Configuring IPsec IKEv2 Remote Access VPN Clients on Android

This document demonstrates how to configure an IKEv2 connection on Android.

The native IPsec IKEv2 client on Android does not support EAP-TLS, but it does support EAP-RADIUS. For consistency, this document focuses on using the strongSwan app which supports both.

This procedure was tested on Android 14 and Android 13 but the procedure is identical on most versions from the last several years.

Note

Android considers using a VPN an action that must be secure. When activating any VPN option the OS will force the user to add a lock method to the device if one is not already present. It does not matter which type of lock is chosen (PIN lock, Pattern lock, Fingerprint, Password, etc.) but it will not allow a VPN to be configured until a secure lock has been added.

On most Android devices, Face lock is not available as a secure lock type on its own. This varies by hardware and Android version: for example, it is considered secure on the Pixel 4 XL and the Pixel 8 Pro, but not on models in between.

Prerequisites

Before starting:

Configuration

EAP-TLS

  • Open the strongSwan app

  • Tap Add VPN Profile

  • Set the Server to the IP address or FQDN of the server

  • Set VPN Type to IKEv2 EAP-TLS (Certificate)

  • Tap Install User Certificate

  • Locate the .p12 file for the client on the device and tap it

  • Enter the password used when exporting the PKCS#12 bundle

  • Tap OK

  • Confirm or adjust the name of the certificate

  • Tap OK

  • Select the newly added certificate from the presented list

  • Tap Select

  • Check Select Automatically under CA Certificate

  • Enter a Profile Name to set a custom name, or leave blank to use the Server value.

  • Tap Save

Other advanced options can be adjusted if necessary.

EAP-RADIUS

  • Open the strongSwan app

  • Tap Add VPN Profile

  • Set the Server to the IP address or FQDN of the server

  • Set VPN Type to IKEv2 EAP (Username/Password)

  • Set Username to match the username for this client in RADIUS

    Though the Password can also be saved, doing so is less secure. The best practice is to enter the password for each connection when prompted.

  • Uncheck Select automatically under CA certificate

  • Tap Select CA Certificate

  • Tap the three dots in the upper right to open the menu

  • Tap Import certificate

  • Tap the CA certificate copied to the device earlier

  • Tap Import Certificate to confirm

  • Tap the three dots in the upper right to open the menu

  • Tap Reload CA certificates

  • Tap the Imported tab

  • Select the newly added certificate from the presented list

  • Enter a Profile Name to set a custom name, or leave blank to use the Server value.

  • Tap Save

Other advanced options can be adjusted if necessary.

Split Tunneling

The strongSwan app on Android will automatically respect the traffic selectors configured on the server. The client does not require any manual adjustments.

If there are no traffic selectors on the server, the client will send all of its traffic, including Internet traffic, across the VPN.

The client includes options to override this behavior under the Advanced settings on the client configuration. There is a section for Split Tunneling which contains a field to define networks to send across the VPN and another field which defines subnets to exclude from using the VPN.
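The three settings above interact: the traffic selectors negotiated with the server decide what the tunnel may carry, the profile's included subnets can narrow that further, and excluded subnets are never sent through the tunnel. The following Python model, added here as an illustration and not code from the strongSwan project, makes that precedence explicit so an administrator can predict which destinations a given profile will tunnel. The ordering of the checks is an assumption drawn from the description above; the CIDRs are constructed sample values.

```python
"""Model of which destinations a strongSwan Android profile sends through the VPN.

Added illustration, not strongSwan code. Assumed precedence:
  1. empty server traffic selectors mean "all traffic" (full tunnel)
  2. the profile's included subnets can only narrow what the server allows
  3. the profile's excluded subnets always bypass the tunnel
"""
import ipaddress
from typing import Iterable, List


def _parse(nets: Iterable[str]):
    # strict=False accepts host bits set in the prefix, e.g. 10.1.2.3/24
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def _covered(dst, nets) -> bool:
    # ipaddress returns False for a v4 address tested against a v6 network
    return any(dst in n for n in nets)


def routes_via_vpn(
    dst_ip: str,
    server_ts: Iterable[str] = (),
    included: Iterable[str] = (),
    excluded: Iterable[str] = (),
) -> bool:
    """Return True if traffic to dst_ip would be sent across the tunnel."""
    dst = ipaddress.ip_address(dst_ip)
    ts = _parse(server_ts)
    inc = _parse(included)
    exc = _parse(excluded)

    # No traffic selectors from the server: everything, including Internet
    # traffic, goes across the VPN unless narrowed below.
    if ts and not _covered(dst, ts):
        return False
    # Included subnets (Advanced settings) narrow the tunnel further.
    if inc and not _covered(dst, inc):
        return False
    # Excluded subnets (Advanced settings) always bypass the tunnel.
    if _covered(dst, exc):
        return False
    return True


def tunneled_destinations(dsts: Iterable[str], **profile) -> List[str]:
    """Filter a list of destinations down to those that use the tunnel."""
    return [d for d in dsts if routes_via_vpn(d, **profile)]


if __name__ == "__main__":
    # Constructed sample: server offers 10.0.0.0/8, profile excludes a guest range.
    profile = {"server_ts": ["10.0.0.0/8"], "excluded": ["10.99.0.0/16"]}
    for d in ["10.1.2.3", "10.99.4.5", "93.184.216.34"]:
        print(d, "->", "VPN" if routes_via_vpn(d, **profile) else "direct")
```

Running the block with no server traffic selectors reproduces the full-tunnel case described above; adding an excluded subnet to the profile is the client-side override for keeping, say, a local printer range off the tunnel.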

Connecting and Disconnecting

To Connect:

  • Open the strongSwan app

  • Tap the desired VPN

  • Check I trust this application at the security prompt if one appears

  • Tap OK

  • Enter the Password and tap Connect if prompted to do so (e.g. EAP-RADIUS without stored credentials)

To Disconnect:

  • Swipe down from the top notification bar

  • Tap the strongSwan entry in the notification list

  • Tap Disconnect

Alternately:

  • Open the strongSwan app

  • Tap Disconnect on the desired VPN