IPsec Roadwarrior from android

odongarma · 7 December 2022 12:25

I wonder how can someone configure the IPSec VPN on android.

I set up (at ipfire) a new IPsec Host-to-Net Tunnel using certificates.

How to setup under android?

What type of VPN to choose? I guess “IPSec Xauth RSA”??

Greetz

tphz · 7 December 2022 14:17

I wonder if you can use the Strongswan client.
I can’t check it at the moment.

bonnietwin · 7 December 2022 14:48

No. That is the older v1 version of IKE (Internet Key Exchange) which is not as secure as IKEv2

You want to use IKEv2/IPSec RSA if you are using certificates.

odongarma · 8 December 2022 09:12

Thanks for the quick answers.

I’m curious to know, is it even possible to setup the VPN on android using only the built in feature eq. without installing third-party software?

currenly i can choose:

~~PPTP~~ → dead
L2TP / IPSec PSK
L2TP / IPSec RSA
IPSec Xauth PSK
IPSec Xauth RSA
IPSec Hybrid RSA

Greetz

bonnietwin · 8 December 2022 09:28

What version of Android are you using?

My phone is on Android 11 but even my old tablet on Android 6.0.1 has IPSec IKEv2

When you select the type of the VPN Network you get a little table with the entries you showed. Apologies for this question but, just to check, did you scroll the entries in that list. On my phone I only see 4 entries at a time but the list has a total of 9 entries and the IKEv2/IPSec ones are at the end of the list on my phone and you have to scroll the list with your finger.

If the list really only has those 6 entries then you will need to look at using a third party app.

EDIT:
Searching I have found an Android document that indicates that the native IKEv2/IPSec clients are only available on Android 11 and later. Android 10 and lower only have IKEv1 as the native client.

It looks like the manufacturer of the tablet I have, added the IKEv2 option themselves on top of the base android availability.

So it looks like if your device can’t be upgraded to Android 11 or later, that you will have to use a third party app such as Strongswan suggested by @tphz

odongarma · 8 December 2022 14:55

That’s interesting!

I testet two phones, both running android 11.

One has the IKEv2/IPSec option (Samsung) and the other don’t (Motorola).

So maybe this really depends on manufacturer? It’s really strange.

But, this was only a question. I’ll keep this in mind.

@bonnietwin Big thanks to you!!

Greetz

bonnietwin · 8 December 2022 17:35

I did a bit more searching and it appears that Android 11 has a set of capabilities defined by the Android development group.

However some device manufacturers do adjust what is available with Android.

It looks like Motorola has rather surprisingly decided to remove or block the more secure, newer key exchange process from their version of Android 11 for some reason.

My phone is a Samsung one, which then matches with what you found.

So you should be able to go with IKEv2 on the Samsung but will have to use something like the Strongswan app for the Motorola.