Integration into the Android VPN frontend
Important: This patch is quite outdated. We now provide an App for Android 4 and newer.
This is not supported anymore! The required plugin for the charon daemon was removed with 5.0.3.
To easily set up IKEv2/IPsec VPN connections with EAP authentication on Android, we prepared a set of patches that integrate strongSwan into the default Android VPN frontend.
The patches should apply cleanly to the Android 2.2 (Froyo) sources.
Register charon as Daemon
We previously described how to build strongSwan, the Kernel and libvstr for Android.
To register charon as a daemon, the init.rc file of the system/core project has to be patched (system.core.patch).

    cd /path/to/android/source
    cd system/core
    patch -p1 < /path/to/system.core.patch
    cd -
Framework
The actual VPN types and the Daemon Proxy provided in the frameworks/base project have to be extended by another patch (frameworks.base.patch).

    cd frameworks/base
    patch -p1 < /path/to/frameworks.base.patch
    cd -
Settings (Frontend)
And with a final patch (packages.apps.Settings.patch) the actual frontend in the packages/apps/Settings project is extended.

    cd packages/apps/Settings
    patch -p1 < /path/to/packages.apps.Settings.patch
    cd -
Building the complete source tree completes the integration.
Example Gateway Configuration
Certificates
A gateway certificate signed by a Certificate Authority (CA) is required and the CA certificate has to be installed on the Android phone. This can be done easily via the integrated browser. The web server has to provide application/x-x509-ca-cert as MIME-type for the certificate to trigger the installation on the phone.
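A minimal way to serve the CA certificate with that MIME type, as an added example that is not part of the original page or the strongSwan project. The download path /caCert.crt and port 8000 are assumptions; the script also prints a SHA-256 fingerprint so the file fetched over plain HTTP can be compared against the original.

```python
import hashlib
import http.server
import ssl
import threading

CA_MIME = "application/x-x509-ca-cert"  # MIME type named on this page
URL_PATH = "/caCert.crt"                # assumed download path (hypothetical)

def fingerprint(cert_bytes):
    """SHA-256 over the DER form, whether the file is PEM or DER."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        cert_bytes = ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii").strip())
    return hashlib.sha256(cert_bytes).hexdigest()

def make_handler(cert_bytes):
    class CertHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != URL_PATH:      # serve the certificate and nothing else
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", CA_MIME)
            self.send_header("Content-Length", str(len(cert_bytes)))
            self.end_headers()
            self.wfile.write(cert_bytes)

        def log_message(self, fmt, *args):  # keep the console for the fingerprint
            pass
    return CertHandler

def serve(cert_bytes, host="127.0.0.1", port=0):
    """Start the server in a background thread and return it (port 0 = any free port)."""
    server = http.server.ThreadingHTTPServer((host, port), make_handler(cert_bytes))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:     # path to the CA certificate file
        data = f.read()
    srv = serve(data, "0.0.0.0", 8000)     # assumed port
    print("Serving on port 8000 at", URL_PATH)
    print("SHA-256 fingerprint:", fingerprint(data))
    input("Press Enter to stop\n")
    srv.shutdown()
```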
Configuration
The following example gateway configuration can be used with the Android client (basically, you can use the same configuration as for the Windows 7 clients).
    # ipsec.conf - strongSwan IPsec configuration file

    conn android
        leftsubnet=0.0.0.0/0
        leftcert=vpnCert.pem
        leftauth=pubkey
        leftid=@vpn.strongswan.org
        right=%any
        rightsourceip=10.0.5.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        keyexchange=ikev2
        eap_identity=%any
        auto=add

    # /etc/ipsec.secrets - strongSwan IPsec secrets file

    : RSA vpnKey.pem

    carol : EAP "abcd1234"
    dave : EAP "fghj5678"

    # /etc/strongswan.conf - strongSwan configuration file

    charon {
        dns1 = 62.2.17.60
        dns2 = 62.2.24.162
    }