[strongSwan] Issues with StrongSwan Android client and Azure MFA
Tobias Brunner
tobias at strongswan.org
Thu Jan 24 09:17:27 CET 2019
Hi Chris,
> Even if I
> exclude the app from the VPN, it still has to follow the routing table,
> correct? There aren't separate tables for the VPN and things excluded,
> right?
No there are. That's exactly how this exclusion is implemented (policy
routing, marks etc.). When an app is excluded from the VPN it uses the
"default" routing table and is not affected by routes installed by the
VPN app.
> So my question to you is why is the route being injected BEFORE the
> tunnel is fully authenticated?
It isn't. However, that MFA you use isn't integrated into the IKE
authentication. So for the IKE client (and server) the IKE_SA is
established successfully. I guess if the MFA fails or times out the
server would just terminate the previously established SA.
Regards,
Tobias
More information about the Users
mailing list