[strongSwan] New Android update option - how to best exploit?

Tobias Brunner tobias at strongswan.org
Tue Jul 4 10:49:36 CEST 2017


Hi Karl,

> What would be the least traffic-generating option for its use? In
> other words, exactly what either has to be on the client -- or sent from
> the server -- for that switch to work?

You get the least traffic if you import the server certificate into the
app and configure `leftsendcert=ifasked` (the default, `never` also
works) on the server and then either disable the new option or
explicitly select the server certificate as trusted certificate in the
profile (that already worked in the older versions of the app).  Then no
certificate request or certificate will be exchanged at all (unless you
use client certs and the server sends a certificate request).

If you want to use the CA certificate instead of the server certificate
on the client (in that case the server certificate has to be
transmitted), either select that CA certificate in the profile (only one
certificate request for that particular CA is then sent) or configure
`leftsendcert=always` on the server and disable the new option in the
profile; then you don't have to select the CA cert (you still can, to only
trust that CA) and no certificate requests will be sent.

> Scratch that -- I don't know exactly how I got traffic to route down the VPN in the past from a tethered client, but it's not doing it now... so unless I can figure that out again the second part of the query is worthless.

As far as I know tethering on Android does not work with VPNs unless you
manually (or with an app) change the routing/firewall rules, which only
works on rooted devices.

Regards,
Tobias
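Added example (not part of the original message): the two server-side variants described above expressed as strongSwan `ipsec.conf` fragments. The conn names, the certificate file names and the EAP settings are assumptions chosen for illustration; only the `leftsendcert` values come from the reply.

```ini
# Variant 1: minimal traffic. The client has imported the server
# certificate itself (or the new option is disabled), so the server
# only sends its certificate when the client asks for it. This is the
# default value; `never` would also work for this setup.
conn android-min
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=serverCert.pem        # assumed file name
    leftid=vpn.example.org         # assumed identity
    leftsendcert=ifasked
    rightauth=eap-mschapv2         # assumed client auth method
    auto=add

# Variant 2: the client trusts the CA certificate instead. The server
# certificate must then reach the client, so it is always sent; with the
# new app option disabled the client sends no certificate request.
conn android-ca
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=serverCert.pem        # assumed file name
    leftid=vpn.example.org         # assumed identity
    leftsendcert=always
    rightauth=eap-mschapv2         # assumed client auth method
    auto=add
```

With variant 1 the certificate payload is never on the wire when the app already holds the server certificate; with variant 2 it is sent in every IKE_AUTH, which is the trade-off the reply points out.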
