Integration into the Android VPN frontend

Important: This patch is quite outdated. We now provide an App for Android 4 and newer.

This is not supported anymore! The required plugin for the charon daemon was removed with 5.0.3.

To make it easy to set up IKEv2/IPsec VPN connections with EAP authentication on Android, we prepared a set of patches that integrate strongSwan into the default Android VPN frontend.

The patches should apply cleanly to the Android 2.2 (Froyo) sources.

Register charon as Daemon

We previously described how to build strongSwan, the Kernel and libvstr for Android.

To register charon as a daemon, the init.rc file of the system/core project has to be patched (system.core.patch).

cd /path/to/android/source
cd system/core
patch -p1 < /path/to/system.core.patch
cd -

Framework

The actual VPN types and the Daemon Proxy provided in the frameworks/base project have to be extended by another patch (frameworks.base.patch).

cd frameworks/base
patch -p1 < /path/to/frameworks.base.patch
cd -

Settings (Frontend)

A final patch (packages.apps.Settings.patch) extends the actual frontend in the packages/apps/Settings project.

cd packages/apps/Settings
patch -p1 < /path/to/packages.apps.Settings.patch
cd -

Building the complete source tree completes the integration.

Example Gateway Configuration

Certificates

A gateway certificate signed by a Certificate Authority (CA) is required, and the CA certificate has to be installed on the Android phone. This can be done easily via the integrated browser. The web server has to serve the certificate with the MIME type application/x-x509-ca-cert to trigger the installation on the phone.
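
Added example (not part of the original page or of the strongSwan project): a minimal Python server that publishes the CA certificate with the application/x-x509-ca-cert MIME type and nothing else, so a private key such as vpnKey.pem stored next to it is never exposed. The URL path /caCert.pem, the loopback address and the sample certificate bytes are assumptions made for the example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CA_MIME = "application/x-x509-ca-cert"  # MIME type required by the text above


def make_ca_server(cert_bytes, url_path="/caCert.pem", host="127.0.0.1", port=0):
    """Return an HTTPServer that serves only cert_bytes, and only at url_path."""
    if b"PRIVATE KEY" in cert_bytes:  # never publish key material by mistake
        raise ValueError("refusing to serve a file that contains a private key")

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != url_path:  # no directory listing, no other files
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", CA_MIME)
            self.send_header("Content-Length", str(len(cert_bytes)))
            self.end_headers()
            self.wfile.write(cert_bytes)

    return HTTPServer((host, port), Handler)


def probe(server, path):
    """GET path from the running server; return (status, Content-Type)."""
    url = "http://%s:%d%s" % (server.server_address[0], server.server_address[1], path)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.headers.get("Content-Type")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type")


def demo():
    # Constructed placeholder bytes, not a real certificate.
    sample = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    server = make_ca_server(sample)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server, "/caCert.pem"), probe(server, "/vpnKey.pem")
    finally:
        server.shutdown()
        server.server_close()
```

For real use, pass the bytes of the CA certificate file to make_ca_server together with an address the phone can reach, then call serve_forever() on the returned server.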

Configuration

The following example gateway configuration can be used with the Android client (basically, you can use the same configuration as for the Windows 7 clients).

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

conn android
    leftsubnet=0.0.0.0/0
    leftcert=vpnCert.pem
    leftauth=pubkey
    leftid=@vpn.strongswan.org
    right=%any
    rightsourceip=10.0.5.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    keyexchange=ikev2
    eap_identity=%any
    auto=add

ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA vpnKey.pem

carol : EAP "abcd1234" 
dave  : EAP "fghj5678" 

strongswan.conf

# /etc/strongswan.conf - strongSwan configuration file

charon {
    dns1 = 62.2.17.60
    dns2 = 62.2.24.162
}

system.core.patch - patch for the system/core project (489 Bytes) Tobias Brunner, 05.07.2010 11:11

frameworks.base.patch - patch for the frameworks/base project (6.97 KB) Tobias Brunner, 05.07.2010 11:12

packages.apps.Settings.patch - patch for the packages/apps/Settings project (6.89 KB) Tobias Brunner, 05.07.2010 11:12