StrongSwan IKEv2 EAP-TLS VPN to Android
-
I recently spent some time getting StrongSwan IKEv2 EAP-TLS VPN working between my Android phone and pfsense 2.2.5. Thought I'd share my work.
I'm using the Strongswan Android app:
https://play.google.com/store/apps/details?id=org.strongswan.android
I am using a CyanogenMod build based on Jellybean. I tried one based on Kitkat, but something about the TUN drivers changed in that version and both StrongSwan and the OpenVPN Connect clients wouldnt work. So if you are here because OpenVPN Connect was complaining about TUN drivers, this may not help you either :(
We are going to steal shamelessly from this tutorial:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS
Essentially you follow it but read what follows for discussion and "corrections" that I used to make the connection work for me.
Certificates:
-
First open the /etc/ssl/openssl.conf file in pfsense (Diagnostics -> Edit file).
-
Search for the section titled [ usr_cert ]
-
Toward the end of that section add:
Note - this is for IPSEC/Strongswan (extendedKeyUsage and SubjectAltName)
This stuff is for subjectAltName and issuerAltname.
Import the email address.
subjectAltName=email:copy
subjectAltName=DNS:myservers.domain.name
An alternative to produce certificates that aren't
deprecated according to PKIX.
subjectAltName=email:move
extendedKeyUsage=serverAuth
Change the bolded value for subjectAltName to be your servers domain address.
-
The use the linked tutorial to add the CA, Server and client certificates. Follow the instructions carefully. I tried using an IP address for the Common name and it didn't go well. The sections about alternate names (DNS) in the server and client tags are especially important.
-
One thing I did was put a different email address in each cert which makes them easier to pick out in the logs if you are having issues.
Mobile clients:
-
I used 10.10.7.0 for the Network setting under virtual address pool (since you are probably dying to know).
-
You can make your other settings as per the linked tutorial or go your own way. I have a DNS server setup in pfsense, and defining it on this page doesn't seem to have any effect.
Phase 1:
-
My identifier: should be the Common Name that you used in your server certificate as the linked tutorial says. I notice changing the name to something else works too.
-
Peer identifier: I had to use Any to get it to work despite what the linked tutorial says.
Proposal algorithms:
Use values as per the linked tutorial. I also have had success with various other options including:
-
Encryption algorithm: AES 256
-
DH group: 16
-
Hash: SHA256
-
I have mobike enabled and setup dead peer detection for 240 seconds with 5 retries.
Phase 2:
-
Local Network: I used LAN subnet. If I used Network: 0.0.0.0/0, no traffic seems to pass between the phone and the router. I can also give it my default gateway and get traffic through.
-
NAT/BINAT are left at None.
Algorithms:
Use values as per the linked tutorial. I also had success with various other options including:
-
Encryption: AES 256
-
Hash: SHA 256
-
PFS key group: 16
-
Lifetime: 10800
-
Not pinging anything
Firewall Rules:
- Follow the steps in the linked tutorial.
Android setup:
-
Install Strongswan VPN client of course.
-
Then you export both the CA cert(.crt) and client cert (.p12) from pfsense and import them into the android phone. I coped them over USB to the phone and then used the file manager app to install them. YMMV. The Strongswan app has provisions to install certs too, but I couldn't figure out where to put the files so that it would see them.
Then in the Strongswan app, add a connection:
- Put in your gateway. I used the same address I did in my certs.
- Type: IKEv2 EAP-TLS (Certificate).
- Pick out your client certificate.
- CA cert: You can use "Select automatically" but the connection seems to happen faster if you pick out the CA cert you imported.
I didn't do anything with advanced settings.
Then hit connect and pray. If it fails you can look at the logs on both the android side and the pfsense side.
Notes:
I notice it takes a while for internet traffic to start moving through the connection (like 10 or 15 seconds). This made me waste time changing settings trying to figure out what was wrong.
Best of luck
-