[strongSwan] Same config for strongSwan, different outcome between Android and iOS

Tobias Brunner tobias at strongswan.org
Thu Jun 30 10:06:15 CEST 2016

Hi Laurens,

> openssl:
> ...
>      DH:ECP_256
> ...

Ah yes.  It's because the default IKE proposal in versions before 5.4.0
listed ECP_256 after MODP_2048 and the server always preferred its own
proposals (this can be changed with the upcoming 5.5.0 release).  So it
insists on using MODP_2048 even if it supports ECP_256.

> I've added 'fragmentation=yes' to the server, same issue.

Please have a look at the client log.  Does it send an IKE_AUTH message?
 Is it fragmented?  If so, check with Wireshark/tcpdump on the server
whether any packets arrive.

> and the Android phone (which almost always fails)

What do you mean "almost always"?

> How can I select the correct CA certificate in the strongSwan Android 
> client?

In the VPN profile, deselect automatic CA selection and then select the
certificate yourself.


More information about the Users mailing list