VPN Profile Import for the Android VPN Client » History » Version 1

Version 1/10 - Next » - Current version
Tobias Brunner, 29.12.2016 19:39

VPN Profile Import for the Android VPN Client

The upcoming release of the strongSwan VPN Client for Android will allow importing VPN profiles from JSON files.


The app will open http(s):// URLs to .sswan files. It also opens any file with a media type of application/vnd.strongswan.profile (the file extension doesn't matter in that case). The latter should also work for email attachments if the media type is set accordingly.

Whether downloaded files for which the media type is not correct but the extension is .sswan can be opened depends on the app that starts the Intent. For instance, from Android's default Downloads app it won't work due to the content:// URLs that do not contain the original file name (it works if the media type was set correctly by the web server), but when e.g. opening the downloaded file from within Chrome's Downloads view it works as these Intents use file:// URLs that contain the complete file name.

Note that after importing the profile the user is able to edit it freely.

File Format

The file format is based on JSON. The expected encoding is UTF-8.

The top-level element in the file is an object that may or must contain the following keys. Keys of sub-objects are separated with dots.

Required Key Description
x uuid Unique identifier to identify the VPN profile. The format is defined in RFC 4122. Version 4 UUIDs (random-generated) are recommended (may be created with e.g. uuid -v4).
If a VPN profile with the same UUID already exists its settings are replaced when the profile is imported.
x name Display name of the profile.
x type Type of the VPN profile. The following values are currently supported and determine the type of client authentication that's used (the server is always authenticated with a certificate).
ikev2-eap: Username/password-based EAP authentication
ikev2-cert: Certificate authentication
ikev2-cert-eap: Certificate authentication followed by a username/password-based EAP authentication
ikev2-eap-tls: EAP-TLS certificate authentication
ikev2-byod-eap: EAP-TNC with username/password-based EAP authentication
Some of the keys described below are only relevant for certain types.
x remote Object containing information about the server.
x remote.addr The server's hostname or IP address. If no remote identity is configured this has to be contained as subjectAltName extension in the server certificate.
remote.port Optional server port (default is 500). Optional IKE identity of the server. If this is not configured it defaults to remote.addr and no IDr is sent in the IKE_AUTH request.
remote.cert Optional Base64-encoded CA or server certificate. Is imported into the app, not the system keystore. If not set, automatic CA certificate selection is enabled. So it's not necessary, if the server certificate is issued by a CA the client already trusts, or if the PKCS#12-file below contains the complete certificate chain (this might cause warnings on older Android releases, though, see AndroidVPNClient for details).
local Object containing information about the client.
local.eap_id Optional identity/username for EAP authentication. If this is required (for username/password-based EAP authentication) but not configured here, the user is prompted for it when importing the profile. If it is set the user is not able to change it while importing (but may later do so). In both cases the user may optionally enter the password while importing the profile. Optional IKE identity of the client for certificate authentication. Has to match a subjectAltName contained in the client certificate. Must not be configured if the certificate's subject DN shall be used as client identity.
local.p12 Optional Base64-encoded PKCS#12-container with the client certificate and private key and optional certificate chain (the latter might cause warnings on older Android releases, see AndroidVPNClient for details). Not necessary for username/password-based EAP authentication, or if the user already has the certificate/key installed as it may be selected while importing the profile.
split-tunneling Object containing split-tunneling settings.
split-tunneling.block-ipv4 Whether to block IPv4 traffic that's not destined for the VPN
split-tunneling.block-ipv6 Whether to block IPv6 traffic that's not destined for the VPN
mtu Optional MTU to use for the TUN device