[strongSwan] Android 11 IKEv2/IPsec PSK and swanctl
strongswan at isuldor.com
Wed Dec 2 02:50:13 CET 2020
The ultimate issue was that Android also expects the server to
authenticate using a pre-shared key, rather than just the certificate.
So the correct configuration would have auth=psk under the local
section, as well as a matching server id under the ike secrets.
More notes on this here: https://serverfault.com/q/1044090/70156
The caveat was that this exclusively worked on 5.9.0 for me. I was not
able to reproduce the success with 5.7.2. Probably some syntax
difference, I'm assuming.
On Wed, Nov 18, 2020 at 11:15:10PM +0000, strongswan at isuldor.com wrote:
> $ swanctl --version
> strongSwan swanctl 5.9.0
>
> $ cat /etc/swanctl/conf.d/android11.conf
> connections {
>     rw-isuldor {
>         local_addrs = moon.isuldor.com
>         pools = android11_pool
>         send_cert = always
>         local {
>             auth = pubkey
>             certs = moon.pem
>             id = moon.isuldor.com
>         }
>         remote {
>             auth = psk
>             id = strongswan at isuldor.com
>         }
>         children {
>             moon {
>                 local_ts = 0.0.0.0/0
>             }
>         }
>     }
> }
> secrets {
>     ike-isuldor {
>         id_isuldor = strongswan at isuldor.com
>         secret = hunter2
>     }
> }
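
Added example, not part of the original post and not a strongSwan tool: a small Python lint that checks a swanctl config for the condition the reply describes, namely that when the client authenticates with PSK the server's local section also uses auth = psk and its id is listed under an IKE secret. The rule encodes this post's Android finding rather than a general strongSwan requirement; the parser assumes one statement per line, and the client id and secret are constructed placeholders.

```python
# Constructed sample: trimmed shape of the quoted config; FIXED applies the change the post describes.
BEFORE = """
connections {
    rw-isuldor {
        local {
            auth = pubkey
            id = moon.isuldor.com
        }
        remote {
            auth = psk
            id = client@example.org
        }
    }
}
secrets {
    ike-isuldor {
        id-client = client@example.org
        secret = placeholder-secret
    }
}
"""
FIXED = (BEFORE.replace("auth = pubkey", "auth = psk")
         .replace("id-client", "id-server = moon.isuldor.com\n        id-client"))

def parse(text):  # assumes 'name {', 'key = value' and '}' each on their own line
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def check(text):
    """Return (connection, finding) pairs for connections whose client uses PSK (hypothetical lint)."""
    conf = parse(text)
    secret_ids = {v for name, sec in conf.get("secrets", {}).items() if name.startswith("ike")
                  for k, v in sec.items() if k.startswith("id")}
    findings = []
    for name, conn in conf.get("connections", {}).items():
        local, remote = conn.get("local", {}), conn.get("remote", {})
        if remote.get("auth") == "psk" and local.get("auth") != "psk":
            findings.append((name, "local.auth is %s, not psk" % local.get("auth")))
        if remote.get("auth") == "psk" and local.get("id") not in secret_ids:
            findings.append((name, "local.id %s has no ike secret" % local.get("id")))
    return findings
```

Calling `check(BEFORE)` reports both gaps for `rw-isuldor`, while `check(FIXED)` returns an empty list.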