[strongSwan] Issues with StrongSwan Android client and Azure MFA

Tobias Brunner tobias at strongswan.org
Thu Jan 24 09:17:27 CET 2019

Hi Chris,

> Even if I
> exclude the app from the VPN, it still has to follow the routing table,
> correct? There aren't separate tables for the VPN and things excluded,
> right?

No, there are.  That's exactly how this exclusion is implemented (policy
routing, marks etc.).  When an app is excluded from the VPN it uses the
"default" routing table and is not affected by routes installed by the
VPN app.

> So my question to you is why is the route being injected BEFORE the
> tunnel is fully authenticated?

It isn't.  However, that MFA you use isn't integrated into the IKE
authentication.  So for the IKE client (and server) the IKE_SA is
established successfully.  I guess if the MFA fails or times out the
server would just terminate the previously established SA.


