[strongSwan] New Android update option - how to best exploit?

Tobias Brunner tobias at strongswan.org
Wed Jul 5 09:47:12 CEST 2017


Hi Karl,

> Except that I can't install the server's certificate into Android's
> storage (whether from the base "Security" tab or in the StrongSwan
> client); it refuses and says there's no certificate it can import.

If you tried the import option in the CA certificate view of the app and
it doesn't show up, the mime-type is probably not set correctly (if it
is set correctly the strongSwan app should actually show up when trying
to open that file e.g. in the Downloads app).  If it does show up in the
file browser but the import fails, the file might be corrupt.

> There's no "trusted" certificate option that I can find either in the
> VPN setup on the StrongSwan Android client -- just the selection for
> which CA cert to use (either automatic selection or you can pick from
> the installed and trusted certificates.)

That's the one.  After you imported the server cert into the app you can
select it as a "CA certificate" (you basically set the certificate to
use as trust anchor during authentication).

> Going to ECDSA
> from an RSA certificate cut the fragments to 2 from 3, but I can't get
> it to "1", which would remove the fragmentation problem with connection
> setup.

Are you talking about IKE or IP fragments?  How big is the IKE_AUTH
response?

> Then of course there's the base Windows VPN
> security issues to start with (e.g. the proposals it supports and such
> -- or more to the point, the ones it doesn't) which, frankly, leave me in
> awe that our government appears at first blush to use it for
> rather-secure things (or do they?)

There is a registry key you can enable so it proposes a slightly better
DH group [1].

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048
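As an added example (not from the list post or the strongSwan wiki), this is how an administrator can inspect and enable the Windows registry value Tobias refers to; it assumes the RasMan value name NegotiateDH2048_AES256 as documented by Microsoft, and that value 1 adds AES-256 with MODP2048 to the client's proposals.

```powershell
# Added example: enable the RasMan registry value that makes the built-in
# Windows VPN client (IKEv2) also propose AES-256 with DH group 14 (MODP2048).
# Key and value name as documented by Microsoft; assumption: 1 = offer the
# stronger proposal in addition to the defaults. Run from an elevated shell;
# the RasMan service must be restarted (or the box rebooted) to pick it up.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$ValueName = 'NegotiateDH2048_AES256'

function Get-VpnDhSetting {
    # Returns the current DWORD, or 0 when the value is absent (Windows default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-VpnDhSetting {
    param([ValidateSet(0, 1, 2)][int]$Value = 1)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $Value -Force | Out-Null
}

$before = Get-VpnDhSetting
if ($before -lt 1) {
    Set-VpnDhSetting -Value 1
    Restart-Service -Name RasMan -Force   # reload the proposal set
}
'{0}: was {1}, now {2}' -f $ValueName, $before, (Get-VpnDhSetting)
```

Verify the effect on the strongSwan side by checking the proposals the Windows client sends in the IKE_SA_INIT request in the charon log.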
