[strongSwan] Android 11 IKEv2/IPsec PSK and swanctl

strongswan at isuldor.com strongswan at isuldor.com
Wed Dec 2 02:50:13 CET 2020


The ultimate issue was that Android also expects the server to
authenticate using a pre-shared key, rather than just the certificate.
So the correct configuration would have auth=psk under the local
section, as well as a matching server id under the ike secrets.

More notes on this here: https://serverfault.com/q/1044090/70156

The caveat was that this exclusively worked on 5.9.0 for me. I was not
able to reproduce the success with 5.7.2. Probably some syntax
difference, I'm assuming.


On Wed, Nov 18, 2020 at 11:15:10PM +0000, strongswan at isuldor.com wrote:
> $ swanctl --version
> strongSwan swanctl 5.9.0
> 
> $ cat /etc/swanctl/conf.d/android11.conf
> connections {
>     rw-isuldor {
>         local_addrs = moon.isuldor.com
>         pools = android11_pool
>         send_cert = always
>         local {
>             auth = pubkey
>             certs = moon.pem
>             id = moon.isuldor.com
>         }
>         remote {
>             auth = psk
>             id = strongswan at isuldor.com
>         }
>         children {
>             moon {
>                 local_ts  = 0.0.0.0/0
>             }
>         }
>     }
> }
> secrets {
>     ike-isuldor {
>         id_isuldor = strongswan at isuldor.com
>         secret = hunter2
>     }
> }
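
A sketch of the configuration the follow-up describes, added here as an example and not taken from the original post: `auth = psk` in the `local` section, and the server identity listed in the IKE secret next to the client identity. The client identity `client@example.org`, the `id-server`/`id-client` key suffixes and the secret value are constructed placeholders; `android11_pool` is assumed to be defined elsewhere, as in the quoted config.

```conf
# /etc/swanctl/conf.d/android11.conf (corrected sketch, strongSwan 5.9.0)
connections {
    rw-isuldor {
        local_addrs = moon.isuldor.com
        pools = android11_pool          # assumed to be defined in a pools {} section
        local {
            # was "auth = pubkey": the Android client expects the server
            # to authenticate with the pre-shared key as well
            auth = psk
            id = moon.isuldor.com
        }
        remote {
            auth = psk
            id = client@example.org     # placeholder client identity
        }
        children {
            moon {
                local_ts = 0.0.0.0/0
            }
        }
    }
}
secrets {
    ike-isuldor {
        # Both identities must be listed so the secret is found for the
        # server's own AUTH payload and for verifying the client's.
        id-server = moon.isuldor.com    # must match local.id above
        id-client = client@example.org  # must match remote.id above
        secret = "REPLACE_WITH_LONG_RANDOM_SECRET"   # placeholder
    }
}
```

After reloading with `swanctl --load-all`, `swanctl --list-conns` should show pre-shared key authentication for both the local and the remote side of `rw-isuldor`.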

