[strongSwan] ipsec.conf strongswan.conf on Android

Peter Hsiang phsiang at nvidia.com
Thu May 29 00:44:56 CEST 2014

Hi Tobias,

Another method of building the command line strongswan I tried is using the Android NDK gcc tools.  This can be done completely standalone without the Android/kernel source code.  This uses the Makefile instead of Android.mk.  However, for the ARM platform, this method encountered an issue of not having the "getpass()" function in the ARM gcc library.  This call is invoked from strongswan/src/pki/pki.c.  I see in other places of the source, this call can be replaced by adding #ifdef HAVE_GETPASS to replace 'secret = getpass(buf);' with 'secret = "";'   Is this the right thing to do?  I did not have this issue when building with Android.mk.

Is the Android.mk generated from the Makefile or was it created separately, and has a very different build configuration?
i.e. the Android.mk is designed to build the command line strongswan and not the GUI JNI variant, right?

So, seems there are potentially 3 ways to build strongswan:
1) Build as command line app, with the Android build flow, using Android.mk 
2) Build as command line app, with Android NDK gnu tools, using Makefile
3) Build as Android GUI app, but it cannot run the command line strongswan's configuration files.

Between the command line strongswan (for Linux) and the Android GUI strongswan (for Android), is there any difference between them that would make porting the command line version to Android difficult?  For example, Android does not have the /lib/modules/...kernel/ directory.  The equivalent is in /system/lib/modules/ on Android.
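
Added example, not part of the original post and not strongSwan code: instead of substituting an empty string where getpass() is missing, a build can carry its own fallback that reads the passphrase with terminal echo disabled. `read_secret` is a hypothetical helper, and the sketch assumes the platform's libc provides termios.

```c
#define _POSIX_C_SOURCE 200809L   /* fileno() */
#include <stdio.h>
#include <string.h>
#include <termios.h>

/* Hypothetical helper (not strongSwan code): read one line from `in` into
 * `buf`, switching terminal echo off while typing if `in` is a TTY.
 * Returns the secret's length, or -1 on EOF, error or an overlong line. */
long read_secret(FILE *in, const char *prompt, char *buf, size_t len)
{
    struct termios saved, noecho;
    int fd = fileno(in);
    int is_tty = (fd >= 0 && tcgetattr(fd, &saved) == 0);
    long n = -1;
    if (len < 2)
        return -1;
    if (is_tty) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0)
            return -1;            /* never read a secret with echo on */
        fputs(prompt, stderr);
    }
    if (fgets(buf, (int)len, in)) {
        size_t l = strlen(buf);
        if (l > 0 && buf[l - 1] == '\n') {
            buf[--l] = '\0';
            n = (long)l;
        } else if (feof(in)) {
            n = (long)l;          /* final line without a newline */
        }                         /* else: truncated input, reject */
    }
    if (is_tty) {
        tcsetattr(fd, TCSAFLUSH, &saved);   /* always restore echo */
        fputc('\n', stderr);
    }
    if (n < 0)
        memset(buf, 0, len);      /* leave no partial secret behind */
    return n;
}

int main(void)
{
    char secret[128];
    if (read_secret(stdin, "Passphrase: ", secret, sizeof secret) < 0)
        return 1;                 /* fail closed, do not fall back to "" */
    printf("read a %zu-byte passphrase\n", strlen(secret));
    return 0;
}
```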


-----Original Message-----
From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Peter Hsiang
Sent: Wednesday, May 28, 2014 10:31 AM
To: Tobias Brunner; users at lists.strongswan.org
Subject: Re: [strongSwan] ipsec.conf strongswan.conf on Android

Hi Tobias,

Thanks for your help.  
Yes I am running this on a rooted device, with full access to modify the kernel.  I have rebuilt the kernel to include the missing modules (xfrm_algo.ko, ah4.ko, ipcomp.ko, xfrm4_tunnel.ko, xfrm_user.ko, and statically af_key and esp4 are built-in).

I used the strongswan-1.5.2 source.  Then copied over the missing file src/libimcv/Android.mk from git checkout of 5.1.2RC1 code base.

The way I build it is by building the Android source code.  Place the strongswan-1.5.2 directory under Android's external/ directory.  Then use the Android's make command from external/strongswan-1.5.2/ directory.  That would place the ipsec binaries to the install directory, then go back to the top level and do a make to package the ipsec binaries to a flashable Android image.  This build process however, does not install the ipsec.conf, strongswan.conf, ipsec.d, strongswan.d directories the way that the desktop Ubuntu Linux strongswan build would.  I had to manually copy those configuration files into the target device after flashing the Android image.  

On the Ubuntu desktop strongswan build using traditional make, it would build several .ko's for the plugins.  The Android build does not build any of those.  Are they statically built into the libcharon.ko, or is it not set up correctly so it does not build?

I'd like to get the command line strongswan to run on Android first so I can leverage the existing ipsec.conf strongswan.conf configuration files.

Going the GUI APK path, the ipsec libs are entirely userspace and it does not use any of the kernel space ipsec libs right?
How do we go about porting the settings in the configuration files to the GUI APK environment?


-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Wednesday, May 28, 2014 9:49 AM
To: Peter Hsiang; users at lists.strongswan.org
Subject: Re: [strongSwan] ipsec.conf strongswan.conf on Android

Hi Peter,

> I have compiled the strongswan source using the Android (ARM) make 
> system (using Android.mk instead of the Linux autoconf Makefiles) with 
> the intent of running it on Android the same way like it does on an 
> Ubuntu PC.

Unless you run strongSwan on a rooted device (possibly with a modified kernel, as some kernels missed required modules) this won't work because the IKE daemon will not be able to access the kernel's IPsec stack.  You could perhaps try to use the kernel-libipsec backend but you'll still need root permission to create TUN devices.

> However, if in the strongswan.conf, we set load_modular = yes, then
> regardless of what is in strongswan.d/* it would crash when starting it
> with "ipsec start".  If we set load_modular = no, then it won't crash,
> but no plugins.

I can't reproduce either one of these issues.  What codebase did you use?

> Is it possible to run strongswan ipsec on Android using the command 
> line ipsec and configuration files?

Theoretically, yes.  But due to the limitations mentioned above it's definitely not the recommended way of building/using it anymore on Android.

> Is the ipsec.conf configuration files method compatible with the 
> Android GUI apk?


> Looking at $TOP/external/strongswan-5.1.2/src/libcharon/Android.mk,
> where it adds all the plugin source file, it does not seem to build 
> any of the plugins under the plugin directory.  Any idea what is missing?

How exactly are you building strongSwan?

