[strongSwan] Android/Stongswan Integration

Tobias Brunner tobias at strongswan.org
Tue Nov 15 17:52:15 CET 2011

Hello Zhen,

> I have been trying to bring Strongswan 4.5.3 to Android

If possible, you should update to 4.6.1 as there are several Android
related improvements included in that release.

> 1. When I ran charon in adb shell, it started, but said: "android plugin
> failed to load, can't open android control socket".

That's because the control socket is only available, if charon gets
started by the patched Android VPN GUI.  With 4.6.1 it's possible to use
the plugin even if charon is not started by the GUI.

> I did some search, the android plugin is something related to DNS.

That's correct it installs DNS servers received from the gateway where
Android expects them to be (there is no resolv.conf on Android).

> Question: do i have to to enable this plugin for VPN to work on the
> emulator?

Only if you need DNS servers installed, or logging via logcat.  These
are currently the only two functions provided by the plugin, which are
usable without GUI patch.

> If so, i did some ./configure --enable-android, it failed
> because it couldn't find a requied lib. 

Running ./configure won't work.  To enable/disable plugins you have to
edit the plugin list in the top Android.mk within the strongSwan source
tree.  But the plugin is enabled anyway, by default, it just can't be
loaded without the control socket provided by the frontend in 4.5.3.

> 2. In the frontend integration site, it says it needs CA assigned certs,
> quoted below.
> Question: Does the certificate have to be issued by CA? Would
> self-assigned certificate work? I am just playing with it and wouldn't
> want to spend $1500 to buy one from verisign. :( 

Don't worry :)  You can absolutely build your own CA (e.g. with the
ipsec pki tool [1]).  Just make sure you install the CA certificate in
the Android certificate store as described on the page you quoted.  Then
use this CA to issue a certificate for the gateway you want to test against.

With 4.6.1 you now have also the option to build starter and stroke
which allows you to use an ipsec.conf based configuration, instead of
using the frontend patch.


[1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

More information about the Users mailing list