feasible solution as people are going to want to use many different (and unknown to me) apps on the VPN. Is there another Android subsystem that needs access as well besides the authenticator? The other piece that complicates this is the MFA challenge comes from Azure, so I don't have a simple network list to exclude from the tunnel.</div><div><br></div><div>I will keep looking.....</div><div><br></div><div>Chris. </div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jan 14, 2019 at 5:11 AM Tobias Brunner <<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Chris,<br>
<br>
> So it<br>
> almost seems like the strongSwan client is blocking traffic while the<br>
> VPN connection is being built (after phase 1).<br>
<br>
It does. If there is an app or IP address that should bypass the VPN,<br>
configure it in the advanced VPN profile settings.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div>
</blockquote></div>