[strongSwan] Issues with StrongSwan Android client and Azure MFA

Chris Sherry smilinjoe at gmail.com
Tue Jan 15 03:59:44 CET 2019


Tobias,

The only way I can get it to work is by split-tunneling, which isn't an
option for me. My only guess is the challenge provider can't update the IP
of the client fast enough. The challenge always comes through as soon as
the tunnel gets torn down.

On Mon, Jan 14, 2019 at 1:39 PM Chris Sherry <smilinjoe at gmail.com> wrote:

> Tobias,
>
> So I have tried excluding Microsoft Authenticator from the VPN (with the
> advanced settings), but I get the same result. On a whim I tried allowing
> only Chrome to use the VPN. That allowed me to connect, but from Chrome I
> couldn't get to any internal websites. Plus that really wouldn't be a
> feasible solution as people are going to want to use many different (and
> unknown to me) apps on the VPN. Is there another Android subsystem that
> needs access as well besides the authenticator? The other piece that
> complicates this is the MFA challenge comes from Azure, so I don't have a
> simple network list to exclude from the tunnel.
>
> I will keep looking.....
>
> Chris.
>
> On Mon, Jan 14, 2019 at 5:11 AM Tobias Brunner <tobias at strongswan.org>
> wrote:
>
>> Hi Chris,
>>
>> > So it
>> > almost seems like the StrongSwan client is blocking traffic while the
>> > VPN connection is being built (after phase 1).
>>
>> It does.  If there is an app or IP address that should bypass the VPN,
>> configure it in the advanced VPN profile settings.
>>
>> Regards,
>> Tobias
>>
>