Integration into the Android VPN frontend » History » Version 2
Tobias Brunner, 05.07.2010 11:34
added gateway config
| 1 | 1 | Tobias Brunner | h1. Integration into the Android VPN frontend |
|---|---|---|---|
| 2 | 1 | Tobias Brunner | |
| 3 | 1 | Tobias Brunner | To easily setup IKEv2/IPsec VPN connections with EAP-authentication on Android we prepared a set of patches that integrate strongSwan into the default Android VPN frontend. |
| 4 | 1 | Tobias Brunner | |
| 5 | 1 | Tobias Brunner | The patches should apply cleanly to the Android 2.2 (Froyo) sources. |
| 6 | 1 | Tobias Brunner | |
| 7 | 1 | Tobias Brunner | h2. Register charon |
| 8 | 1 | Tobias Brunner | |
| 9 | 1 | Tobias Brunner | We [[Android|previously]] described how to build strongSwan, the Kernel and libvstr. To register [[Charon|charon]] as a daemon, the @init.rc@ file of the @system/core@ project has to be patched (attachment:system.core.patch). |
| 10 | 1 | Tobias Brunner | |
| 11 | 1 | Tobias Brunner | <pre> |
| 12 | 1 | Tobias Brunner | cd /patch/to/android/source |
| 13 | 1 | Tobias Brunner | cd system/core |
| 14 | 1 | Tobias Brunner | patch -p1 < /path/to/system.core.patch |
| 15 | 1 | Tobias Brunner | cd - |
| 16 | 1 | Tobias Brunner | </pre> |
| 17 | 1 | Tobias Brunner | |
| 18 | 1 | Tobias Brunner | h2. Framework |
| 19 | 1 | Tobias Brunner | |
| 20 | 1 | Tobias Brunner | The actual VPN types and the Daemon Proxy provided in the @frameworks/base@ project have to be extended by another patch (attachment:frameworks.base.patch). |
| 21 | 1 | Tobias Brunner | |
| 22 | 1 | Tobias Brunner | <pre> |
| 23 | 1 | Tobias Brunner | cd frameworks/base |
| 24 | 1 | Tobias Brunner | patch -p1 < /path/to/frameworks.base.patch |
| 25 | 1 | Tobias Brunner | cd - |
| 26 | 1 | Tobias Brunner | </pre> |
| 27 | 1 | Tobias Brunner | |
| 28 | 1 | Tobias Brunner | h2. Settings (Frontend) |
| 29 | 1 | Tobias Brunner | |
| 30 | 1 | Tobias Brunner | And with a final patch (attachment:packages.apps.Settings.patch) the actual frontend in the @packages/apps/Settings@ project is extended. |
| 31 | 1 | Tobias Brunner | |
| 32 | 1 | Tobias Brunner | <pre> |
| 33 | 1 | Tobias Brunner | cd packages/apps/Settings |
| 34 | 1 | Tobias Brunner | patch -p1 < /path/to/packages.apps.Settings.patch |
| 35 | 1 | Tobias Brunner | cd - |
| 36 | 1 | Tobias Brunner | </pre> |
| 37 | 1 | Tobias Brunner | |
| 38 | 1 | Tobias Brunner | Building the complete source tree completes the integration. |
| 39 | 2 | Tobias Brunner | |
| 40 | 2 | Tobias Brunner | h2. Example Gateway Configuration |
| 41 | 2 | Tobias Brunner | |
| 42 | 2 | Tobias Brunner | h3. Certificates |
| 43 | 2 | Tobias Brunner | |
| 44 | 2 | Tobias Brunner | A gateway certificate signed by a Certificate Authority (CA) is required and the CA-certificate has to be installed on the Android phone. This can be done easily via the integrated browser. The web server has to provide @application/x-x509-ca-cert@ as MIME-type for the certificate to trigger the installation on the phone. |
| 45 | 2 | Tobias Brunner | |
| 46 | 2 | Tobias Brunner | h3. Configuration |
| 47 | 2 | Tobias Brunner | |
| 48 | 2 | Tobias Brunner | The following example gateway configuration can be used with the Android client (basically, you can use the same [[Win7EapMultipleConfig|configuration]] as for the [[Windows7|Windows 7]] clients). |
| 49 | 2 | Tobias Brunner | |
| 50 | 2 | Tobias Brunner | [[IpsecConf|ipsec.conf]] |
| 51 | 2 | Tobias Brunner | <pre> |
| 52 | 2 | Tobias Brunner | # ipsec.conf - strongSwan IPsec configuration file |
| 53 | 2 | Tobias Brunner | |
| 54 | 2 | Tobias Brunner | conn android |
| 55 | 2 | Tobias Brunner | leftsubnet=0.0.0.0/0 |
| 56 | 2 | Tobias Brunner | leftcert=vpnCert.pem |
| 57 | 2 | Tobias Brunner | leftauth=pubkey |
| 58 | 2 | Tobias Brunner | leftid=@vpn.strongswan.org |
| 59 | 2 | Tobias Brunner | right=%any |
| 60 | 2 | Tobias Brunner | rightsourceip=10.0.5.0/24 |
| 61 | 2 | Tobias Brunner | rightauth=eap-mschapv2 |
| 62 | 2 | Tobias Brunner | rightsendcert=never |
| 63 | 2 | Tobias Brunner | keyexchange=ikev2 |
| 64 | 2 | Tobias Brunner | eap_identity=%any |
| 65 | 2 | Tobias Brunner | auto=add |
| 66 | 2 | Tobias Brunner | </pre> |
| 67 | 2 | Tobias Brunner | |
| 68 | 2 | Tobias Brunner | [[IpsecSecrets|ipsec.secrets]] |
| 69 | 2 | Tobias Brunner | <pre> |
| 70 | 2 | Tobias Brunner | # /etc/ipsec.secrets - strongSwan IPsec secrets file |
| 71 | 2 | Tobias Brunner | |
| 72 | 2 | Tobias Brunner | : RSA vpnKey.pem |
| 73 | 2 | Tobias Brunner | |
| 74 | 2 | Tobias Brunner | carol : EAP "abcd1234" |
| 75 | 2 | Tobias Brunner | dave : EAP "fghj5678" |
| 76 | 2 | Tobias Brunner | </pre> |
| 77 | 2 | Tobias Brunner | |
| 78 | 2 | Tobias Brunner | [[StrongswanConf|strongswan.conf]] |
| 79 | 2 | Tobias Brunner | <pre> |
| 80 | 2 | Tobias Brunner | # /etc/strongswan.conf - strongSwan configuration file |
| 81 | 2 | Tobias Brunner | |
| 82 | 2 | Tobias Brunner | charon { |
| 83 | 2 | Tobias Brunner | dns1 = 62.2.17.60 |
| 84 | 2 | Tobias Brunner | dns2 = 62.2.24.162 |
| 85 | 2 | Tobias Brunner | } |
| 86 | 2 | Tobias Brunner | </pre> |