[strongSwan] Same config for strongSwan, different outcome between Android and iOS

Laurens Vets laurens at daemon.be
Mon Jul 4 23:30:56 CEST 2016


Hi Tobias,

>> openssl:
>> ...
>>      DH:ECP_256
>> ...
> 
> Ah yes.  It's because the default IKE proposal in versions before 5.4.0
> listed ECP_256 after MODP_2048 and the server always preferred its own
> proposals (this can be changed with the upcoming 5.5.0 release).  So it
> insists on using MODP_2048 even if it supports ECP_256.

I can just ignore this for now?

>> I've added 'fragmentation=yes' to the server, same issue.
> 
> Please have a look at the client log.  Does it send an IKE_AUTH
> message?  Is it fragmented?  If so, check with Wireshark/tcpdump on the
> server whether any packets arrive.

I can send log files from working & non-working sessions.

>> and the Android phone (which almost always fails)
> 
> What do you mean "almost always"?

It works _sometimes_. From my point of view, there's nothing different 
between when it works and when it doesn't work... What is strange here 
is that using my iPhone on my home wifi always works. Using Android (I 
have 2 different Android phones, same issue), this rarely works.

I've lowered the MTU in the strongSwan app to 1300, same situation.

>> How can I select the correct CA certificate in the strongSwan Android
>> client?
> 
> In the VPN profile, deselect automatic CA selection and then select the
> certificate yourself.

Got it.
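
The DH group selection described in the quoted reply above, as an added example that is not part of the original message and not strongSwan code: a simplified model of a responder that either prefers its own proposal order or follows the initiator's. The group lists and the `prefer_configured` flag name are assumptions made for illustration.

```python
# Simplified model of an IKEv2 responder choosing a DH group (not strongSwan code).
# Group lists below are constructed for illustration.

def select_dh_group(initiator, responder, prefer_configured=True):
    """Walk the preferred side's list and return the first common group."""
    if prefer_configured:          # responder insists on its own ordering
        preferred, other = responder, initiator
    else:                          # responder follows the initiator's ordering
        preferred, other = initiator, responder
    for group in preferred:
        if group in other:
            return group
    return None                    # no common group: NO_PROPOSAL_CHOSEN


def ike_sa_init(initiator, responder, prefer_configured=True):
    """Return (selected group, number of IKE_SA_INIT requests sent)."""
    selected = select_dh_group(initiator, responder, prefer_configured)
    if selected is None:
        return None, 1
    # Assumption: the initiator's KE payload uses the first group it proposes
    # (RFC 7296 SHOULD). A different selection costs an INVALID_KE_PAYLOAD
    # notify and a second request with the right group.
    requests = 1 if initiator[0] == selected else 2
    return selected, requests


CLIENT = ["ECP_256", "MODP_2048"]              # constructed client proposal
SERVER_OLD_DEFAULT = ["MODP_2048", "ECP_256"]  # ECP_256 listed after MODP_2048

if __name__ == "__main__":
    print(ike_sa_init(CLIENT, SERVER_OLD_DEFAULT, prefer_configured=True))
    print(ike_sa_init(CLIENT, SERVER_OLD_DEFAULT, prefer_configured=False))
```

With the server preferring its own order, the exchange still completes with MODP_2048 but needs a second IKE_SA_INIT request, so the group mismatch alone does not explain a failed connection.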


