2
0
mirror of https://github.com/opnsense/docs synced 2024-11-05 06:00:36 +00:00
opensense-docs/source/manual/how-tos/ipsec-rw-android.rst

89 lines
2.7 KiB
ReStructuredText
Raw Normal View History

==================================
IPsec: Setup Android Remote Access
==================================
.. contents:: Index
Here you can see the configuration options for all compatible VPN types.
We assume that you are familiar with adding a new VPN connection.
All screenshot were taken from Android version 7.
----------------------------
Step 1 - Install Certificate
----------------------------
For all RSA or IKEv2 related VPN configurations we need to install the Root CA and sometimes also
the client certificate. Please export it do your device in a secure way like with an USB stick or a
local file exchange service like Nextcloud. Under settings search for "cert" and you will be prompted for
**Install certificates**. Navigate to the download directory and install the Root CA and - when configured -
the client certificate.
---------------------------
Step 2 - Add VPN Connection
---------------------------
Add a new VPN connection via :menuselection:`Settings --> More --> VPN`, enter a **Name** and choose the type you need.
Under **Server address** use your FQDN of the Firewall. Also keep in mind that it has to match with the
CN of your certificate! Opening **Advanced options** you can set **DNS search domains**, **DNS servers**
or **Forwarding routes**, which is the network you configured in Phase2 of your mobile VPN.
If you want to use IKEv2 you have to use the strongSwan app_ via App Store, as Android stock VPN only
supports IKEv1.
.. _app: https://play.google.com/store/apps/details?id=org.strongswan.android
See the following screenshots for the different VPN types:
------------------
Mutual PSK + XAuth
------------------
.. image:: images/ipsec_rw_android_mutualpsk1.png
:width: 60%
.. image:: images/ipsec_rw_android_mutualpsk2.png
:width: 60%
------------------
Mutual RSA + XAuth
------------------
.. image:: images/ipsec_rw_android_mutualrsa1.png
:width: 60%
.. image:: images/ipsec_rw_android_mutualrsa2.png
:width: 60%
----------------------------------
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
----------------------------------
.. image:: images/ipsec_rw_android_ikev2-mschap1.png
:width: 60%
.. image:: images/ipsec_rw_android_ikev2-mschap2.png
:width: 60%
.. image:: images/ipsec_rw_android_ikev2-mschap3.png
:width: 60%
---------------
IKEv2 + EAP-TLS
---------------
For EAP-TLS choose RSA (local)+ EAP-TLS (remote) in your OPNsense configuration.
.. image:: images/ipsec_rw_android_ikev2-cert.png
:width: 60%
---------------------------------
IKEv2 + Mutual RSA + EAP-MSCHAPv2
---------------------------------
This is the most secure combination!
.. image:: images/ipsec_rw_android_ikev2-certeap.png
:width: 60%