[strongSwan] Issues with StrongSwan Android client and Azure MFA

Chris Sherry smilinjoe at gmail.com
Tue Mar 3 04:09:21 CET 2020

I am picking this project up now that I can use split tunneling, but I am
running into another issue. I am trying to exclude the MS/Azure
Authenticator app from using the VPN. Without it excluded, I get the push
notification, but there is no place to approve the MFA request. With it
excluded, everything works fine. The issue I am having is I can manually
pick the app and exclude it, but if I make it part of a profile to import,
it doesn't work. This is my syntax:

    "uuid": "7129d5ec-fac8-4665-9856-6cfa81d01398",
    "name": blah",
    "type": "ikev2-eap",
    "remote": {
        "addr": "vpn.blah.com",
        "cert": "blah-root-ca",
        "certreq": "false"
    "split-tunneling": {
       "subnets": ""
    "excluded-apps": "com.azure.authenticator"

Is there a way to export a working profile? That would be awesome.


On Thu, Jan 24, 2019 at 3:12 AM Tobias Brunner <tobias at strongswan.org>

> Hi Chris,
> >> So my question to you is why is the route being injected BEFORE the
> >> tunnel is fully authenticated?
> >
> > It isn't.  However, that MFA you use isn't integrated into the IKE
> > authentication.  So for the IKE client (and server) the IKE_SA is
> > established successfully.  I guess if the MFA fails or times out the
> > server would just terminate the previously established SA.
> Actually, from what I read, this is implemented via RADIUS.  So it is
> integrated into the IKE authentication.  The route you are referring to
> is probably the one we install to avoid traffic leaks while the VPN is
> established (this happens even before the first message is sent).
> However, if you exclude the MFA app it should be excluded from that
> initial route as well.  Make sure you don't have Android's system-wide
> traffic block enabled, though.  As that block all traffic if no VPN is
> established (i.e. there is no split-tunneling).
> Regards,
> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200302/3ccb0402/attachment.html>

More information about the Users mailing list