strongSwan

h1. strongSwan on Android

h2. strongSwan VPN Client for Android 4+

We recently released "strongSwan VPN Client for Android 4 and newer":https://play.google.com/store/apps/details?id=org.strongswan.android an App that can be downloaded directly from "Google Play":https://play.google.com/store/apps/details?id=org.strongswan.android.

There are some limitations at the moment:

 * Only IKEv2 is supported

 * User authentication is limited to EAP authentication based on username/password (EAP-MSCHAPv2, EAP-MD5)

 * No support for MOBIKE yet

 * The IPsec implementation is also limited (only AES and SHA1/SHA2 are supported)

h2. Native build

strongSwan can also be built for inclusion in the "Android":http://www.android.com system image, that is, directly within the Android source tree.  The rest of this document describes how to do so.

A while ago we also created a patch that [[AndroidFrontend|integrates strongSwan into the default Android 2.2 VPN frontend]].

h2. Android Source Tree

You will need the complete Android source tree to build strongSwan. Instructions on how to download and build it can be found on the "Android website":http://source.android.com/source/downloading.html.

To checkout a specific branch or tag of the sources, specify it with the @-b@ parameter when using the @repo init@ command.

Since building the whole source tree takes quite a while you should probably start with this first (use @-j@ to speed this up on multi-core machines):

<pre>

cd /path/to/android/source

. build/envsetup.sh

lunch 1

make -j<jobs>

</pre>

h2. Android Kernel

The prebuilt kernel that is used for the emulator lacks some modules required for strongSwan to work correctly. It is therefore required to build a custom kernel.

To get the current kernel config you can use the "Android Debug Bridge":http://developer.android.com/tools/help/adb.html to download it from the running emulator. After starting the emulator use

<pre>

adb pull /proc/config.gz config.gz

</pre>to copy the config to the current directory. Then enable the missing modules, this is mainly @CONFIG_XFRM_USER@ and @CONFIG_INET_XFRM_MODE_TUNNEL@ but might include other modules.

Please compare your config to the list of [[KernelModules|required modules]] in this wiki (please note that some modules, especially all the IPv6 related modules, are not really required).

Clone the kernel sources and check out an appropriate tag (check the version of the kernel in the emulator). For example (this is for Android 2.2):

<pre>

git clone https://android.googlesource.com/kernel/goldfish kernel

cd kernel

git checkout -t origin/android-goldfish-2.6.29

</pre>

You can then copy your config to this directory and compile the kernel sources using

<pre>

export ARCH=arm

export CROSS_COMPILE=/path/to/android/source/prebuilt/linux-x86/toolchain/arm-eabi-4.4.0/bin/arm-eabi-

make oldconfig

make -j<jobs>

</pre>

To start the emulator using your custom kernel use the following command.

<pre>

emulator -kernel /path/to/kernel/source/arch/arm/boot/zImage &

</pre>

h2. Vstr Library

strongSwan can be fully integrated in the Android build system. But the required "Vstr string library":http://www.and.org/vstr/ can not (yet). Therefore, you will have to build that library first using "droid-gcc":http://github.com/tmurakam/droid-wrapper.

h3. droid-gcc

Since droid-gcc is written in Ruby you'll obviously need *Ruby* installed on your build system. Then download droid-gcc by either cloning the "Git tree":git://github.com/tmurakam/droid-wrapper.git or by downloading it "directly":http://github.com/tmurakam/droid-wrapper/raw/master/droid-gcc.

If you used Git you can install droid-gcc using @make install@, if you downloaded it directly, you have to manually create two symlinks to droid-gcc named _droid-gcc_ and _droid-ld_ in a directory that is included in your PATH environment variable.

h3. Build the Library

To simplify building the Vstr library, a build script is attached to this page (attachment:vstr.build). The attached patch (attachment:vstr.patch) and Android Makefile (attachment:vstr.mk) are also required.

Download the three helper files to an appropriate working directory and then download and extract the tarball for the Vstr library.

<pre>

wget http://download.strongswan.org/vstr-1.0.15.tar.bz2

tar xjf vstr-1.0.15.tar.bz2

</pre>

Adjust the variables in the build script (@DROID_ROOT@ and optionally @DROID_TARGET@ and @INSTALLDIR@). Make sure you specify @DROID_ROOT@ as an absolute path.

Then build and install the it using

<pre>

cd vstr-1.0.15

patch -p1 < ../vstr.patch

. ../vstr.build

</pre>

h2. libcURL

Optionally, "libcurl":http://curl.haxx.se/libcurl/ can be used to fetch CRLs. It is required if you intend to build [[scepclient]]. You can build it the same way as the Vstr library above, that is, with *droid-gcc*.

h3. Build the Library

As with the Vstr library a build script (attachment:curl.build) and an Android Makefile (attachment:curl.mk) are attached to this page.

Download the helper files to an appropriate working directory, then download and extract the current source tarball of libcurl.

Adjust the variables in the build script (see above), and build and install it using

<pre>

cd curl-x.x.x

. ../curl.build

</pre>

h2. strongSwan

Now you are ready to build strongSwan. Download the current tarball (or build it yourself from the strongSwan source tree) and extract it in @DROID_ROOT/external@.

If you changed @INSTALLDIR@ in the build scripts above, you will have to change the top Android.mk (or Android.mk.in) accordingly. You can also adjust the plugin list in the that file or enable/disable executables.

The executable you want to include in the system image (starter, charon, scepclient) have to be added to @PRODUCT_PACKAGES@ in @build/target/product/core.mk@. The libraries are automatically installed.

Now just build the Android source tree.

<pre>

cd /path/to/android/source

make

</pre>