[strongSwan] Issues with StrongSwan Android client and Azure MFA
Chris Sherry
smilinjoe at gmail.com
Tue Mar 3 04:09:21 CET 2020
I am picking this project up now that I can use split tunneling, but I am
running into another issue. I am trying to exclude the MS/Azure
Authenticator app from using the VPN. Without it excluded, I get the push
notification, but there is no place to approve the MFA request. With it
excluded, everything works fine. The issue I am having is I can manually
pick the app and exclude it, but if I make it part of a profile to import,
it doesn't work. This is my syntax:
{
  "uuid": "7129d5ec-fac8-4665-9856-6cfa81d01398",
  "name": "blah",
  "type": "ikev2-eap",
  "remote": {
    "addr": "vpn.blah.com",
    "cert": "blah-root-ca",
    "certreq": "false"
  },
  "split-tunneling": {
    "subnets": "10.0.0.0/8 172.16.0.0/12"
  },
  "excluded-apps": "com.azure.authenticator"
}
Is there a way to export a working profile? That would be awesome.
Thanks,
Chris.
On Thu, Jan 24, 2019 at 3:12 AM Tobias Brunner <tobias at strongswan.org>
wrote:
> Hi Chris,
>
> >> So my question to you is why is the route being injected BEFORE the
> >> tunnel is fully authenticated?
> >
> > It isn't. However, that MFA you use isn't integrated into the IKE
> > authentication. So for the IKE client (and server) the IKE_SA is
> > established successfully. I guess if the MFA fails or times out the
> > server would just terminate the previously established SA.
>
> Actually, from what I read, this is implemented via RADIUS. So it is
> integrated into the IKE authentication. The route you are referring to
> is probably the one we install to avoid traffic leaks while the VPN is
> established (this happens even before the first message is sent).
> However, if you exclude the MFA app it should be excluded from that
> initial route as well. Make sure you don't have Android's system-wide
> traffic block enabled, though, as that blocks all traffic if no VPN is
> established (i.e. there is no split-tunneling).
>
> Regards,
> Tobias
>