Version 4 (Tobias Brunner, 15.08.2012 14:18) → Version 5/7 (Tobias Brunner, 23.10.2012 18:04)
h1. Integration into the Android VPN frontend
bq. *Important:* This patch is quite outdated. We now provide [[AndroidVPNClient|an App for Android 4 and newer]].
To easily set up IKEv2/IPsec VPN connections with EAP authentication on Android, we prepared a set of patches that integrate strongSwan into the default Android VPN frontend.
The patches should apply cleanly to the Android 2.2 (Froyo) sources.
h2. Register charon as Daemon
We [[Android|previously]] described how to [[Android|build strongSwan, the Kernel and libvstr for Android]].
To register [[Charon|charon]] as a daemon, the @init.rc@ file of the @system/core@ project has to be patched (attachment:system.core.patch).
<pre>
cd /path/to/android/source
cd system/core
patch -p1 < /path/to/system.core.patch
cd -
</pre>
h2. Framework
The actual VPN types and the Daemon Proxy provided in the @frameworks/base@ project have to be extended by another patch (attachment:frameworks.base.patch).
<pre>
cd frameworks/base
patch -p1 < /path/to/frameworks.base.patch
cd -
</pre>
h2. Settings (Frontend)
A final patch (attachment:packages.apps.Settings.patch) extends the actual frontend in the @packages/apps/Settings@ project.
<pre>
cd packages/apps/Settings
patch -p1 < /path/to/packages.apps.Settings.patch
cd -
</pre>
Building the complete source tree completes the integration.
h2. Example Gateway Configuration
h3. Certificates
A gateway certificate signed by a Certificate Authority (CA) is required and the CA-certificate has to be installed on the Android phone. This can be done easily via the integrated browser. The web server has to provide @application/x-x509-ca-cert@ as MIME-type for the certificate to trigger the installation on the phone.
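One way to serve the CA certificate with that MIME type, as an added example (not part of the original wiki page or of strongSwan): a Python standard-library server that returns only the certificate and answers 404 for everything else, so key files stored next to it are never exposed. The path @/caCert.pem@ and all function names are assumptions.

```python
import http.server
import threading
import urllib.error
import urllib.request

CA_MIME = "application/x-x509-ca-cert"  # MIME type named on this page
CERT_URL_PATH = "/caCert.pem"           # assumed download path

def make_handler(cert_bytes):
    """Build a handler that serves exactly one resource: the CA certificate."""
    class CACertHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != CERT_URL_PATH:
                # Nothing else is reachable, so a private key stored next
                # to the certificate cannot be served by accident.
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", CA_MIME)
            self.send_header("Content-Length", str(len(cert_bytes)))
            self.end_headers()
            self.wfile.write(cert_bytes)

        def log_message(self, fmt, *args):
            pass  # keep the demo quiet
    return CACertHandler

def serve_ca_cert(cert_bytes, host="127.0.0.1", port=0):
    """Start the server in a background thread; return (server, base_url)."""
    server = http.server.HTTPServer((host, port), make_handler(cert_bytes))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d" % (host, server.server_address[1])

def fetch(url):
    """GET url without any proxy; return (status, content_type, body)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), b""

if __name__ == "__main__":
    # Constructed placeholder; in practice read the real CA certificate file.
    demo = b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
    srv, base = serve_ca_cert(demo)
    print(fetch(base + CERT_URL_PATH)[:2])  # status and Content-Type
    print(fetch(base + "/vpnKey.pem")[0])   # any other path is refused
    srv.shutdown()
```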
h3. Configuration
The following example gateway configuration can be used with the Android client (basically, you can use the same [[Win7EapMultipleConfig|configuration]] as for the [[Windows7|Windows 7]] clients).
[[IpsecConf|ipsec.conf]]
<pre>
# ipsec.conf - strongSwan IPsec configuration file
conn android
    leftsubnet=0.0.0.0/0
    leftcert=vpnCert.pem
    leftauth=pubkey
    leftid=@vpn.strongswan.org
    right=%any
    rightsourceip=10.0.5.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    keyexchange=ikev2
    eap_identity=%any
    auto=add
</pre>
[[IpsecSecrets|ipsec.secrets]]
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA vpnKey.pem
carol : EAP "abcd1234"
dave : EAP "fghj5678"
</pre>
[[StrongswanConf|strongswan.conf]]
<pre>
# /etc/strongswan.conf - strongSwan configuration file
charon {
    dns1 = 62.2.17.60
    dns2 = 62.2.24.162
}
</pre>