[strongSwan] Android client problems - possible bugs found

Mark M mark076h at yahoo.com
Tue Sep 25 10:05:39 CEST 2012


Tobias,  

About the DNS problem, they are all queries for the same name. The first query is IPv6 (AAAA), then the next 3-4, sometimes more, are for the A record. It does this for every site; also, it does not appear to be cached, as going to the same page will go through this process again. The DNS request goes out to a Verizon DNS server, so I think I will try rooting my phone and using a DNS app to change the DNS and see if that fixes it.




________________________________
 From: Tobias Brunner <tobias at strongswan.org>
To: Mark M <mark076h at yahoo.com> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Monday, September 24, 2012 5:07 AM
Subject: Re: [strongSwan] Android client problems - possible bugs found
 
Hi Mark,

> Now I have noticed some strange behavior. When i go to a website it
> takes a very long time to even start loading. I setup Wireshark for my
> gateway and noticed that my client sends many DNS requests for the site,
> these are multiple IPv6(AAAA) requests, sometimes 5-10 before the site
> starts to load. I think this is the problem. Now I am not sure if this
> is a problem with my phone and Verizon network or something wrong with
> the strongSwan android client, any ideas?

Not really.  Are all queries for the same name?  Do you see the response
before the client sends another query?  Perhaps the resolver has a very
low timeout, or it is really the browser that does DNS prefetching or
something.

> Also, is there a way to have the client auto connect when a network
> connection is present. Is that possible with any android vpn client?

No, currently not.  On the todo list are support for roaming (e.g. from
3G to Wifi) and also a reconnect feature (e.g. if the connectivity is
gone for a longer period).  Not sure if an auto-connect feature is
possible.  Implementing auto-connect is harder as the app has to be
started at least once (perhaps a widget could help here, which is
another item on the todo list).  Also, Android will show that
confirmation dialog to allow the app to setup the VPN initially.

> Also a strange thing is that it sends to the gateway requests for every
> CA cert stored on the Android phone. My Galaxy S3 comes with about 120
> trusted CA certs and during the IKE it sends requests to the gateway for
> each one. On my gateway log file it reads "received 119 cert requests
> for an unkown CA" after that it uses the correct one. Is that some kind
> of bug with the android client?

That's the normal behavior if "Select automatically" is enabled under
"CA certificate" for the VPN profile.  As the app does not know which
CA signed the gateway's certificate it loads all available CA
certificates and also sends a certificate request for them.  To avoid
this you can disable that option and select the proper CA certificate
manually.

Regards,
Tobias