The ultimate issue was that Android also expects the server to authenticate using a pre-shared key, rather than just the certificate. So the correct configuration would have auth=psk under the local section, as well as a matching server id under the ike secrets.
More notes on this here: https://serverfault.com/q/1044090/70156 The caveat was that this exclusively worked on 5.9.0 for me. I was not able to reproduce the success with 5.7.2. Probably some syntax difference, I'm assuming.

On Wed, Nov 18, 2020 at 11:15:10PM +0000, strongs...@isuldor.com wrote:
> $ swanctl --version
> strongSwan swanctl 5.9.0
>
> $ cat /etc/swanctl/conf.d/android11.conf
> connections {
>     rw-isuldor {
>         local_addrs = moon.isuldor.com
>         pools = android11_pool
>         send_cert = always
>         local {
>             auth = pubkey
>             certs = moon.pem
>             id = moon.isuldor.com
>         }
>         remote {
>             auth = psk
>             id = strongs...@isuldor.com
>         }
>         children {
>             moon {
>                 local_ts = 0.0.0.0/0
>             }
>         }
>     }
> }
> secrets {
>     ike-isuldor {
>         id_isuldor = strongs...@isuldor.com
>         secret = hunter2
>     }
> }
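For readers arriving at this thread later, here is the corrected swanctl.conf as the fix above describes it (server also authenticating with the PSK, and the server id listed in the ike secret). This is an added reconstruction, not the file the poster ran: hostnames, the pool name, the redacted client id and the secret are carried over from the quoted config, and the `send_cert`/`certs` lines are dropped since they play no part once both sides use PSK. The `pools { android11_pool { ... } }` section that `pools = android11_pool` refers to is not shown anywhere in the thread and still has to exist in your own config.

```conf
# /etc/swanctl/conf.d/android11.conf (reconstructed, not the poster's file)
# Android 11 "IKEv2/IPsec PSK" profile: the responder must prove the PSK too,
# so local.auth is psk and the ike secret must be selectable by the server id.
connections {
    rw-isuldor {
        local_addrs = moon.isuldor.com
        pools = android11_pool
        local {
            # was: auth = pubkey / certs = moon.pem (server cert only)
            auth = psk
            id = moon.isuldor.com
        }
        remote {
            auth = psk
            id = strongs...@isuldor.com
        }
        children {
            moon {
                local_ts = 0.0.0.0/0
            }
        }
    }
}
secrets {
    # One ike secret matched by either peer identity, so the same PSK is used
    # for the server's and the client's AUTH payload. The id<suffix> names are
    # arbitrary; only the values matter.
    ike-isuldor {
        id_server = moon.isuldor.com
        id_client = strongs...@isuldor.com
        secret = hunter2
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` should show `local:` with `psk` for rw-isuldor; if it still reports `public key`, the old `auth = pubkey` is being picked up from another file in conf.d. Since IKEv2 PSK authentication is only as strong as the secret itself, replace the placeholder `hunter2` with a long random value before exposing this to the internet.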