[strongSwan] ipsec.conf strongswan.conf on Android

Wed May 28 19:31:11 CEST 2014

Hi Tobias,

Thanks for your help.  
Yes I am running this on a rooted device, with full access to modify the kernel.  I have rebuilt the kernel to include the missing modules (xfrm_algo.ko, ah4.ko, ipcomp.io, xfrm4_tunnel.ko, xfrm_user.ko, and statically af_key and esp4 are built-in).

I used the strongswan-1.5.2 source.  Then copied over the missing file src/libimcv/Android.mk from git checkout of 5.1.2RC1 code base.

The way I build it is by building the Android source code.  Place the strongswan-1.5.2 directory under Android's external/ directory.  Then use the Android's make command from external/strongswan-1.5.2/ directory.  That would place the ipsec binaries to the install directory, then go back to the top level and do a make to package the ipsec binaries to a flashable Android image.  This build process however, does not install the ipsec.conf, strongswan.conf, ipsec.d, strongswan.d directories the way that the desktop Ubuntu Linux strongswan build would.  I had to manually copy those configuration files into the target device after flashing the Android image.  

On the Ubuntu desktop strongswan build using traditional make, it would build several .ko's for the plugins.  The Android build does not build any of those.  Are they statically built into the libcharon.ko, or it is not setup correctly so it does not build?

I'd like to get the command line strongswan to run on Android first so I can leverage the existing ipsec.conf strongswan.conf configurations files.

Going the GUI APK path, the ipsec libs are entirely userspace and it does not use any of the kernel space ipsec libs right?
How do we go about porting the settings in the configuration files to the GUI APK environment?

Thanks,
Peter

-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org] 
Sent: Wednesday, May 28, 2014 9:49 AM
To: Peter Hsiang; users at lists.strongswan.org
Subject: Re: [strongSwan] ipsec.conf strongswan.conf on Android

Hi Peter,

> I have compiled the strongswan source using the Android (ARM) make 
> system (using Android.mk instead of the Linux autoconf Makefiles) with 
> the intent of running it on Android the same way like it does on an 
> Ubuntu PC.

Unless you run strongSwan on a rooted device (possibly with a modified kernel, as some kernels missed required modules) this won't work because the IKE daemon will not be able to access the kernel's IPsec stack.  You could perhaps try to use the kernel-libipsec backend but you'll still need root permission to create TUN devices.

> However, if in the stronswan.conf, we set load_modular = yes, then 
> regardless of what is in strongswan.d/* it would crash when starting it
> with "ipsec start".   If we set load_modular = no, then it won't crash,
> but no plugins.

I can't reproduce either one of these issues.  What codebase did you use?

> Is it possible to run strongswan ipsec on Android using the command 
> line ipsec and configuration files?

Theoretically, yes.  But due to the limitations mentioned above it's definitely not the recommended way of building/using it anymore on Android.

> Is the ipsec.conf configuration files method compatible with the 
> Android GUI apk?

No.

> Looking at $TOP/external/strongswan-5.1.2/src/libcharon/Android.mk,
> where it adds all the plugin source file, it does not seem to build 
> any of the plugins under the plugin directory.  Any idea what is missing?

How exactly are you building strongSwan?

Regards,
Tobias

-----------------------------------------------------------------------------------
This email message is for the sole use of the intended recipient(s) and may contain
confidential information.  Any unauthorized review, use, disclosure or distribution
is prohibited.  If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
-----------------------------------------------------------------------------------