2018-12-24 11:49:40 +00:00
|
|
|
==================================
|
|
|
|
IPsec: Setup Android Remote Access
|
|
|
|
==================================
|
|
|
|
|
|
|
|
.. contents:: Index
|
|
|
|
|
|
|
|
Here you can see the configuration options for all compatible VPN types.
|
|
|
|
We assume that you are familiar with adding a new VPN connection.
|
|
|
|
|
|
|
|
All screenshot were taken from Android version 7.
|
|
|
|
|
|
|
|
----------------------------
|
|
|
|
Step 1 - Install Certificate
|
|
|
|
----------------------------
|
|
|
|
|
|
|
|
For all RSA or IKEv2 related VPN configurations we need to install the Root CA and sometimes also
|
|
|
|
the client certificate. Please export it do your device in a secure way like with an USB stick or a
|
|
|
|
local file exchange service like Nextcloud. Under settings search for "cert" and you will be prompted for
|
|
|
|
**Install certificates**. Navigate to the download directory and install the Root CA and - when configured -
|
|
|
|
the client certificate.
|
|
|
|
|
|
|
|
---------------------------
|
|
|
|
Step 2 - Add VPN Connection
|
|
|
|
---------------------------
|
|
|
|
|
2019-03-06 17:27:21 +00:00
|
|
|
Add a new VPN connection via :menuselection:`Settings --> More --> VPN`, enter a **Name** and choose the type you need.
|
2018-12-24 11:49:40 +00:00
|
|
|
Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the
|
|
|
|
CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers**
|
|
|
|
or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN.
|
|
|
|
|
|
|
|
If you want to use IKEv2 you have to use the strongSwan app_ via App Store, as Android stock VPN only
|
|
|
|
supports IKEv1.
|
|
|
|
|
|
|
|
.. _app: https://play.google.com/store/apps/details?id=org.strongswan.android
|
|
|
|
|
|
|
|
See the following screenshots for the different VPN types:
|
|
|
|
|
|
|
|
------------------
|
|
|
|
Mutual PSK + XAuth
|
|
|
|
------------------
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_mutualpsk1.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_mutualpsk2.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
------------------
|
|
|
|
Mutual RSA + XAuth
|
|
|
|
------------------
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_mutualrsa1.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_mutualrsa2.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
----------------------------------
|
|
|
|
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
|
|
|
|
----------------------------------
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_ikev2-mschap1.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_ikev2-mschap2.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_ikev2-mschap3.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
---------------
|
|
|
|
IKEv2 + EAP-TLS
|
|
|
|
---------------
|
|
|
|
|
|
|
|
For EAP-TLS choose RSA (local)+ EAP-TLS (remote) in your OPNsense configuration.
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_ikev2-cert.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
---------------------------------
|
|
|
|
IKEv2 + Mutual RSA + EAP-MSCHAPv2
|
|
|
|
---------------------------------
|
|
|
|
|
|
|
|
This is the most secure combination!
|
|
|
|
|
|
|
|
.. image:: images/ipsec_rw_android_ikev2-certeap.png
|
|
|
|
:width: 60%
|
|
|
|
|