[strongSwan] Android/Stongswan Integration

Andreas Steffen andreas.steffen at strongswan.org
Sun Nov 20 15:36:42 CET 2011

Hello Zhen,

the actual error is

 I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
 I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed

if you have a strongswan.conf file on your Android platform
please add the entry

libstrongswan {
  x509 {
    enforce_critical = no

You could also try to add the x509 plugin and add it in front of
the openssl plugin in the libcharon load list. The x509 plugin$
might be able handle the unknown critical extension contained
in your certificate.



On 11/20/2011 12:41 AM, zhen chen wrote:
> Hi Tobias, 
> I followed the procedure to create the CA certificate and imported it to
> the Android emulator successfully. 
> Now after I configure the GW side ipsec.conf. I created a IKEV2 VPN in
> the emulator. Then tried to connect to it: 
> the logcat is giving me the foloowing errors:
> D/SProxy_charon(  351): stopping charon, success? true
> D/VpnService(  351):   Local IP:, if: eth0
> D/VpnService(  351):        VPN UP: down
> I/SProxy_charon(  351): Start VPN daemon: charon
> D/SProxy_charon(  351): charon is running after 0 msec
> D/SProxy_charon(  351): service not yet listen()ing; try again
> I/charon  (  362): 00[DMN] loaded plugins: openssl fips-prf random
> pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android
> eap-identity eap-mschapv2 eap-md5 
> I/charon  (  362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid',
> process not running
> I/charon  (  362): 00[JOB] spawning 16 worker threads
> I/keystore(   37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
> I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
> I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed
> I/charon  (  362): 07[LIB] building CRED_CERTIFICATE - X509 failed,
> tried 2 builders
> I/charon  (  362): 07[CFG] failed to load CA certificate
> I/charon  (  362): 07[CFG] using CA certificate, gateway identitiy
> ''
> I/charon  (  362): 07[CFG] status of Android plugin changed: 4
> Now it seems like Android is not able to load the certificate I created
> using ipsec pki.  
> Is that because the way I created the CA cert? or something is missing
> in the Android charon? 
> thanks!
> -zhen
> ------------------------------------------------------------------------
> *From:* Tobias Brunner <tobias at strongswan.org>
> *To:* zhen chen <zchen2711 at yahoo.com>
> *Cc:* "users at lists.strongswan.org" <users at lists.strongswan.org>
> *Sent:* Tuesday, November 15, 2011 9:52 AM
> *Subject:* Re: [strongSwan] Android/Stongswan Integration
> Hello Zhen,
>> I have been trying to bring Strongswan 4.5.3 to Android
> If possible, you should update to 4.6.1 as there are several Android
> related improvements included in that release.
>> 1. When I ran charon in adb shell, it started, but said: "android plugin
>> failed to load, can't open android control socket".
> That's because the control socket is only available, if charon gets
> started by the patched Android VPN GUI.  With 4.6.1 it's possible to use
> the plugin even if charon is not started by the GUI.
>> I did some search, the android plugin is something related to DNS.
> That's correct it installs DNS servers received from the gateway where
> Android expects them to be (there is no resolv.conf on Android).
>> Question: do i have to to enable this plugin for VPN to work on the
>> emulator?
> Only if you need DNS servers installed, or logging via logcat.  These
> are currently the only two functions provided by the plugin, which are
> usable without GUI patch.
>> If so, i did some ./configure --enable-android, it failed
>> because it couldn't find a requied lib.
> Running ./configure won't work.  To enable/disable plugins you have to
> edit the plugin list in the top Android.mk <http://Android.mk> within
> the strongSwan source
> tree.  But the plugin is enabled anyway, by default, it just can't be
> loaded without the control socket provided by the frontend in 4.5.3.
>> 2. In the frontend integration site, it says it needs CA assigned certs,
>> quoted below.
>> Question: Does the certificate have to be issued by CA? Would
>> self-assigned certificate work? I am just playing with it and wouldn't
>> want to spend $1500 to buy one from verisign. :(
> Don't worry :)  You can absolutely build your own CA (e.g. with the
> ipsec pki tool [1]).  Just make sure you install the CA certificate in
> the Android certificate store as described on the page you quoted.  Then
> use this CA to issue a certificate for the gateway you want to test against.
> With 4.6.1 you now have also the option to build starter and stroke
> which allows you to use an ipsec.conf based configuration, instead of
> using the frontend patch.
> Regards,
> Tobias
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list