[strongSwan] Android client problems - possible bugs found

Mark M mark076h at yahoo.com
Wed Sep 26 07:26:27 CEST 2012


I was reading that you can send a DNS server to use with the attr plugin. Would the Android client be able to use that DNS attribute and override the one set on the phone?


From: Tobias Brunner <tobias at strongswan.org>
To: Mark M <mark076h at yahoo.com> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Monday, September 24, 2012 5:07 AM
Subject: Re: [strongSwan] Android client problems - possible bugs found
Hi Mark,

> Now I have noticed some strange behavior. When I go to a website it
> takes a very long time to even start loading. I set up Wireshark for my
> gateway and noticed that my client sends many DNS requests for the site,
> these are multiple IPv6 (AAAA) requests, sometimes 5-10 before the site
> starts to load. I think this is the problem. Now I am not sure if this
> is a problem with my phone and Verizon network or something wrong with
> the strongSwan Android client, any ideas?

Not really.  Are all queries for the same name?  Do you see the response
before the client sends another query?  Perhaps the resolver has a very
low timeout, or it is really the browser that does DNS prefetching or

> Also, is there a way to have the client auto-connect when a network
> connection is present? Is that possible with any Android VPN client?

No, currently not.  On the todo list are support for roaming (e.g. from
3G to Wifi) and also a reconnect feature (e.g. if the connectivity is
gone for a longer period).  Not sure if an auto-connect feature is
possible.  Implementing auto-connect is harder as the app has to be
started at least once (perhaps a widget could help here, which is
another item on the todo list).  Also, Android will show that
confirmation dialog to allow the app to set up the VPN initially.

> Also, a strange thing is that it sends to the gateway requests for every
> CA cert stored on the Android phone. My Galaxy S3 comes with about 120
> trusted CA certs and during the IKE it sends requests to the gateway for
> each one. On my gateway log file it reads "received 119 cert requests
> for an unknown CA". After that it uses the correct one. Is that some kind
> of bug with the Android client?

That's the normal behavior if "Select automatically" is enabled under
"CA certificate" for the VPN profile.  As the app does not know which
CA signed the gateway's certificate it loads all available CA
certificates and also sends a certificate request for them.  To avoid
this you can disable that option and select the proper CA certificate
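The two diagnostic questions in the reply (are the repeated AAAA queries for the same name, and does a response arrive before the next query is sent?) can be answered mechanically from the gateway capture. The following is an added example, not code from this thread or from the strongSwan project; it assumes the DNS packets have been exported to a simplified tshark-like text form (a constructed sample is embedded) and separates re-sends caused by resolver timeouts or lost replies from repeats where the client asks again after it already got an answer.

```python
import re
from collections import defaultdict
# Constructed sample (not a real capture) in a tshark-like one-packet-per-line
# form: timestamp, query/response, transaction id, record type, name.
SAMPLE_CAPTURE = """\
0.000 query    0x1001 AAAA www.example.com
1.020 query    0x1002 AAAA www.example.com
2.045 query    0x1003 AAAA www.example.com
2.100 response 0x1003 AAAA www.example.com
2.200 query    0x1005 AAAA cdn.example.net
2.230 response 0x1005 AAAA cdn.example.net
2.240 query    0x1006 AAAA cdn.example.net
2.270 response 0x1006 AAAA cdn.example.net
"""
LINE_RE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<kind>query|response)\s+"
                     r"(?P<id>0x[0-9a-f]+)\s+(?P<type>A|AAAA)\s+(?P<name>\S+)$")

def analyse_dns(text):
    """Per (name, type): queries sent, re-sends while an earlier query was still
    unanswered (timeout/loss), repeats after an answer, first-answer delay."""
    stats = defaultdict(lambda: {"queries": 0, "unanswered_resends": 0,
                                 "re_resolutions": 0, "first_answer_delay": None})
    pending, inflight, first_query = {}, defaultdict(set), {}
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        t, key = float(m["t"]), (m["name"], m["type"])
        s = stats[key]
        if m["kind"] == "query":
            s["queries"] += 1
            if inflight[key]:                        # earlier query still open
                s["unanswered_resends"] += 1
            elif s["first_answer_delay"] is not None:
                s["re_resolutions"] += 1
            inflight[key].add(m["id"])
            pending[m["id"]] = key
            first_query.setdefault(key, t)
        elif pending.pop(m["id"], None) == key:      # reply to a query we saw
            if s["first_answer_delay"] is None:
                s["first_answer_delay"] = round(t - first_query[key], 3)
            for txid in inflight.pop(key):           # one answer settles all retries
                pending.pop(txid, None)
    return dict(stats)

def diagnose(stats):
    # Label each name/type with the most likely reason for its repeated queries.
    return {f"{n}/{q}": ("resent before any reply: resolver timeout or lost replies"
                         if s["unanswered_resends"] else "re-asked after a reply: client re-resolving"
                         if s["re_resolutions"] else "answered once") for (n, q), s in stats.items()}
```

A real capture can be exported into this form with tshark's field output (frame time, dns.flags.response, dns.id, dns.qry.type, dns.qry.name) before being fed to `analyse_dns`.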
