[strongSwan] Same config for strongSwan, different outcome between Android and iOS
Tobias Brunner
tobias at strongswan.org
Thu Jun 30 10:06:15 CEST 2016
Hi Laurens,
> openssl:
> ...
> DH:ECP_256
> ...
Ah yes. It's because the default IKE proposal in versions before 5.4.0
listed ECP_256 after MODP_2048 and the server always preferred its own
proposals (this can be changed with the upcoming 5.5.0 release). So it
insists on using MODP_2048 even if it supports ECP_256.
> I've added 'fragmentation=yes' to the server, same issue.
Please have a look at the client log. Does it send an IKE_AUTH message?
Is it fragmented? If so, check with Wireshark/tcpdump on the server
whether any packets arrive.
> and the Android phone (which almost always fails)
What do you mean "almost always"?
> How can I select the correct CA certificate in the strongSwan Android
> client?
In the VPN profile, deselect automatic CA selection and then select the
certificate yourself.
Regards,
Tobias
More information about the Users
mailing list