[strongSwan] Connecting to Strongswan using the Native Android IPSec VPN Client

Hay, Ben (EG Consulting) ben.hay at hp.com
Tue Sep 16 14:12:53 CEST 2014


Thanks for your prompt response, it's much appreciated.

I would much rather use the Strongswan app as this is up and running and using ikev2. 

Does anyone know of a way to initiate the connection using the app without user intervention i.e. on boot the client simply connects to the vpn server without needing to open the app and hit connect?

Thanks in advance. 

Ben

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: 16 September 2014 09:31
To: Hay, Ben (EG Consulting); Cindy Moore
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Connecting to Strongswan using the Native Android IPSec VPN Client

Hi Ben, Cindy,

> I am attempting to connect to a Strongswan VPN server using the native 
> Android IPSec client in Android 4.4

> Is it possible to set up the vpn connection with Android's own vpn 
> client (and NOT the strongswan app)?

It is possible, yes. With the exception of the Samsung Galaxy S5 (which uses strongSwan as native IPsec backend), the Android client supports IKEv1 only. As PSK authentication has severe security implications, you should either use "IPsec Xauth RSA" or "IPsec Hybrid RSA" methods.

The first uses certificate client and server authentication, followed by XAuth username/password authentication. The hybrid mode skips client certificate authentication, and is therefore very similar to the EAP authentication mechanism from IKEv2. There is no certificate-only authentication on that client.

To configure a responder Hybrid mode connection, you'll need a connection with:

  keyexchange=ikev1
  leftauth=pubkey
  rightauth=xauth

Refer to [1] for a server configuration example. Of course you also need to install a matching server or CA certificate to the Android certificate manager.

> I am attempting to set things up so that folks in my dept can connect 
> to the vpn using native vpn apps on their respective OS.  I'm trying 
> to avoid requiring users to install specific software to simplify the 
> whole process.

While the native client can be sufficient for some use cases, in my experience it is cumbersome. We recommend using the strongSwan App if available for your device.

Regards
Martin

[1]https://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-hybrid/index.html
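
An added example, not part of the original messages and not strongSwan code: a small audit that reads ipsec.conf text and reports, for each IKEv1 conn, whether it uses the Hybrid settings quoted above, the Xauth RSA variant, or a pre-shared key. The conn names and the sample file are constructed; the `rightauth2=xauth` form for Xauth RSA and the `authby` values are taken from ipsec.conf syntax rather than from this thread, and `also=` includes are not followed.

```python
import re

# Constructed sample ipsec.conf; conn names are placeholders.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev1

conn android-hybrid
    leftauth=pubkey
    rightauth=xauth

conn android-xauth-rsa
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth

conn legacy-psk
    authby=xauthpsk   # pre-shared key plus XAuth
"""

PSK_VALUES = {"psk", "secret", "xauthpsk"}

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' values inherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if line and not line[0].isspace():         # header: conn, ca, config setup
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif line and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def classify(opts):
    """Name the IKEv1 authentication scheme a conn section asks for."""
    if opts.get("keyexchange") != "ikev1":
        return "not-ikev1"                         # native Android client cannot use it
    auths = {opts.get(k, "") for k in ("authby", "leftauth", "rightauth")}
    if auths & PSK_VALUES:
        return "psk"                               # the case the reply warns against
    if opts.get("leftauth") == "pubkey" and opts.get("rightauth") == "xauth":
        return "hybrid"                            # server cert, then XAuth only
    if opts.get("rightauth") == "pubkey" and opts.get("rightauth2") == "xauth":
        return "xauth-rsa"                         # client cert, then XAuth
    return "other"

def audit(text):
    return {name: classify(opts) for name, opts in parse_conns(text).items()}
```

Calling `audit()` on the contents of a server's ipsec.conf gives a per-conn summary; any entry reported as `psk` is one to move to a certificate-based method.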


