Project

General

Profile

strongSwan VPN Client for Android 4+ » History » Version 58

Tobias Brunner, 19.06.2020 14:43
Note about UDP-encap

1 1 Tobias Brunner
h1. strongSwan VPN Client for Android 4+
2 1 Tobias Brunner
3 36 Tobias Brunner
{{>toc(2)}}
4 36 Tobias Brunner
5 41 Tobias Brunner
The "strongSwan VPN Client for Android 4 and newer":https://play.google.com/store/apps/details?id=org.strongswan.android is an app that can be installed directly from "Google Play":https://play.google.com/store/apps/details?id=org.strongswan.android.
6 41 Tobias Brunner
7 41 Tobias Brunner
Aside from "Google Play":https://play.google.com/store/apps/details?id=org.strongswan.android the released APKs are also available on "our download server":https://download.strongswan.org/Android/.
8 1 Tobias Brunner
9 21 Tobias Brunner
h2. Client Configuration
10 1 Tobias Brunner
11 26 Tobias Brunner
Since version [[AndroidVPNClient#180-2017-01-20|1.8.0]] of the app it is possible to [[AndroidVPNClientProfiles|import VPN profiles]] from files.
12 26 Tobias Brunner
13 21 Tobias Brunner
Client certificates and keys, and CA certificates may be added by [[SimpleCA#Install-certificates-in-other-platforms|bundling them into a PKCS#12 file]] and then importing that file into the Android system keystore. CA certificates and server certificates may also be imported directly into the app since [[AndroidVPNClient#140-2014-07-22|1.4.0]]. Importing CA certificates into the Android system keystore may trigger a warning since Android 4.4 ("Network may be monitored by an unknown third party":https://code.google.com/p/android/issues/detail?id=62644), whereas importing CA certificates directly into the app will work fine.
14 21 Tobias Brunner
15 49 Tobias Brunner
Since [[AndroidVPNClient#190-2017-07-03|1.9.0]] split tunneling may be configured on the client (i.e. to only route specific traffic via VPN and/or to exclude certain traffic from the VPN). The client always proposes 0.0.0.0/0 as remote traffic selector and narrowing performed by the server still applies. Since [[AndroidVPNClient#150-2015-07-28|1.5.0]] the user may opt to block all traffic not destined for the VPN if the server does narrow the traffic selector or split tunneling is configured on the client.
16 30 Tobias Brunner
17 30 Tobias Brunner
Since [[AndroidVPNClient#190-2017-07-03|1.9.0]] it is possible to limit a VPN connection to specific apps or exclude certain apps from using the VPN (to them it will seem as if no VPN is present).
18 30 Tobias Brunner
19 49 Tobias Brunner
Since [[AndroidVPNClient#200-2018-07-03|2.0.0]] an optional Quick Settings tile (Android 7+) shows the current connection status and allows connecting/terminating the current VPN connection easily. The same version brought support for the Always-on VPN feature that may be enabled in the system's VPN settings on Android 7+ and will start the VPN profile after a reboot (refer to the [[AndroidVPNClient#200-2018-07-03|changelog]] for potential caveats). The default VPN profile used for these two features may be configured in the app's global settings (the default is to initiate the most recently used profile).
20 1 Tobias Brunner
21 47 Tobias Brunner
The app allows creating shortcuts on the Android Launcher to quickly initiate specific VPN profiles.
22 47 Tobias Brunner
23 49 Tobias Brunner
Since [[AndroidVPNClient#200-2018-07-03|2.0.0]] it's possible to use Intents and a VPN profile's UUID to connect/terminate it with automation apps such as Llama or Tasker e.g. based on location, WiFi hotspots or other events.
24 47 Tobias Brunner
25 47 Tobias Brunner
{{collapse(How-to use Intents to connect/terminate VPN profiles)
26 47 Tobias Brunner
The UUID required for this can be found at the bottom of the advanced settings when editing a profile and may be copied from there.
27 47 Tobias Brunner
28 47 Tobias Brunner
To connect a profile use the following information in the Intent:
29 47 Tobias Brunner
30 47 Tobias Brunner
* *Package*: org.strongswan.android
31 47 Tobias Brunner
* *Action*: org.strongswan.android.action.START_PROFILE
32 47 Tobias Brunner
* *Extras*:
33 49 Tobias Brunner
** org.strongswan.android.VPN_PROFILE_ID : UUID of the profile to start (a string that looks like this: _7b21d354-52ed-4c14-803a-a3370f575405_)
34 47 Tobias Brunner
35 47 Tobias Brunner
To disconnect the profile use the following information in the Intent:
36 47 Tobias Brunner
37 47 Tobias Brunner
* *Package*: org.strongswan.android
38 47 Tobias Brunner
* *Action*: org.strongswan.android.action.DISCONNECT
39 47 Tobias Brunner
* *Extras*:
40 47 Tobias Brunner
** org.strongswan.android.VPN_PROFILE_ID : UUID of the profile to disconnect
41 49 Tobias Brunner
* *Note*: If no profile ID is passed, or it doesn't match the ID of the currently connected profile, a dialog is shown that asks confirmation from the user to disconnect the currently connected profile.
42 47 Tobias Brunner
}}
43 47 Tobias Brunner
44 21 Tobias Brunner
h2. Server Configuration
45 21 Tobias Brunner
46 49 Tobias Brunner
The app is compatible to the [[WindowsClients|Windows example configurations]] we provide (although the app supports stronger algorithms than Windows clients do) and the [[UsableExamples#Roadwarrior-scenario|IKEv2 roadwarrrior examples]]. Since strongSwan version:5.2.1 and version [[AndroidVPNClient#145-2014-11-06|1.4.5]] of the app _fragmentation=yes_ may be added to the server config to use IKEv2 fragmentation, which avoids problems with IP fragmentation during connection establishment (due to large certificates or lots of certificate requests).
47 21 Tobias Brunner
48 21 Tobias Brunner
*Important:* The hostname/IP of the VPN server, as configured in the VPN profile, has to be contained as subjectAltName extension in the VPN server's certificate. Since [[AndroidVPNClient#160-2016-05-02|1.6.0]] the server identity may also be configured explicitly.
49 21 Tobias Brunner
50 21 Tobias Brunner
h2. Known Limitations/Issues
51 21 Tobias Brunner
52 1 Tobias Brunner
 * Only IKEv2 is supported
53 21 Tobias Brunner
 * Client authentication is limited to:
54 21 Tobias Brunner
55 50 Tobias Brunner
   * EAP authentication based on username/password (EAP-MSCHAPv2, EAP-MD5, EAP-GTC)
56 21 Tobias Brunner
   * RSA/ECDSA authentication with private key/certificate
57 21 Tobias Brunner
   * EAP-TLS with private key/certificate (see [[AndroidVPNClient#145-2014-11-06|1.4.5]] for limitations)
58 21 Tobias Brunner
 * The server always has to be authenticated with RSA/ECDSA (even when using EAP-TLS, see [[AndroidVPNClient#145-2014-11-06|1.4.5]])
59 52 Tobias Brunner
 * PSK authentication is *not* supported, as it is potentially very dangerous because the client might send the hash of a weak password to a rogue VPN server. Thus we prefer EAP authentication where the server is first authenticated with a certificate and only afterwards the client uses its password.
60 1 Tobias Brunner
 * Only a single tunnel can be established at a time
61 46 Tobias Brunner
 * The IPsec default proposals are limited to AES encryption with SHA2/SHA1 data integrity or AES-GCM authenticated encryption. Optionally, using PFS with one of a number of proposed ECP/MODP DH groups. Since [[AndroidVPNClient#170-2016-12-08|1.7.0]] ChaCha20/Poly1305 authenticated encryption and Curve25519-based DH is also supported and proposed. And since [[AndroidVPNClient#195-2017-11-17|1.9.5]] a custom ESP proposal may be configured.
62 58 Tobias Brunner
 * Since the app runs with reduced privileges (it can't open RAW/PACKET sockets), it is limited to use UDP-encapsulated ESP, which it sends/receives via the UDP sockets used for IKE. So UDP-encapsulation is [[NatTraversal#UDP-Encapsulation-of-ESP|always enforced]], even if there is no NAT between client and server, by sending a random NAT-D payload.
63 1 Tobias Brunner
64 27 Tobias Brunner
 * The app is not compatible with Google's "Project Fi":https://fi.google.com, which provides its own always-on VPN connection. To use the app this has to be disabled first using the following procedure.
65 22 Tobias Brunner
66 22 Tobias Brunner
   {{collapse(How-to disable Project Fi's always-on VPN)
67 22 Tobias Brunner
The always-on VPN connection can't be disabled without disabling the _Wi-Fi Assistant_ first:
68 22 Tobias Brunner
# In _Settings_ click _Google_
69 22 Tobias Brunner
# Click _Network_
70 22 Tobias Brunner
# Turn off the _Wi-Fi Assistant_ setting
71 22 Tobias Brunner
# Restart the device
72 22 Tobias Brunner
73 22 Tobias Brunner
Then turn off the always-on VPN connection:
74 22 Tobias Brunner
# In _Settings_ click _More_ under _Wireless & Networks_
75 22 Tobias Brunner
# Click _VPN_
76 22 Tobias Brunner
# Click the gear next to the _Wi-Fi Assistant_
77 22 Tobias Brunner
# Make sure "Always On" is not active
78 1 Tobias Brunner
}}
79 27 Tobias Brunner
80 37 Tobias Brunner
 * If you don't get a list of installed apps to exclude/include from the VPN you might have to explicitly allow the strongSwan app to get this list. For instance, on the Huawei Mate 9 via _Phone Manager > Permissions_.
81 37 Tobias Brunner
82 34 Tobias Brunner
 * It might be necessary to exclude the app from any battery saver feature on the system (e.g. on the Xiaomi MIUI8).
83 34 Tobias Brunner
84 27 Tobias Brunner
 * Apps that create a screen overlay, such as _Twilight_ or _Night Mode_, might interfere with the dialog to grant the app permission to create a VPN connection (unable to tap _OK/Grant_). If that's the case, temporarily disable any such app or, if possible, whitelist/exclude the _VPNDialogs_ system app from this feature.
85 22 Tobias Brunner
86 17 Tobias Brunner
 * *Note:* There are some serious issues on Android 4.4 before 4.4.3 (see #462)
87 21 Tobias Brunner
88 4 Tobias Brunner
 * If you have problems with the app, find bugs or have feature requests you may open a new "issue report":https://wiki.strongswan.org/projects/strongswan/issues (please use the search function first to avoid duplicates). You may also send us the log file via email directly from within the app.
89 4 Tobias Brunner
90 21 Tobias Brunner
h2. Further Information
91 9 Noel Kuntze
92 26 Tobias Brunner
 * [[AndroidVPNClientProfiles|File format for VPN profiles]]
93 21 Tobias Brunner
 * [[AndroidVPNClientBuild|How to build the app from sources]]
94 21 Tobias Brunner
 * [[AndroidVPNClientPrivacyPolicy|Privacy Policy]]
95 2 Tobias Brunner
96 48 Tobias Brunner
h2. Beta Testing
97 48 Tobias Brunner
98 48 Tobias Brunner
Sometimes we publish beta versions of our app on Google Play. If you'd like to try new features and provide us with valuable feedback, please "opt-in here":https://play.google.com/apps/testing/org.strongswan.android, or directly from the app's page in the Play store.
99 48 Tobias Brunner
100 1 Tobias Brunner
h2. Changelog
101 1 Tobias Brunner
102 57 Tobias Brunner
h3. 2.3.0 (2020-06-02)
103 57 Tobias Brunner
104 57 Tobias Brunner
* Several changes try to improve reachability even in Android's deep sleep phases (#3364)
105 57 Tobias Brunner
** An Android-specific scheduler (based on AlarmManager) and whitelisting from the system's battery optimization (the user is automatically asked to do so) ensures the app is woken at the scheduled times, which ensure that events (in particular for NAT keepalives) are triggered accurately
106 57 Tobias Brunner
** DPDs are sent if no NAT keepalive has been sent for a while
107 57 Tobias Brunner
** DPDs are sent after address/routing changes even if the path to the peer stays the same
108 57 Tobias Brunner
** Lifetimes are slightly increased to avoid conflicts even with inaccurate scheduling (IKE_SA overtime is now 30m instead of 10m, CHILD_SA lifetime is 2.5h instead of 1h, rekeyings are initiated ~30m before that)
109 57 Tobias Brunner
* Fixes the app icon on Android < 5.0
110 57 Tobias Brunner
* Fixes a possible crash via QuickSettings tile on some devices
111 57 Tobias Brunner
112 56 Tobias Brunner
h3. 2.2.1 (2019-11-19)
113 56 Tobias Brunner
114 56 Tobias Brunner
* Fixes loading CRL/OCSP via HTTP on Android 9, which defaults to HTTPs only (#3273)
115 56 Tobias Brunner
116 55 Tobias Brunner
h3. 2.2.0 (2019-10-15)
117 55 Tobias Brunner
118 55 Tobias Brunner
* Makes the client identity configurable (via advanced settings and [[AndroidVPNClientProfiles|profiles]]) also when using EAP authentication (#3134)
119 55 Tobias Brunner
** The certificate identity is now configured using the same text field (with auto-completion for SANs) instead of a drop-down field (just leave it empty to use the certificate's subject DN as identity)
120 55 Tobias Brunner
* Fixes an issue with ECDSA certificate selection on Android 10 (#3196)
121 55 Tobias Brunner
** Note that Android 10 doesn't show the dialog (with a button to install certs) if no certificates are found. Installation has to happen via [[AndroidVPNClientProfiles|profile]] or externally
122 55 Tobias Brunner
* Fixes an issue with break-before-make reauthentication (used if MOBIKE is not supported) if the server concurrently deletes the IKE_SA
123 55 Tobias Brunner
* Uses a different API (@ConnectivityManager.registerNetworkCallback@ instead of the deprecated @ConnectivityManager.CONNECTIVITY_ACTION@) to detect network changes on Android 7 and newer
124 55 Tobias Brunner
* Fixes a potential crash on Huawei devices
125 55 Tobias Brunner
126 54 Tobias Brunner
h3. 2.1.1 (2019-04-24)
127 54 Tobias Brunner
128 54 Tobias Brunner
* Authentication via EAP-MSCHPv2 now supports UTF-8 encoded passwords
129 54 Tobias Brunner
* Fixes an issue with upgrades from older versions
130 54 Tobias Brunner
131 53 Tobias Brunner
h3. 2.1.0 (2019-03-14)
132 53 Tobias Brunner
133 53 Tobias Brunner
* Adds a copy command to duplicate an existing VPN profile
134 53 Tobias Brunner
* Allows configuring custom DNS servers for each VPN profile
135 53 Tobias Brunner
136 51 Tobias Brunner
h3. 2.0.2 (2018-10-17)
137 51 Tobias Brunner
138 51 Tobias Brunner
* Fixes potential DNS leaks caused by "a bug in Android 9":https://issuetracker.google.com/issues/116257079
139 51 Tobias Brunner
* Fixes clicking some buttons (certificate selection, app selection) with keyboard navigation (also affects e.g. Fire TV sticks) when running on Android < 8 
140 51 Tobias Brunner
* Fixes an issue with the QuickSettings tile on some devices where the callback is called even if no tile is available
141 51 Tobias Brunner
* Fixes profile selection/edit when the device is rotated
142 51 Tobias Brunner
143 50 Tobias Brunner
h3. 2.0.1 (2018-07-04)
144 50 Tobias Brunner
145 50 Tobias Brunner
* Removes support for EAP-PEAP/TTLS as it caused major issues with commercial VPN services (one issue was that the server identity was initially enforced as AAA identity, but changing that revealed that some providers use self-signed AAA server certificates - not sure what clients accept that), hopefully proper support can be added in a future version
146 50 Tobias Brunner
* Fixes a possible crash related to Android 8's optional Autofill feature ("the bug that causes it":https://issuetracker.google.com/issues/67675432 was apparently fixed with Android 8.1, but has not been backported)
147 50 Tobias Brunner
148 49 Tobias Brunner
h3. 2.0.0 (2018-07-03)
149 42 Tobias Brunner
150 42 Tobias Brunner
* Supports the Always-on VPN feature on Android 7+ (#2179)
151 42 Tobias Brunner
** Android 8 only starts the VPN service after the user has unlocked the device after a reboot
152 42 Tobias Brunner
** Android 7 immediately starts the VPN service after booting, but that means the app has no access to the KeyChain yet (if certificates are used), so no VPN connection can be established until the user unlocks the device
153 45 Tobias Brunner
** If password authentication is used and the password is not stored in the profile, the connection is aborted and the user has to manually retry connecting to enter the password
154 45 Tobias Brunner
** The "Block connections without VPN" system option on Android 8+ blocks all traffic not sent via VPN without considering any subnets/apps that are excluded from a VPN (i.e. that feature is not compatible with split-tunneling)
155 42 Tobias Brunner
* Adds a Quick Settings tile on Android 7+ to quickly initiate/terminate the VPN connection (#2398)
156 42 Tobias Brunner
** Similar to the Always-on feature, Android 8 doesn't enable the Quick Settings tile until the user unlocked the device after a reboot
157 42 Tobias Brunner
** Disconnecting via tile from the lock screen requires the user to unlock the device, connecting is possible without (unless a password has to be entered)
158 42 Tobias Brunner
* The new settings activity allows specifying a default VPN profile used for the two features above (the default is to initiate the most recently used profile)
159 42 Tobias Brunner
* The app automatically tries to reconnect the VPN profile if fatal errors occur (e.g. authentication failures). The retries are delayed by an exponential backoff, which is currently capped at 2 minutes
160 42 Tobias Brunner
** The status screen in the main activity as well as the notification show a countdown until the next automatic retry, manually retrying is possible from both locations
161 42 Tobias Brunner
* On Android 5+ a dummy VPN interface is installed while connecting to a VPN profile, or recovering from errors, to block unencrypted traffic, while taking excluded subnets/apps configured in the profile into account
162 42 Tobias Brunner
** Note that this VPN interface is removed when the VPN is disconnected
163 42 Tobias Brunner
* Errors are not shown in a modal dialog anymore in the main activity, but in a banner directly above the status information (with buttons to view the log and retry connecting)
164 45 Tobias Brunner
* Uses a separate activity to initiate/terminate/retry VPN profiles, which avoids having to bring the main Activity to the foreground for these actions
165 1 Tobias Brunner
* Adds options to disable OCSP/CRL fetching (e.g. if it's known the server is not available, or if CRLs are too large)
166 45 Tobias Brunner
* Adds an option to enable strict revocation checking via OCSP/CRL. If enabled, the authentication will fail if the revocation status of the server certificate is unknown (e.g. because no valid CRL is available)
167 42 Tobias Brunner
* Fetching OCSP/CRL can now be aborted immediately (e.g. to cancel connecting if an OCSP server is not reachable)
168 50 Tobias Brunner
* -Basic support for EAP-TTLS/EAP-PEAP has been added (#2392)- Had to be removed again with [[AndroidVPNClient#201-2018-07-04|2.0.1]]
169 42 Tobias Brunner
* Adds an option to use PSS encoding for RSA signatures instead of the classic PKCS#1 encoding (#2367)
170 42 Tobias Brunner
* The explicit ESP proposals for the deprecated Suite B have been removed
171 1 Tobias Brunner
* Adds more clear error messages if permission for VPNs can't be acquired (e.g. because another app has the Always-on VPN feature enabled)
172 49 Tobias Brunner
* The date/time/thread is shown in the log view if enough space is available (e.g. on tablets or even in landscape orientation on phones), it should also be more efficient when displaying large logs
173 47 Tobias Brunner
* Removes the MIME-type filter when importing trusted certificates, allowing the import of certificates even if they don't have an X.509 related MIME-type set
174 44 Tobias Brunner
* All VPN profiles now have a random UUID assigned (its value may be copied from the profile editor e.g. to initiate/terminate a VPN profile via explicit Intent)
175 30 Tobias Brunner
176 40 Tobias Brunner
h3. 1.9.6 (2018-02-08)
177 40 Tobias Brunner
178 40 Tobias Brunner
* Always sends the client certificate (if applicable) instead of only after receiving a certificate request (allows servers that accept certificates from lots of CAs to avoid sending certificate requests)
179 40 Tobias Brunner
180 38 Tobias Brunner
h3. 1.9.5 (2017-11-17)
181 38 Tobias Brunner
182 38 Tobias Brunner
* Makes the IKE and/or ESP algorithms configurable
183 39 Tobias Brunner
* Removes _modp1024_ from the default IKEv2 proposal. If the server only allows this DH group, a custom IKE proposal has to be configured in the VPN profile
184 38 Tobias Brunner
185 35 Tobias Brunner
h3. 1.9.4 (2017-09-18)
186 35 Tobias Brunner
187 35 Tobias Brunner
* Adds support for delta CRLs
188 35 Tobias Brunner
* Fixes issues with fragmented IP packets ("gh#80":https://github.com/strongswan/strongswan/pull/80)
189 35 Tobias Brunner
* Ensures expires are triggered for the correct IPsec SA (#2399)
190 35 Tobias Brunner
* Fixes an issue with multicast addresses when using split tunneling on older Android releases (#2420)
191 35 Tobias Brunner
* Does not consider a DH group mismatch as failure anymore as responder of a CHILD_SA rekeying (commit:e7276f78aa)
192 35 Tobias Brunner
193 33 Tobias Brunner
h3. 1.9.3 (2017-09-04)
194 33 Tobias Brunner
195 33 Tobias Brunner
* Adds support to verify server certificates via OCSP(Online Certificate Status Protocol)
196 33 Tobias Brunner
* Caches CRLs in the app directory (#2405)
197 33 Tobias Brunner
* The CRL cache may be cleared via main menu
198 33 Tobias Brunner
* Adds a button to reconnect the VPN profile to the "currently connected" dialog
199 33 Tobias Brunner
* Don't apply/configure app selection on Android < 5 (the API is not supported there)
200 33 Tobias Brunner
* Initiator SPIs are reset when retrying while reconnecting, which might avoid issues with @INVALID_KE_PAYLOAD@ notifies
201 33 Tobias Brunner
* Catches some random exceptions (as seen in Play Console)
202 33 Tobias Brunner
203 32 Tobias Brunner
h3. 1.9.2 (2017-07-04)
204 32 Tobias Brunner
205 32 Tobias Brunner
* Fixes a crash on Android <= 5
206 32 Tobias Brunner
* Fixes database update when updating from app versions < 1.8.0
207 32 Tobias Brunner
208 31 Tobias Brunner
h3. 1.9.1 (2017-07-03)
209 31 Tobias Brunner
210 31 Tobias Brunner
* Fixes a crash with pre-existing profiles
211 31 Tobias Brunner
212 30 Tobias Brunner
h3. 1.9.0 (2017-07-03)
213 30 Tobias Brunner
214 30 Tobias Brunner
* Adds support for split-tunneling on the client (only route specific traffic via VPN and/or exclude specific traffic from the VPN)
215 30 Tobias Brunner
* Adds support for per-app VPN (either allow only specific apps to use the VPN or exclude certain apps from using it)
216 30 Tobias Brunner
* Sending of certificate requests may be disabled (while this allows reducing the size of the IKE_AUTH message, e.g. if fragmentation is not supported, it only works if the server also sends its certificate if it didn't receive any certificate requests)
217 30 Tobias Brunner
* NAT-T keepalive interval is now configurable (#2365)
218 30 Tobias Brunner
* [[AndroidVPNClientProfiles|VPN profiles]] may be imported via SAF(Storage Access Framework) and allow the configuration of the new settings
219 30 Tobias Brunner
* CRLs are now fetched with a simple Android-specific HTTP/S fetcher
220 30 Tobias Brunner
* Adds a disconnect button in the permanent notification (#2309)
221 30 Tobias Brunner
* The log view should now be more efficient (#2148)
222 30 Tobias Brunner
* Fixes the handling of backslashes in usernames
223 30 Tobias Brunner
* Adds a Traditional Chinese translation
224 26 Tobias Brunner
225 29 Tobias Brunner
h3. 1.8.2 (2017-02-20)
226 29 Tobias Brunner
227 29 Tobias Brunner
* Fixes an issue while disconnecting on certain devices (#2251)
228 29 Tobias Brunner
229 28 Tobias Brunner
h3. 1.8.1 (2017-02-07)
230 28 Tobias Brunner
231 28 Tobias Brunner
* Adds Simplified Chinese translation
232 28 Tobias Brunner
233 26 Tobias Brunner
h3. 1.8.0 (2017-01-20)
234 26 Tobias Brunner
235 26 Tobias Brunner
* Adds support to [[AndroidVPNClientProfiles|import VPN profiles]] from JSON-encoded files
236 19 Tobias Brunner
237 25 Tobias Brunner
h3. 1.7.2 (2016-12-10)
238 25 Tobias Brunner
239 25 Tobias Brunner
* Re-adds support for the ECC Brainpool DH groups (BoringSSL doesn't provide these)
240 25 Tobias Brunner
241 24 Tobias Brunner
h3. 1.7.1 (2016-12-09)
242 1 Tobias Brunner
243 25 Tobias Brunner
* Fixes a crash (regarding libtpmtss.so) on older Android systems
244 24 Tobias Brunner
245 23 Tobias Brunner
h3. 1.7.0 (2016-12-08)
246 23 Tobias Brunner
247 23 Tobias Brunner
* Adds a permanent notification while connected (or connecting) that shows the current status and which allows running the VpnService instance as foreground service. This in turn should prevent Android from terminating it when low on memory.
248 23 Tobias Brunner
* Supports the ChaCha20/Poly1305 AEAD and Curve25519 DH algorithms
249 23 Tobias Brunner
* Properly validates entered server port and MTU values in the GUI
250 23 Tobias Brunner
* Logs the installed DNS servers
251 23 Tobias Brunner
* Uses BoringSSL instead of OpenSSL
252 23 Tobias Brunner
* Based on strongSwan version:5.5.1
253 19 Tobias Brunner
254 1 Tobias Brunner
h3. 1.6.2 (2016-05-06)
255 20 Tobias Brunner
256 25 Tobias Brunner
* Fixes a crash when importing CA/server certificates via SAF(Storage Access Framework)
257 18 Tobias Brunner
258 18 Tobias Brunner
h3. 1.6.1 (2016-05-04)
259 18 Tobias Brunner
260 18 Tobias Brunner
* Fixes an interoperability issue with Windows Server. version:5.4.0 changed the order of the algorithms in the default IKE proposal.  Algorithms that provide a security of less than 128-bit were moved to the end of the list. Now Windows Server 2012 R2 (in its default configuration at least) only supports _modp1024_. The problem is that Microsoft's IKEv2 implementation only seems to consider the first fifteen algorithms of a specific transform type in the proposal. Because strongSwan supports [[IKEv2CipherSuites#Diffie-Hellman-Groups|quite a lot of DH groups]] and due to the reordering _modp1024_ was now at position 17 in the proposal, which meant Microsoft Server rejected the IKE_SA_INIT message with a NO_PROPOSAL_CHOSEN error.  This has been fixed by removing some of the weaker and rarely used DH groups from the default proposal (commit:fae18fd201).
261 18 Tobias Brunner
* Also corrects the label for the password field in the login dialog
262 16 Tobias Brunner
263 16 Tobias Brunner
h3. 1.6.0 (2016-05-02)
264 16 Tobias Brunner
265 16 Tobias Brunner
* Based on version:5.4.0, which e.g. adds support for IKEv2 redirection
266 16 Tobias Brunner
* Configuration of the server identity. If it is set the identity is sent as IDr during authentication and must match the server's identity exactly (i.e. it disables loose identity matching against all subjectAltNames, see #1268)
267 16 Tobias Brunner
* Selection of the client identity if certificate authentication is used (see #1403)
268 16 Tobias Brunner
* GUI changes:
269 16 Tobias Brunner
** Removed the progress dialogs during dis-/connecting
270 16 Tobias Brunner
** Redesign of the profile editor (reordered, floating labels, helper texts, "gateway"->"server")
271 16 Tobias Brunner
** Tabs in CA certificate manager have been updated (sliding tabs with ViewPager)
272 16 Tobias Brunner
** Switched to the AppCompat theme (Material-like)
273 6 Tobias Brunner
* Increases the NAT-T keepalive interval to 45s (#1326), no attempt to send keepalives is made anymore if there is no connectivity
274 6 Tobias Brunner
* Fixed the font in the log view on Android 5+
275 6 Tobias Brunner
* Native 64-bit build
276 6 Tobias Brunner
277 6 Tobias Brunner
h3. 1.5.0 (2015-07-28)
278 6 Tobias Brunner
279 6 Tobias Brunner
* Based on version:5.3.2
280 6 Tobias Brunner
* Roaming between networks on Android 5 and newer has been fixed (#865)
281 6 Tobias Brunner
* Adds new advanced profile settings:
282 6 Tobias Brunner
** A custom MTU can be specified (currently between 1280 and 1500)
283 6 Tobias Brunner
** The server port can be changed (default is 500, with a switch to 4500 - there is no switch if a custom port is set), #847
284 6 Tobias Brunner
** Split tunneling can be disabled by blocking all traffic that is not destined for the VPN
285 1 Tobias Brunner
*** Only on Android 5 and newer will split tunneling fully work if only one address family is tunneled via VPN (#782)
286 1 Tobias Brunner
* Sets the preferred language for remediation instructions to the system language
287 6 Tobias Brunner
* EAP-TNC does not require a client certificate anymore
288 5 Tobias Brunner
* Fixes a linker issue on Android M
289 5 Tobias Brunner
290 5 Tobias Brunner
h3. 1.4.6 (2015-06-08)
291 5 Tobias Brunner
292 2 Tobias Brunner
* Fix for "CVE-2015-4171":https://www.strongswan.org/blog/2015/06/08/strongswan-vulnerability-(cve-2015-4171).html.
293 2 Tobias Brunner
294 2 Tobias Brunner
h3. 1.4.5 (2014-11-06)
295 8 Tobias Brunner
296 2 Tobias Brunner
* Based on version:5.2.1 including improved MOBIKE handling and support for IKEv2 fragmentation
297 21 Tobias Brunner
* Enables optional PFS(Perfect Forward Secrecy) for IPsec SAs.  Proposed are cipher suites with and without DH groups, so it's up to the VPN server whether PFS is used or not.
298 8 Tobias Brunner
* Adds basic support for EAP-TLS. Limitations are:
299 21 Tobias Brunner
** EAP-only authentication is not allowed because the AAA identity is not configurable. So to prevent anyone with a valid certificate from impersonating the AAA server and thus the VPN server, the server is authenticated with a certificate (like we do with other authentication methods)
300 21 Tobias Brunner
** It's currently not possible to select a specific CA certificate to authenticate the AAA server certificate, so it either must be issued by the same CA as that of the VPN server or automatic CA certificate selection must be enabled in the VPN profile
301 2 Tobias Brunner
302 2 Tobias Brunner
h3. 1.4.0 (2014-07-22)
303 2 Tobias Brunner
304 2 Tobias Brunner
* Adds the ability to import CA and server certificates directly into the app. On Android 4.4+ the "SAF(Storage Access Framework)":https://developer.android.com/guide/topics/providers/document-provider.html is used to allow users to browse for certificate files (if the MIME-type is not set properly the advanced view has to be used to see all files). On older systems the files may be opened from third-party file managers
305 2 Tobias Brunner
* The GUI indicates if the connection is being reestablished
306 2 Tobias Brunner
* A DNS proxy resolves the VPN server's hostname while reestablishing (plaintext is blocked otherwise)
307 2 Tobias Brunner
* Supports ECDSA private keys on recent Android systems (tested on Android 4.4.4)
308 2 Tobias Brunner
309 2 Tobias Brunner
h3. 1.3.4 (2014-04-25)
310 2 Tobias Brunner
311 2 Tobias Brunner
* Based on version:5.1.3 (fixes a security vulnerability)
312 2 Tobias Brunner
* Links libcrypto (OpenSSL) statically
313 2 Tobias Brunner
* Doesn't limit the number of packets during EAP-TTLS
314 2 Tobias Brunner
315 2 Tobias Brunner
h3. 1.3.3 (2013-11-13)
316 2 Tobias Brunner
317 2 Tobias Brunner
* Based on version:5.1.1
318 2 Tobias Brunner
* Fixed issues with IV generation and padding length calculation for AES-GCM
319 2 Tobias Brunner
* Removes the Vstr dependency
320 2 Tobias Brunner
321 2 Tobias Brunner
h3. 1.3.2 (2013-09-26)
322 2 Tobias Brunner
323 2 Tobias Brunner
* Fixed a regression causing remediation instructions to pile up (EAP-TNC)
324 2 Tobias Brunner
325 2 Tobias Brunner
h3. 1.3.1 (2013-09-23)
326 2 Tobias Brunner
327 2 Tobias Brunner
* Improved recovery after certain connectivity changes
328 2 Tobias Brunner
329 2 Tobias Brunner
h3. 1.3.0 (2013-07-08)
330 2 Tobias Brunner
331 2 Tobias Brunner
* Added support for [[BYOD|EAP-TNC]]
332 2 Tobias Brunner
* Disabled listening on IPv6 because the Linux kernel currently does not support UDP encapsulation of ESP packets for IPv6
333 2 Tobias Brunner
334 17 Tobias Brunner
h3. 1.2.3 (2013-05-03)
335 2 Tobias Brunner
336 2 Tobias Brunner
* Added support for AES-GCM
337 2 Tobias Brunner
* Support for IPv6-in-IPv4 tunnels
338 2 Tobias Brunner
* Uses kernel-netlink to handle interface/IP address enumeration
339 2 Tobias Brunner
340 2 Tobias Brunner
h3. 1.2.2 (2013-03-07)
341 2 Tobias Brunner
342 2 Tobias Brunner
* Added support for combined certificate/EAP authentication (RFC 4739)
343 2 Tobias Brunner
* Added Polish, Ukrainian, and Russian translations
344 2 Tobias Brunner
* Fixed a race condition during reauthentication and a potential freeze while disconnecting
345 17 Tobias Brunner
346 2 Tobias Brunner
h3. 1.2.1 (2012-11-21)
347 2 Tobias Brunner
348 1 Tobias Brunner
* Added shortcuts to VPN profiles to quickly start specific connections from the launcher
349 2 Tobias Brunner
* Added a confirmation dialog if a connection is started but one is already established
350 2 Tobias Brunner
* Fixed a few Android 4.2 specific issues
351 2 Tobias Brunner
352 2 Tobias Brunner
h3. 1.2.0 (2012-10-18)
353 2 Tobias Brunner
354 2 Tobias Brunner
* Added support for MOBIKE e.g. allows switching between different interfaces (e.g. Wifi and 3G/4G)
355 2 Tobias Brunner
* The app tries to keep the connection established until the user disconnects manually
356 2 Tobias Brunner
357 17 Tobias Brunner
h3. 1.1.3 (2012-09-24)
358 2 Tobias Brunner
359 2 Tobias Brunner
* Workaround for a private key issue on Android 4.1
360 2 Tobias Brunner
361 8 Tobias Brunner
h3. 1.1.2 (2012-09-18)
362 2 Tobias Brunner
363 21 Tobias Brunner
* Added loose ID matching: While the client expects the hostname/IP of the VPN server to be contained as subjectAltName in the certificate this allows the responder to use a different IDr than that, as long as it is confirmed by the certificate (the client does not send an IDr anymore)
364 2 Tobias Brunner
365 17 Tobias Brunner
h3. 1.1.1 (2012-09-17)
366 2 Tobias Brunner
367 2 Tobias Brunner
* Fixed a Unicode issue when converting Java to C strings
368 2 Tobias Brunner
369 2 Tobias Brunner
h3. 1.1.0 (2012-09-06)
370 1 Tobias Brunner
371 1 Tobias Brunner
* Added certificate authentication and fixed reauthentication