Public Key Authentication with own CA causes "Network may be monitored" warning on Android 4.4/5/6 with strongSwan app
Creating my own CA, cert and key according to https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA and then importing the generated PKCS#12 file into Android causes a permanent (i.e. cannot be dismissed) warning in Android 6.0: "Network may be monitored".
The only way to remove the warning is to remove my own CA from the Android CA storage. Funnily enough, starting and stopping the VPN connection still works even after the CA has been removed from Android. However, after a reboot the missing CA causes failure on connection establishment.
Google has claimed in https://code.google.com/p/android/issues/detail?id=62076#c8 that the warnings are working as intended.
Since it seems some caching is going on (otherwise establishing connections after removing the CA should be impossible), can the strongSwan app store the CA somewhere internally where Android won't complain?
#1 Updated by Noel Kuntze almost 4 years ago
The CA certificate (or server certificate) can also be imported directly into the app.
The PKCS#12 file would then only contain the user certificate and the corresponding key.
After deleting the old imported files and importing the new PKCS#12 file and the CA certificate separately (the first one into the Android trust store, the second one into the app), the warning should disappear.
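The split described in the comment above, as an added example that is not part of the original thread: it builds a PKCS#12 bundle with and without the CA certificate and counts the certificates in each. It assumes the original bundle carried the CA via `openssl pkcs12 -certfile`; all file names, subject names and the export password are constructed placeholders.

```shell
#!/bin/sh
# Added example: throwaway CA and user certificate, constructed for this demo.
# File names, CNs and the password "demo" are placeholders, not from the thread.
set -e

make_demo_pki() {   # $1 = working directory
    # Self-signed CA, standing in for the user's own CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$1/caKey.pem" -out "$1/caCert.pem" 2>/dev/null
    # User key and CSR, then a user certificate signed by the demo CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$1/userKey.pem" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -in "$1/user.csr" -days 30 \
        -CA "$1/caCert.pem" -CAkey "$1/caKey.pem" -CAcreateserial \
        -out "$1/userCert.pem" 2>/dev/null
}

export_with_ca() {  # bundle that also carries the CA certificate
    openssl pkcs12 -export -inkey "$1/userKey.pem" -in "$1/userCert.pem" \
        -name "demo-user" -certfile "$1/caCert.pem" \
        -passout pass:demo -out "$1/user-with-ca.p12"
}

export_user_only() { # bundle with only the user certificate and its key
    openssl pkcs12 -export -inkey "$1/userKey.pem" -in "$1/userCert.pem" \
        -name "demo-user" -passout pass:demo -out "$1/user-only.p12"
}

count_certs() {     # number of certificates inside a PKCS#12 file
    openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null \
        | grep -c "BEGIN CERTIFICATE"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"
export_with_ca "$demo"
export_user_only "$demo"
echo "user-with-ca.p12: $(count_certs "$demo/user-with-ca.p12") certificates"
echo "user-only.p12:    $(count_certs "$demo/user-only.p12") certificate"
```

Running `count_certs` on an existing bundle before importing it shows whether a CA certificate would be installed alongside the user certificate.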
#2 Updated by Tobias Brunner almost 4 years ago
- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
> can the strongSwan app store the CA somewhere internally where Android won't complain?

Yes, as Noel mentioned, CA and server certificates may be imported into the app since 1.4.0.
#3 Updated by Carl-Daniel Hailfinger almost 4 years ago
Thank you very much, that did the trick. I added this info to the SimpleCA wiki page.
Just in case someone hits this issue in a German localized Android, the warning message was "Das Netzwerk wird möglicherweise von einem unbekannten Dritten überwacht".