[strongSwan] Connecting to Strongswan using the Native Android IPSec VPN Client

Martin Willi martin at strongswan.org
Tue Sep 16 10:30:48 CEST 2014


Hi Ben, Cindy,

> I am attempting to connect to a Strongswan VPN server using the native
> Android IPSec client in Android 4.4

> Is it possible to set up the vpn connection with Android's own vpn
> client (and NOT the strongswan app)?

It is possible, yes. With the exception of the Samsung Galaxy S5 (which
uses strongSwan as native IPsec backend), the Android client supports
IKEv1 only. As PSK authentication has severe security implications, you
should either use "IPsec Xauth RSA" or "IPsec Hybrid RSA" methods. 

The first uses certificate client and server authentication, followed by
XAuth username/password authentication. The hybrid mode skips client
certificate authentication, and is therefore very similar to the EAP
authentication mechanism from IKEv2. There is no certificate-only
authentication on that client.

To configure a responder Hybrid mode connection, you'll need a
connection with:

  keyexchange=ikev1
  leftauth=pubkey
  rightauth=xauth

Refer to [1] for a server configuration example. Of course you also need
to install a matching server or CA certificate to the Android
certificate manager.

> I am attempting to set things up so that folks in my dept can connect
> to the vpn using native vpn apps on their respective OS.  I'm trying
> to avoid requiring users to install specific software to simplify the
> whole process.

While the native client can be sufficient for some use cases, in my
experience it is cumbersome. We recommend using the strongSwan App if
available for your device.

Regards
Martin

[1] https://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-hybrid/index.html
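
Added example, not part of the original mail and not strongSwan project code: a small check that reads ipsec.conf-style text and reports which conn sections match the three hybrid-mode responder settings named above, and which still rely on a pre-shared key. The sample configuration and the function names are constructed for illustration; `also=` includes are not resolved.

```python
REQUIRED = {"keyexchange": "ikev1", "leftauth": "pubkey", "rightauth": "xauth"}
PSK_VALUES = {"psk", "secret", "xauthpsk"}  # PSK-based leftauth/rightauth/authby values

SAMPLE = """\
# constructed sample configuration, not from the original mail
conn %default
    keyexchange=ikev1

conn android-hybrid
    leftauth=pubkey
    rightauth=xauth
    auto=add

conn legacy-psk
    authby=secret
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {option: value}}; 'also=' includes are not resolved."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():  # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # values are lowercased because they are only used for comparison
            current[key.strip()] = value.strip().lower()
    return conns

def audit(text):
    """Return {conn_name: [findings]}; an empty list means the conn matches."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    report = {}
    for name, opts in conns.items():
        eff = {**defaults, **opts}  # conn-specific options override %default
        findings = [f"{k}={eff.get(k, '<unset>')} (expected {want})"
                    for k, want in REQUIRED.items() if eff.get(k) != want]
        findings += [f"{k}={eff[k]} relies on a pre-shared key"
                     for k in ("authby", "leftauth", "rightauth")
                     if eff.get(k) in PSK_VALUES]
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```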