strongSwan VPN Client for Android 4+ » History » Version 8

Version 7 (Tobias Brunner, 28.08.2015 10:57) → Version 8/58 (Tobias Brunner, 21.12.2015 11:16)

h1. strongSwan VPN Client for Android 4+

The "strongSwan VPN Client for Android 4 and newer": is an App that can be downloaded directly from "Google Play":

There are some limitations:

* Only IKEv2 is supported
* User authentication is either EAP authentication based on username/password (EAP-MSCHAPv2, EAP-MD5, EAP-GTC), RSA/ECDSA authentication with private key/certificate, or EAP-TLS with private key/certificate
* Split tunneling has to be enforced by the VPN gateway (the client proposes as remote traffic selector)
* Only a single tunnel can be established at a time
* The IPsec proposal is limited to AES encryption with SHA1/SHA2 data integrity or AES-GCM authenticated encryption

* *Important:* The hostname/IP of the VPN gateway, as configured in the VPN profile, has to be contained as subjectAltName extension in the VPN gateway's gateway certificate

* *Note:* There are some serious issues on Android 4.4 before 4.4.3 (see #462)

The client is compatible to the [[Windows7|Windows example configurations]] we provide. Since strongSwan version:5.2.1 and version 1.4.5 of the app _fragmentation=yes_ may be added to the server config to use IKEv2 fragmentation, which avoids problems with IP fragmentation during connection establishment (due to large certificates or lots of certificate requests).

The app allows creating shortcuts to initiate individual VPN profiles. These can be added to the launcher to quickly start specific connections. In combination with apps such as Llama or Tasker they also enable triggering VPN connections based on e.g. location, WiFi hotspots, system start or other events.

How to [[AndroidVPNClientBuild|build the app from sources]] is documented on a separate page.

h2. Changelog

h3. 1.5.0 (2015-07-28)

* Based on version:5.3.2
* Roaming between networks on Android 5 and newer has been fixed (#865)
* Adds new advanced profile settings:
** A custom MTU can be specified (currently between 1280 and 1500)
** The server port can be changed (default is 500, with a switch to 4500 - there is no switch if a custom port is set), #847
** Split tunneling can be disabled by blocking all traffic that is not destined for the VPN
*** Only on Android 5 and newer will split tunneling fully work if only one address family is tunneled via VPN (#782)
* Sets the preferred language for remediation instructions to the system language
* EAP-TNC does not require a client certificate anymore
* Fixes a linker issue on Android M

h3. 1.4.6 (2015-06-08)

* Fix for "CVE-2015-4171":

h3. 1.4.5 (2014-11-06)

* Based on version:5.2.1 including improved MOBIKE handling and support for IKEv2 fragmentation
* Enables optional PFS(Perfect Forward Secrecy) for IPsec SAs. Proposed are cipher suites with and without DH groups, so it's up to the VPN gateway whether PFS is used or not.
* Adds basic support for EAP-TLS. Limitations are:
** EAP-only authentication is not allowed because the AAA identity is not configurable. So to prevent anyone with a valid certificate from impersonating the AAA server and thus the VPN gateway, gateway the gateway is authenticated with a certificate (like we do with other authentication methods)
** It's currently not possible to select a specific CA certificate to authenticate the AAA server certificate, so it either must be issued by the same CA as that of the VPN gateway or automatic CA certificate selection must be enabled in the VPN profile

h3. 1.4.0 (2014-07-22)

* Adds the ability to import CA and server certificates directly into the app. On Android 4.4+ the "SAF(Storage Access Framework)": is used to allow users to browse for certificate files (if the MIME-type is not set properly the advanced view has to be used to see all files). On older systems the files may be opened from third-party file managers
* The GUI indicates if the connection is being reestablished
* A DNS proxy resolves the VPN server's hostname while reestablishing (plaintext is blocked otherwise)
* Supports ECDSA private keys on recent Android systems (tested on Android 4.4.4)

h3. 1.3.4 (2014-04-25)

* Based on version:5.1.3 (fixes a security vulnerability)
* Links libcrypto (OpenSSL) statically
* Doesn't limit the number of packets during EAP-TTLS

h3. 1.3.3 (2013-11-13)

* Based on version:5.1.1
* Fixed issues with IV generation and padding length calculation for AES-GCM
* Removes the Vstr dependency

h3. 1.3.2 (2013-09-26)

* Fixed a regression causing remediation instructions to pile up (EAP-TNC)

h3. 1.3.1 (2013-09-23)

* Improved recovery after certain connectivity changes

h3. 1.3.0 (2013-07-08)

* Added support for [[BYOD|EAP-TNC]]
* Disabled listening on IPv6 because the Linux kernel currently does not support UDP encapsulation of ESP packets for IPv6

h3. 1.2.3 (2013-05-03)

* Added support for AES-GCM
* Supports for IPv6-in-IPv4 tunnels
* Uses kernel-netlink to handle interface/IP address enumeration

h3. 1.2.2 (2013-03-07)

* Added support for combined certificate/EAP authentication (RFC 4739)
* Added Polish, Ukrainian, and Russian translations
* Fixed a race condition during reauthentication and a potential freeze while disconnecting

h3. 1.2.1 (2012-11-21)

* Added shortcuts to specific VPN profiles to quickly start specific connections from the launcher
* Added a confirmation dialog if a connection is started but one is already established
* Fixed a few Android 4.2 specific issues

h3. 1.2.0 (2012-10-18)

* Added support for MOBIKE e.g. allows switching between different interfaces (e.g. Wifi and 3G/4G)
* The app tries to keep the connection established until the user disconnects manually

h3. 1.1.3 (2012-09-24)

* Workaround for private key issue on Android 4.1

h3. 1.1.2 (2012-09-18)

* Added loose ID matching: While the client expects the hostname/IP of the VPN gateway to be contained as subjectAltName in the certificate this allows the responder to use a different IDr than that, as long as it is confirmed by the certificate (the client does not send an IDr anymore)

h3. 1.1.1 (2012-09-17)

* Fixed a unicode issue when converting Java to C strings

h3. 1.1.0 (2012-09-06)

* Added certificate authentication and fixed reauthentication