Tip
This is the documentation for the 23.11 version.
Configuring IPsec IKEv2 Remote Access VPN Clients on Android
This document demonstrates how to configure an IKEv2 EAP-TLS connection on Android using the strongSwan app. The native IPsec IKEv2 client on Android does not support EAP-TLS. This procedure was tested on Android 14 and Android 13, but it is identical on most versions from the last several years.
Note
Android considers using a VPN an action that must be secure. When activating any VPN option the OS will force the user to add a lock method to the device if one is not already present. It does not matter which type of lock is chosen (PIN lock, Pattern lock, Fingerprint, Password, etc.) but it will not allow a VPN to be configured until a secure lock has been added.
On most Android devices, Face lock is not available as a secure lock type on its own. This varies by hardware and Android version: for example, it is considered secure on the Pixel 4XL and on the Pixel 8 Pro, but not on models in between.
Prerequisites
Before starting:
Set up TNSR as an EAP-TLS server as described in IPsec Remote Access VPN using IKEv2 with EAP-TLS
Install the strongSwan app from the Play Store on the client device
Export a PKCS#12 bundle for the user certificates
Copy the PKCS#12 bundle to the client
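The PKCS#12 export step above is where most import problems on the device originate (wrong password, a bundle without the CA certificate, or a corrupted copy). The following POSIX shell script is an added example, not part of the TNSR documentation or the strongSwan project: it builds a throwaway test CA and user certificate as a stand-in for the CA that issues certificates on TNSR, exports the bundle with the CA certificate included, and checks that the bundle opens with the intended password and contains the key plus both certificates before it is copied to the phone. The CA name, user name, file names and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a throwaway test PKI, export the user's PKCS#12 bundle
# (private key + user certificate + CA certificate) for the strongSwan Android
# app, and sanity-check the bundle before it is copied to the phone.
# All names, paths and the password below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch directory for the generated files
P12_PASS="${P12_PASS:-export-secret}"   # password the user types when installing the certificate

# Stand-in for the CA that actually issues certificates on TNSR: a self-signed
# CA and a user certificate carrying the clientAuth EKU needed for EAP-TLS.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=alice@vpn.example" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/alice.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/client.ext" \
        -out "$WORK/alice.crt" 2>/dev/null
}

# Export the bundle. -certfile adds the CA certificate so the app can find it
# when "Select Automatically" is checked under CA Certificate; -name sets the
# friendly name the app offers during import. The password is passed through
# the environment rather than the command line so it does not show up in ps.
export_p12() {
    P12_PASS="$P12_PASS" openssl pkcs12 -export \
        -inkey "$WORK/alice.key" -in "$WORK/alice.crt" \
        -certfile "$WORK/ca.crt" -name "alice-vpn" \
        -passout env:P12_PASS -out "$WORK/alice.p12"
}

# Check that a bundle opens with the given password and holds exactly one
# private key and at least two certificates (user + CA). Returns non-zero for
# a wrong password, a truncated file, or a bundle exported without the CA.
verify_p12() {
    p12="$1"
    pass="$2"
    P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -info -noout >/dev/null 2>&1 || return 1
    keys=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | grep -c 'BEGIN PRIVATE KEY')
    certs=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
    [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

make_test_pki
export_p12
verify_p12 "$WORK/alice.p12" "$P12_PASS" && echo "bundle OK: $WORK/alice.p12"
```

Run the check on the exact file that will be copied to the device, and delete the scratch directory afterwards, since it holds the unencrypted private key. If an older Android release refuses to import a bundle produced by OpenSSL 3, a common cause is the newer PBES2/AES encryption that OpenSSL 3 emits by default; re-exporting with the `-legacy` option of `openssl pkcs12` (which needs the OpenSSL legacy provider) falls back to the older algorithms such devices accept.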
Configuration
Open the strongSwan app
Tap Add VPN Profile
Set the Server to the IP address or FQDN of the server
Set VPN Type to IKEv2 EAP-TLS (Certificate)
Tap Install User Certificate
Locate the .p12 file for the client on the device and tap it
Enter the password used when exporting the PKCS#12 bundle
Tap OK
Confirm or adjust the name of the certificate
Tap OK
Select the newly added certificate from the presented list
Tap Select
Check Select Automatically under CA Certificate
Enter a Profile Name to set a custom name, or leave blank to use the Server value.
Tap Save
Other advanced options can be adjusted if necessary.
Split Tunneling
The strongSwan app on Android automatically respects the traffic selectors configured on the server. The client does not require any manual adjustments.
If there are no traffic selectors on the server, the client sends all of its traffic, including Internet traffic, across the VPN.
The client includes options to override this behavior under the Advanced settings of the client configuration. The Split Tunneling section there contains one field to define the networks to send across the VPN and another field to define the subnets to exclude from the VPN.
Connecting and Disconnecting
To Connect:
Open the strongSwan app
Tap the desired VPN
Check I trust this application at the security prompt if one appears
Tap OK
To Disconnect:
Swipe down from the top notification bar
Tap the strongSwan entry in the notification list
Tap Disconnect
Alternatively:
Open the strongSwan app
Tap Disconnect on the desired VPN