Tip

This is the documentation for the 23.11 version.

Configuring IPsec IKEv2 Remote Access VPN Clients on Android

This document demonstrates how to configure an IKEv2 EAP-TLS connection on Android using the strongSwan app. The native IPsec IKEv2 client on Android does not support EAP-TLS. This procedure was tested on Android 14 and Android 13, but it is identical on most versions from the last several years.

Note

Android considers using a VPN an action that must be secure. When activating any VPN option, the OS forces the user to add a lock method to the device if one is not already present. It does not matter which type of lock is chosen (PIN lock, Pattern lock, Fingerprint, Password, etc.), but it will not allow a VPN to be configured until a secure lock has been added.

On most Android devices, Face lock is not available as a secure lock type on its own. This varies by hardware and Android version; for example, it is considered secure on the Pixel 4 XL and the Pixel 8 Pro, but not on models in between.

Prerequisites

Before starting:

Configuration

  • Open the strongSwan app

  • Tap Add VPN Profile

  • Set the Server to the IP address or FQDN of the server

  • Set VPN Type to IKEv2 EAP-TLS (Certificate)

  • Tap Install User Certificate

  • Locate the .p12 file for the client on the device and tap it

  • Enter the password used when exporting the PKCS#12 bundle

  • Tap OK

  • Confirm or adjust the name of the certificate

  • Tap OK

  • Select the newly added certificate from the presented list

  • Tap Select

  • Check Select Automatically under CA Certificate

  • Enter a Profile Name to set a custom name, or leave blank to use the Server value

  • Tap Save

Other advanced options can be adjusted if necessary.
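As an added example that is not part of the pfSense documentation, the following POSIX shell script builds a throwaway CA and client certificate with the openssl CLI, exports them as the PKCS#12 (.p12) bundle that the strongSwan app imports in the steps above, and checks a bundle before it is copied to the device: that it opens with the export password, contains a private key, that the client certificate carries the clientAuth extended key usage, and that it chains to the CA certificate in the bundle. The CA name, client identity, file names and password are all constructed for the example; a pfSense deployment would export the bundle from its own certificate manager and the check_bundle function would be pointed at that file.

```shell
#!/bin/sh
# Added example, not from the pfSense/Netgate documentation: build a throwaway
# CA and client certificate with the openssl CLI, export them as the PKCS#12
# bundle the strongSwan app imports, and inspect a bundle before it goes to
# the device. Every name, path and password below is constructed.

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-example-export-password}"   # constructed export password

# make_bundle: write $WORK/client.p12 (client key + client cert + CA cert)
# and print its path.
make_bundle() {
  cd "$WORK" || return 1
  # Throwaway CA (example only).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example VPN CA" -keyout ca.key -out ca.crt >/dev/null 2>&1 || return 1
  # Client key and CSR; the subject is the identity the client presents in IKEv2.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=android-client@example.com" -keyout client.key -out client.csr >/dev/null 2>&1 || return 1
  # Sign the client certificate with the clientAuth EKU and a matching email SAN.
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=email:android-client@example.com\n' > client.ext
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out client.crt >/dev/null 2>&1 || return 1
  # Export the bundle; the password given here is what the app asks for on import.
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
    -name "android-client" -passout "pass:$P12_PASS" -out client.p12 >/dev/null 2>&1 || return 1
  echo "$WORK/client.p12"
}

# cleanup_fail TMPDIR REASON: report why a check failed and remove the scratch dir.
cleanup_fail() {
  echo "check failed: $2" >&2
  rm -rf "$1"
}

# check_bundle BUNDLE PASSWORD: return 0 when the bundle opens with PASSWORD and
# holds a private key, a client certificate with the clientAuth EKU, and a CA
# certificate the client certificate chains to; otherwise return 1.
check_bundle() {
  bundle="$1"
  pass="$2"
  tmp=$(mktemp -d)

  # A wrong password (or a corrupt file) fails the MAC check here.
  if ! openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nodes -out "$tmp/all.pem" >/dev/null 2>&1; then
    cleanup_fail "$tmp" "cannot open bundle (wrong password or corrupt file)"; return 1
  fi
  # Split the bundle into the client (leaf) certificate and the CA certificate(s).
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nokeys -clcerts -out "$tmp/leaf.pem" >/dev/null 2>&1
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nokeys -cacerts -out "$tmp/ca.pem" >/dev/null 2>&1

  if ! grep -q 'PRIVATE KEY' "$tmp/all.pem"; then
    cleanup_fail "$tmp" "no private key in bundle"; return 1
  fi
  if ! openssl x509 -in "$tmp/leaf.pem" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'; then
    cleanup_fail "$tmp" "client certificate lacks the clientAuth EKU"; return 1
  fi
  if ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    cleanup_fail "$tmp" "client certificate does not chain to the bundled CA"; return 1
  fi
  echo "bundle OK: $(openssl x509 -in "$tmp/leaf.pem" -noout -subject)"
  rm -rf "$tmp"
  return 0
}

# Stand-alone run: build a bundle, then check it with the right password and a wrong one.
if [ "${P12_DEMO:-1}" = 1 ]; then
  demo_bundle=$(make_bundle) || exit 1
  check_bundle "$demo_bundle" "$P12_PASS"
  check_bundle "$demo_bundle" "not-the-password" || echo "wrong password rejected, as expected"
fi
```

OpenSSL 3 exports PKCS#12 with AES-256-CBC and a SHA-256 MAC by default; if an older device refuses to import such a bundle, re-export it with OpenSSL 3's `-legacy` option for `openssl pkcs12`.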

Split Tunneling

The strongSwan app on Android will automatically respect the traffic selectors configured on the server. The client does not require any manual adjustments.

If there are no traffic selectors on the server, the client will send all of its traffic, including Internet traffic, across the VPN.

The client includes options to override this behavior under the Advanced settings on the client configuration. There is a section for Split Tunneling which contains a field to define networks to send across the VPN and another field which defines subnets to exclude from using the VPN.

Connecting and Disconnecting

To Connect:

  • Open the strongSwan app

  • Tap the desired VPN

  • Check I trust this application at the security prompt if one appears

  • Tap OK

To Disconnect:

  • Swipe down from the top notification bar

  • Tap the strongSwan entry in the notification list

  • Tap Disconnect

Alternately:

  • Open the strongSwan app

  • Tap Disconnect on the desired VPN