[strongSwan] Issues with StrongSwan Android client and Azure MFA

Tobias Brunner tobias at strongswan.org
Thu Jan 24 10:12:17 CET 2019

Hi Chris,

>> So my question to you is why is the route being injected BEFORE the
>> tunnel is fully authenticated?
> It isn't.  However, that MFA you use isn't integrated into the IKE
> authentication.  So for the IKE client (and server) the IKE_SA is
> established successfully.  I guess if the MFA fails or times out the
> server would just terminate the previously established SA.

Actually, from what I read, this is implemented via RADIUS.  So it is
integrated into the IKE authentication.  The route you are referring to
is probably the one we install to avoid traffic leaks while the VPN is
established (this happens even before the first message is sent).
However, if you exclude the MFA app it should be excluded from that
initial route as well.  Make sure you don't have Android's system-wide
traffic block enabled, though.  As that blocks all traffic if no VPN is
established (i.e. there is no split-tunneling).
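The behaviour described above (a catch-all route installed before the tunnel is up, with one app excluded from it) can be sketched with the Android VpnService API. The following is an added illustration, not strongSwan's own code: the `LeakBlockingVpnService` class, the `EXCLUDED_APP` package name and the tunnel address are placeholders chosen for this example.

```java
// Added example (not strongSwan's code): an Android VpnService that installs a
// catch-all route so no traffic leaks outside the TUN interface while the VPN
// is being established, while excluding one app (e.g. an MFA app) so it can
// still reach the network directly.
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;

import java.io.IOException;

public class LeakBlockingVpnService extends VpnService {
    private static final String TAG = "LeakBlockingVpn";

    // Placeholder: the package name of the app to exclude from the VPN.
    // In practice this comes from the user's split-tunneling configuration.
    private static final String EXCLUDED_APP = "com.example.mfa";

    private ParcelFileDescriptor tun;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        tun = establishLeakBlockingInterface();
        return tun == null ? START_NOT_STICKY : START_STICKY;
    }

    /**
     * Builds the TUN interface with catch-all routes. Until the real tunnel is
     * up, packets entering this interface are simply not forwarded, which is
     * what prevents leaks. Returns null if the system refuses the interface.
     */
    ParcelFileDescriptor establishLeakBlockingInterface() {
        Builder builder = new Builder()
                .setSession("leak-block")
                .addAddress("10.0.0.2", 32)   // placeholder tunnel address
                .addRoute("0.0.0.0", 0)       // all IPv4 goes into the TUN
                .addRoute("::", 0);           // all IPv6 goes into the TUN
        try {
            // Split tunneling by app: traffic of this app bypasses the VPN,
            // including the catch-all route installed here.
            builder.addDisallowedApplication(EXCLUDED_APP);
        } catch (PackageManager.NameNotFoundException e) {
            // The exclusion cannot be applied to an app that is not installed;
            // the leak-blocking route is still installed for everything else.
            Log.w(TAG, "excluded app not installed: " + EXCLUDED_APP);
        }
        return builder.establish();
    }

    @Override
    public void onDestroy() {
        if (tun != null) {
            try {
                tun.close();   // removes the interface and its routes
            } catch (IOException e) {
                Log.w(TAG, "closing TUN failed", e);
            }
            tun = null;
        }
        super.onDestroy();
    }
}
```

Note that `addDisallowedApplication` only affects routing decisions made by the VPN app itself. The system-wide "Block connections without VPN" setting mentioned above is enforced by Android independently of this builder, so when it is enabled the excluded app is still blocked whenever no VPN interface exists.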