strongSwan VPN Client
strongSwan
View log
Search
VPN not supported
Your device does not support VPN applications. Please contact the manufacturer.
VPN connections are not supported if a built-in VPN has the always-on feature enabled.
Unable to get permission to create VPN connections. Either because it was denied by the user, or because a different VPN app has the always-on feature enabled.
Loading…
Profile not found
strongSwan shortcut
VPN connection state
Provides information about the VPN connection state and serves as permanent notification to keep the VPN service running in the background.

Settings
Default VPN profile
Connect to most recently used profile
Ignore battery optimizations
Don't show a warning if the app is not on the device's power whitelist

Log
Send log file
Log file is empty
strongSwan %1$s Log File

No VPN profiles.
Add VPN profile
Edit
Copy
%1$s (Copy)
Delete
Select profiles
Selected profiles deleted
No profile selected
One profile selected
%1$d profiles selected

Save
Import
Cancel
Profile name (optional)
Profile name
Defaults to the configured server
Defaults to "%1$s"
Server
IP address or hostname of the VPN server
VPN Type
Username
Password (optional)
Leave blank to get prompted on demand
User certificate
Select user certificate
Select a specific user certificate
Install user certificate
CA certificate
Select automatically
Select CA certificate
Select a specific CA certificate

Advanced settings
Show advanced settings
Server identity
Defaults to the configured server. Custom values are explicitly sent to the server and enforced during authentication
Defaults to "%1$s". Custom values are explicitly sent to the server and enforced during authentication
Client identity
Defaults to the configured username. Custom values may be used if expected/required by the server
Defaults to the certificate's subject identity. Custom values may be used if expected/required by the server. Note that these usually must be confirmed by the certificate (auto-completion is provided for the certificate's alternative identities, if any)
DNS servers
Custom DNS servers to use when connected to the VPN (separated by spaces, e.g. "8.8.8.8 2001:4860:4860::8888"), defaults to those received from the VPN server
MTU of the VPN tunnel device
In case the default value is unsuitable for a particular network
Server port
UDP port to connect to, if different from the default
NAT-T keepalive interval
Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case.
Send certificate requests
Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn't receive any certificate requests.
Use OCSP to check certificate
Use the Online Certificate Status Protocol (OCSP), if available, to check that the server certificate has not been revoked.
Use CRLs to check certificate
Use Certificate Revocation Lists (CRL), if available, to check that the server certificate has not been revoked. CRLs are only used if OCSP doesn't yield a result.
Use strict revocation checking
In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).
Use RSA/PSS signatures
Use the stronger PSS encoding instead of the classic PKCS#1 encoding for RSA signatures. Authentication will fail if the server does not support such signatures.
Use IPv6 transport addresses
Use IPv6 for outer transport addresses if available. Can only be enabled if UDP encapsulation for IPv6 is supported by the server. Note that the Linux kernel only supports this since version 5.8, so many servers will not support it yet.

Split tunneling
By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).
Block IPv4 traffic not destined for the VPN
Block IPv6 traffic not destined for the VPN
Custom subnets
Only route traffic to specific subnets via VPN, everything else is routed as if there was no VPN (separated by spaces, e.g. "192.168.1.0/24 2001:db8::/64")
Excluded subnets
Traffic to these subnets will not be routed via VPN, but as if there was no VPN (separated by spaces, e.g. "192.168.1.0/24 2001:db8::/64")
Applications
Select applications
No applications selected
One application selected
%1$d applications selected

Algorithms
Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a list of algorithm identifiers (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.
IKEv2 Algorithms
For non-AEAD/classic encryption algorithms, an integrity algorithm, a pseudo random function (optional, defaults to one based on the integrity algorithm) and a Diffie-Hellman group are required (e.g. aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted but a PRF is required (e.g. aes256gcm16-prfsha256-ecp256).
IPsec/ESP Algorithms
For non-AEAD/classic encryption algorithms, an integrity algorithm is required, a Diffie-Hellman group is optional (e.g. aes256-sha256 or aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted (e.g. aes256gcm16 or aes256gcm16-ecp256). If a DH group is specified IPsec SA rekeying will use a DH key exchange. However, DH groups specified here are not used when the connection is established initially because the keys there are derived from the IKE SA key material. Therefore, any configuration mismatch with the server will only cause errors later during rekeying.

Import VPN profile
Failed to import VPN profile
Failed to import VPN profile: %1$s
File not found
Host unknown
TLS handshake failed
Invalid value in "%1$s"
This VPN profile already exists, its current settings will be replaced.
Import certificate from VPN profile
Certificate for "%1$s"
Profile ID

A value is required to initiate the connection
Please enter your username
No CA certificate selected
Please select one or activate Select automatically
Please enter a number in the range from %1$d - %2$d
Please enter valid subnets and/or IP addresses, separated by spaces
Please enter valid IP addresses, separated by spaces
Please enter a valid list of algorithms, separated by hyphens

EAP-TNC may affect your privacy
Device data is sent to the server operator
Trusted Network Connect (TNC) allows server operators to assess the health of a client device. For that purpose the server operator may request data such as a unique identifier, a list of installed packages, system settings, or cryptographic checksums of files. Any data will be sent only after verifying the server's identity.

CA certificates
No certificates
Reload CA certificates
System
User
Imported
Delete certificate?
The certificate will be permanently removed!
Import certificate
Certificate successfully imported
Failed to import certificate

CRL cache
Clear CRL cache?
The CRL cache is empty
The CRL cache contains %1$d file (%2$s).
The CRL cache contains %1$d files (%2$s).
Clear

Status:
Profile:
Disconnect
Connecting…
Connected
Disconnecting…
No active VPN
Error
Dismiss
Assessment:
Restricted
Failed
View remediation instructions
Remediation instructions

Enter password to connect
Username
Password
Connect

Failed to establish VPN: %1$s.
Server address lookup failed
Server is unreachable
Verifying server authentication failed
User authentication failed
Security assessment failed
Unspecified failure while connecting
Password unavailable
Client certificate unavailable

VPN connected
This VPN profile is currently connected!
Reconnect
Connect %1$s?
This will replace your active VPN connection!
Disconnect VPN?
This will disconnect the active VPN connection!
Connect
Retry
Retry in %1$d second
Retry in %1$d seconds
Cancel retry

Disable battery optimizations
Please confirm the next dialog to add the app to the device's power whitelist so it can ignore battery optimizations and schedule NAT keep-alives and rekeyings accurately in order to constantly keep reachable while the VPN is established.

Toggle VPN
Connect VPN
Disconnect VPN