Configuring IPsec IKEv2 Remote Access VPN Clients on Android
This document demonstrates how to configure an IKEv2 connection on Android.
The native IPsec IKEv2 client on Android does not support EAP-TLS, but it does support username/password authentication and can therefore be used with EAP-RADIUS. For consistency, this document covers only the strongSwan app, which supports both methods.
This procedure was tested on Android 14 and Android 13, but it is nearly identical on most versions from the last several years.
Note
Android treats a VPN as a feature that must be protected. When any VPN option is activated, the OS forces the user to add a screen lock if the device does not already have one. The type of lock does not matter (PIN, pattern, fingerprint, password, etc.), but a VPN cannot be configured until a secure lock is in place.
On most Android devices, Face lock on its own is not accepted as a secure lock type. This varies by hardware and Android version; for example it is considered secure on the Pixel 4 XL and the Pixel 8 Pro, but not on models in between.
Prerequisites
Before starting:
Setup TNSR as an IKEv2 server as described in either IPsec Remote Access VPN using IKEv2 with EAP-TLS or IPsec Remote Access VPN using IKEv2 with EAP-RADIUS.
Install the strongSwan app from the Play Store on the client device
Export the CA certificate used to sign the server certificate and save it as a .crt file (EAP-RADIUS)
Export a PKCS#12 bundle containing the user certificate and its private key (EAP-TLS)
Copy the exported file(s) to the client
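Before copying the files to the device, it is worth confirming three things that otherwise only surface as an opaque authentication failure on the phone: that the exported CA actually issued the server certificate, that the server certificate carries the name that will be entered in the Server field, and that the PKCS#12 bundle opens with the export password and contains the key, the user certificate and the CA. The script below is an added example, not part of the TNSR documentation or the strongSwan project. It builds a throwaway CA, server and client certificate with openssl (constructed test material standing in for the TNSR exports) and runs those checks against them; the server name vpn.example.com, the username user1 and the export password are placeholders.

```shell
#!/bin/sh
# Added example (not from the TNSR documentation): construct a throwaway CA,
# server and client certificate chain, then run the checks worth doing on the
# exported ca.crt and client.p12 before copying them to the Android device.
# Assumptions: SERVER_FQDN, P12_PASSWORD and the user name "user1" are placeholders.
set -eu

SERVER_FQDN="vpn.example.com"     # value that will be typed into the strongSwan "Server" field
P12_PASSWORD="export-password"    # password used when the PKCS#12 bundle was exported
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed stand-ins for the files TNSR exports (CA cert, server cert, user PKCS#12).
make_test_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=Test VPN CA" \
    -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # Server certificate: the SAN must carry the name the client connects to.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$SERVER_FQDN" > "$WORK/server.ext"
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$SERVER_FQDN" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

  # User certificate plus the PKCS#12 bundle the EAP-TLS client imports.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$WORK/client.ext"
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=user1" -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.crt" -name user1 -passout "pass:$P12_PASSWORD" -out "$WORK/client.p12"
}

# Check 1: the exported CA is the issuer of the server certificate the client will see.
ca_signs_server() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 2: the server certificate names the host that will go into the profile's Server field.
server_cert_names_host() {
  openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null | grep -qF "DNS:$1"
}

# Check 3: the bundle opens with the given password and holds a private key plus two
# certificates (user certificate and CA certificate).
p12_is_complete() {
  out="$(openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -nodes 2>/dev/null)" || return 1
  printf '%s\n' "$out" | grep -q 'PRIVATE KEY' || return 1
  [ "$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE')" -eq 2 ]
}

run_export_checks() {
  ca_signs_server && server_cert_names_host "$SERVER_FQDN" && p12_is_complete "$P12_PASSWORD"
}

make_test_pki
if run_export_checks; then
  echo "exports are consistent: copy ca.crt (EAP-RADIUS) or client.p12 (EAP-TLS) to the device"
else
  echo "export check failed; fix the certificates before configuring the client" >&2
  exit 1
fi
```

Point the three check functions at the real exported files to use this against a live TNSR export. If an older device reports a wrong password for a bundle that opens fine here, the usual cause is the newer PKCS#12 encryption that OpenSSL 3 uses by default; re-exporting with the `-legacy` option of `openssl pkcs12` produces a bundle the older Android credential installer accepts.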
Configuration
EAP-TLS
Open the strongSwan app
Tap Add VPN Profile
Set the Server to the IP address or FQDN of the server
Set VPN Type to IKEv2 EAP-TLS (Certificate)
Tap Install User Certificate
Locate the .p12 file for the client on the device and tap it
Enter the password used when exporting the PKCS#12 bundle
Tap OK
Confirm or adjust the name of the certificate
Tap OK
Select the newly added certificate from the presented list
Tap Select
Check Select Automatically under CA Certificate
Enter a Profile Name to set a custom name, or leave blank to use the Server value.
Tap Save
Other advanced options can be adjusted if necessary.
EAP-RADIUS
Open the strongSwan app
Tap Add VPN Profile
Set the Server to the IP address or FQDN of the server
Set VPN Type to IKEv2 EAP (Username/Password)
Set Username to the username configured for this client in RADIUS
The Password can also be stored in the profile, but doing so is less secure. The best practice is to leave it blank and enter the password each time the connection is started, when prompted.
Uncheck Select automatically under CA certificate
Tap Select CA Certificate
Tap the three dots in the upper right to open the menu
Tap Import certificate
Tap the CA certificate copied to the device earlier
Tap Import Certificate to confirm
Tap the three dots in the upper right to open the menu
Tap Reload CA certificates
Tap the Imported tab
Select the newly added certificate from the presented list
Enter a Profile Name to set a custom name, or leave blank to use the Server value.
Tap Save
Other advanced options can be adjusted if necessary.
Split Tunneling
The strongSwan app on Android automatically honors the traffic selectors configured on the server: when the server narrows the selectors to specific networks, only traffic for those networks is sent through the VPN. The client does not require any manual adjustment.
If the server does not narrow the traffic selectors (the default of all traffic), the client sends all of its traffic, including Internet traffic, across the VPN.
The client can override this behavior under Advanced settings in the profile. The Split Tunneling section there contains one field for networks to send across the VPN and another for subnets to exclude from the VPN.
Connecting and Disconnecting
To Connect:
Open the strongSwan app
Tap the desired VPN
Check I trust this application at the security prompt if one appears
Tap OK
Enter the Password and tap Connect if prompted to do so (e.g. EAP-RADIUS without stored credentials)
To Disconnect:
Swipe down from the top notification bar
Tap the strongSwan entry in the notification list
Tap Disconnect
Alternatively:
Open the strongSwan app
Tap Disconnect on the desired VPN