Re: [strongSwan] Android/Stongswan Integration

2011-11-15 Thread Tobias Brunner
Hello Zhen,

> I have been trying to bring Strongswan 4.5.3 to Android

If possible, you should update to 4.6.1 as there are several Android
related improvements included in that release.

> 1. When I ran charon in adb shell, it started, but said: "android plugin
> failed to load, can't open android control socket".

That's because the control socket is only available, if charon gets
started by the patched Android VPN GUI.  With 4.6.1 it's possible to use
the plugin even if charon is not started by the GUI.

> I did some search, the android plugin is something related to DNS.

That's correct, it installs DNS servers received from the gateway where
Android expects them to be (there is no resolv.conf on Android).

> Question: do I have to enable this plugin for VPN to work on the
> emulator?

Only if you need DNS servers installed, or logging via logcat.  These
are currently the only two functions provided by the plugin, which are
usable without GUI patch.

> If so, I did some ./configure --enable-android, it failed
> because it couldn't find a required lib. 

Running ./configure won't work.  To enable/disable plugins you have to
edit the plugin list in the top Android.mk within the strongSwan source
tree.  But the plugin is enabled anyway, by default, it just can't be
loaded without the control socket provided by the frontend in 4.5.3.

> 2. In the frontend integration site, it says it needs CA assigned certs,
> quoted below.
> Question: Does the certificate have to be issued by CA? Would
> self-assigned certificate work? I am just playing with it and wouldn't
> want to spend $1500 to buy one from verisign. :( 

Don't worry :)  You can absolutely build your own CA (e.g. with the
ipsec pki tool [1]).  Just make sure you install the CA certificate in
the Android certificate store as described on the page you quoted.  Then
use this CA to issue a certificate for the gateway you want to test against.

With 4.6.1 you now have also the option to build starter and stroke
which allows you to use an ipsec.conf based configuration, instead of
using the frontend patch.

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Android/Stongswan Integration

2011-11-19 Thread zhen chen
Hi Tobias, 

I followed the procedure to create the CA certificate and imported it to the 
Android emulator successfully. 
Now, after I configured the GW side ipsec.conf, I created an IKEv2 VPN in the 
emulator. Then tried to connect to it: 

the logcat is giving me the following errors:

D/SProxy_charon(  351): stopping charon, success? true
D/VpnService(  351):   Local IP: 10.0.2.15, if: eth0
D/VpnService(  351):        VPN UP: down
I/SProxy_charon(  351): Start VPN daemon: charon
D/SProxy_charon(  351): charon is running after 0 msec
D/SProxy_charon(  351): service not yet listen()ing; try again
I/charon  (  362): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 
pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 
eap-md5 
I/charon  (  362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', 
process not running
I/charon  (  362): 00[JOB] spawning 16 worker threads
I/keystore(   37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed
I/charon  (  362): 07[LIB] building CRED_CERTIFICATE - X509 failed, tried 2 
builders
I/charon  (  362): 07[CFG] failed to load CA certificate
I/charon  (  362): 07[CFG] using CA certificate, gateway identitiy 
'192.168.121.102'
I/charon  (  362): 07[CFG] status of Android plugin changed: 4

Now it seems like Android is not able to load the certificate I created using 
ipsec pki.  
Is that because of the way I created the CA cert? Or is something missing in the 
Android charon? 

thanks!
-zhen





Re: [strongSwan] Android/Stongswan Integration

2011-11-20 Thread Andreas Steffen
Hello Zhen,

the actual error is

 I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
 I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed

if you have a strongswan.conf file on your Android platform
please add the entry

libstrongswan {
  x509 {
    enforce_critical = no
  }
}

You could also try to add the x509 plugin and add it in front of
the openssl plugin in the libcharon load list. The x509 plugin
might be able to handle the unknown critical extension contained
in your certificate.

Regards

Andreas


Re: [strongSwan] Android/Stongswan Integration

2011-11-20 Thread zhen chen
, 
process not running
I/charon  (  800): 00[JOB] spawning 16 worker threads
I/keystore(   37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/charon  (  800): 06[CFG] using CA certificate, gateway identitiy 
'192.168.121.102'
I/charon  (  800): 06[CFG] status of Android plugin changed: 4
I/SProxy_charon(  351): got data from control socket: 4
I/charon  (  800): 06[IKE] initiating IKE_SA android[1] to 192.168.121.102
I/charon  (  800): 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
I/charon  (  800): 06[NET] sending packet: from 10.0.2.15[500] to 
192.168.121.102[500]
I/charon  (  800): 07[NET] received packet: from 192.168.121.102[500] to 
10.0.2.15[500]
I/charon  (  800): 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
I/charon  (  800): 07[IKE] local host is behind NAT, sending keep alives
I/charon  (  800): 07[IKE] received cert request for "C=CH, O=strongSwan, 
CN=strongSwan CA"
I/charon  (  800): 07[IKE] received 1 cert requests for an unknown ca
I/charon  (  800): 07[IKE] sending cert request for "C=CH, O=strongSwan, 
CN=strongSwan CA"
I/charon  (  800): 07[IKE] establishing CHILD_SA android
I/charon  (  800): 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) 
CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) 
N(EAP_ONLY) ]
I/charon  (  800): 07[NET] sending packet: from 10.0.2.15[4500] to 
192.168.121.102[4500]
I/charon  (  800): 08[NET] received packet: from 192.168.121.102[4500] to 
10.0.2.15[4500]
I/charon  (  800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I/charon  (  800): 08[IKE] received AUTHENTICATION_FAILED notify error



Re: [strongSwan] Android/Stongswan Integration

2011-11-20 Thread Federico.Mancini
I think I know this one, I had the same problem.

Found the solution in the mailing list itself:

strongSwan requires the peer ID to be contained in the certificate
(either the complete DN, or as a subjectAltName, a matching CN= is
insufficient).

In my case the peer ID turned out to be the IP address itself.

Federico

From: users-bounces+federico.mancini=ffi...@lists.strongswan.org 
[mailto:users-bounces+federico.mancini=ffi...@lists.strongswan.org] On behalf of 
zhen chen
Sent: 21 November 2011 04:22
To: Andreas Steffen
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Android/Stongswan Integration
 

Hi Andreas, 

I loaded the strongswan.conf to the Android emulator, the Android is able to 
load the CA cert successfully. 
Thanks!

Now I started from the Android emulator and tried to add the IKEv2 IPSec 
tunnel. I entered the name, address of the GW, then tried to connect. I entered 
the username/password. The login failed. I checked the ipsec.conf and followed 
Tobias' instructions on the wiki. Couldn't find out what I did wrong. I used zhen as 
the user name on the Android side. 

Thanks in advance!
-Zhen 

The following is the main error on the GW side: 

Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, 
O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 
192.168.121.102[192.168.121.102]...192.168.121.104[zhen] 
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found 

The GW cert DN is:  C=CH, O=zhen, CN=emac   which I used as the left side id 
for the gw's ipsec.conf file. 
The CA cert DN is:  C=CH, O=strongSwan, CN=strongSwan CA

/etc/ipsec.secrets:

": RSA peerKey.der
zhen : EAP "password"
"

ipsec.conf file in the GW side (note android is the conn to the android phone): 

"conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw
    right=%any
    rightid=@192.168.121.101
    rightsourceip=%dhcp
    leftfirewall=yes
    left=192.168.121.102
    leftsubnet=192.168.2.0/24
    leftid=@192.168.121.102
    auto=add

conn android
    leftsubnet=0.0.0.0/0
    leftcert=peerCert1.der
    leftauth=pubkey
    leftid="C=CH, O=zhen, CN=emac"
    right=%any
    rightsourceip=%dhcp
    rightauth=eap-mschapv2
    rightsendcert=never
    keyexchange=ikev2
    eap_identity=%any
    auto=add
"

Gateway log: 

Nov 20 19:51:30 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 
pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw 
socket-default updown eap-identity eap-md5 farp gtp  
Nov 20 19:51:30 localhost charon: 00[JOB] spawning 16 worker threads 
Nov 20 19:51:30 localhost charon: 06[CFG] received stroke: add connection 'rw' 
Nov 20 19:51:30 localhost charon: 06[CFG] added configuration 'rw' 
Nov 20 19:51:30 localhost charon: 08[CFG] received stroke: add connection 
'android' 
Nov 20 19:51:30 localhost charon: 08[CFG] left nor right host is our side, 
assuming left=local 
Nov 20 19:51:30 localhost charon: 08[CFG]   loaded certificate "C=CH, O=zhen, 
CN=emac" from 'peerCert1.der' 
Nov 20 19:51:30 localhost charon: 08[CFG] added configuration 'android' 

Nov 20 19:57:25 localhost charon: 10[NET] received packet: from 
192.168.121.104[60653] to 192.168.121.102[500] 
Nov 20 19:57:25 localhost charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 20 19:57:25 localhost charon: 10[IKE] 192.168.121.104 is initiating an 
IKE_SA 
Nov 20 19:57:25 localhost charon: 10[IKE] remote host is behind NAT 
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, 
O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, 
O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:25 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ 
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Nov 20 19:57:25 localhost charon: 10[NET] sending packet: from 
192.168.121.102[500] to 192.168.121.104[60653] 
Nov 20 19:57:26 localhost charon: 11[NET] received packet: from 
192.168.121.104[34320] to 192.168.121.102[4500] 
Nov 20 19:57:26 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi 
N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] 
Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, 
O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 
192.168.121.102[192.168.121.102]...192.168.121.104[zhen] 
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer 

Re: [strongSwan] Android/Stongswan Integration

2011-11-21 Thread zhen chen
Hi Tobias,

If I used 4.6.1, is there any special configuration I need to enable to build 
the starter and stroke when I build the Android? 
I assume I wouldn't need to apply any of the three frontend patches any more? 

thanks!
Zhen

"With 4.6.1 you now have also the option to build starter and stroke
which allows you to use an ipsec.conf based configuration, instead of
using the frontend patch."





Re: [strongSwan] Android/Stongswan Integration

2011-11-22 Thread Tobias Brunner
Hi Zhen,

> If I used 4.6.1, is there any special configuration I need to enable to
> build the starter and stroke when I build the Android?

Have a look at the top Android.mk.  There you can uncomment the
strongswan_BUILD_STARTER line to enable the build of starter and stroke.

> I assume I wouldn't need to apply any of the three frontend patches any
> more? 

No, you don't.  But you still could, as the two config methods are not
mutually exclusive.

Regards,
Tobias



Re: [strongSwan] Android/Stongswan Integration

2011-11-22 Thread zhen chen
Hi Tobias, 

I successfully loaded 4.6.1 to Android 2.2. I pushed ipsec.conf to the 
emulator. Now if I use ipsec start, then ipsec up.
 
1. Doesn't seem that Charon loads the ipsec.conf file.
2. If I use ipsec up to force the starter to bring up the conn, ipsec up gave 
some error like " unnamed error ] ] ]". 


What should I do so the starter would use the ipsec.conf file like I normally 
do? 

Thanks!
-zhen   





Re: [strongSwan] Android/Stongswan Integration

2011-11-22 Thread Tobias Brunner
> 1. Doesn't seem that Charon loads the ipsec.conf file.

What makes you say so?  Do you get any errors?  Where did you put the
file?  Can you verify that it's there when you log into the emulator
with 'adb shell'?  And is that path equal to what you configured in the
top Android.mk file as strongswan_CONFDIR?

> 2. If I use ipsec up to force the starter to bring up the conn, ipsec up
> gave some error like " unnamed error ] ] ]". 

The ipsec script is not really working on Android as there is no 'test'
or '[' command, of which the script makes use extensively.  Simply use
starter and stroke directly.  Use 'starter' to start starter and charon
and use 'stroke up' to start a connection (to terminate them just kill
starter).  Have a look at how the script uses starter and stroke to
implement individual commands.

Regards,
Tobias



Re: [strongSwan] Android/Stongswan Integration

2011-11-28 Thread zhen chen
Hi Tobias, 

I finally got my tunnel to work. To me the key was to make sure the SAN of the 
server side cert has to be the host address of the vpn server, so the 
configuration can match. 

many thanks to you and others for the help. 

-zhen 
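
Added example (not part of any post in this thread, and not strongSwan code): a small Python triage helper that rejoins mail-wrapped charon log lines in logcat or syslog framing and flags the three failure messages discussed in this thread, each with the remedy the replies gave. The function names, issue keys and regular expressions are assumptions made for this illustration; the sample lines are taken from the logs quoted above.

```python
import re

# Start of a log record: logcat ("I/charon  (  362):") or syslog ("Nov 20 19:57:26 ").
RECORD_START = re.compile(
    r"^(?:[VDIWEF]/[^\s(]+\s*\(\s*\d+\):|[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)")
# charon payload in either framing: "<thread>[<subsystem>] <message>".
CHARON = re.compile(r"charon\s*(?:\(\s*\d+\))?:\s*(\d{2})\[([A-Z]{3})\]\s*(.*)")
# Gateway-side lookup line: local_addr[local_id]...remote_addr[remote_id].
PEER_LOOKUP = re.compile(
    r"looking for peer configs matching "
    r"([^\[\s]+)\[(.+?)\]\.\.\.([^\[\s]+)\[(.+?)\]")

# Issue key (illustrative name) -> (log text to look for, remedy given in the thread).
SIGNATURES = {
    "critical-x509-extension": (
        "found unsupported critical X.509 extension",
        "set libstrongswan.x509.enforce_critical = no in strongswan.conf, "
        "or load the x509 plugin in front of the openssl plugin"),
    "no-peer-config": (
        "no matching peer config found",
        "the gateway certificate must contain the requested peer ID, as the "
        "complete DN or as a subjectAltName (a matching CN= is insufficient)"),
    "auth-failed-notify": (
        "received AUTHENTICATION_FAILED notify error",
        "the client only sees the notify; read the gateway's charon log "
        "for the reason"),
}

def unwrap(text):
    """Rejoin records that a mail client wrapped onto several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def triage(text):
    """Return one finding per known failure message, in log order."""
    findings = []
    last_lookup = {}  # charon thread id -> IDs from its latest lookup line
    for record in unwrap(text):
        m = CHARON.search(record)
        if not m:
            continue  # not a charon line (e.g. SProxy_charon, VpnService)
        thread, subsystem, msg = m.groups()
        lookup = PEER_LOOKUP.search(msg)
        if lookup:
            last_lookup[thread] = {"local_id": lookup.group(2),
                                   "remote_id": lookup.group(4)}
            continue
        for issue, (needle, remedy) in SIGNATURES.items():
            if needle in msg:
                ids = last_lookup.get(thread) if issue == "no-peer-config" else None
                findings.append({"issue": issue, "thread": thread,
                                 "subsystem": subsystem, "ids": ids,
                                 "remedy": remedy})
    return findings

# Sample input: lines taken from the logs in this thread, including one wrapped record.
SAMPLE = """\
I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed
I/charon  (  362): 07[CFG] failed to load CA certificate
D/SProxy_charon(  351): service not yet listen()ing; try again
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 
192.168.121.102[192.168.121.102]...192.168.121.104[zhen] 
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found
I/charon  (  800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I/charon  (  800): 08[IKE] received AUTHENTICATION_FAILED notify error
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['thread']}[{f['subsystem']}] {f['issue']}: {f['remedy']}")
        if f["ids"]:
            print(f"    requested local ID {f['ids']['local_id']!r}, "
                  f"remote ID {f['ids']['remote_id']!r}")
```

For the "no matching peer config found" finding, the reported local ID is the identity the client asked the gateway to prove, which is the value the gateway certificate has to carry.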



