Contents

Related Topics

Use Mobile VPN with IPSec with an Android Device

Mobile devices that run Android version 4.x and higher include a native VPN client. In some cases, hardware manufacturers modify the native Android VPN client to add options, or they include their own VPN client on the device.

To make an IPSec VPN connection to a Firebox from an Android device:

  • Your VPN client must operate in Aggressive mode.
  • The Firebox must run Fireware v11.5.1 or higher.
  • The Firebox must be configured with Phase 1 and 2 transforms that are supported by the Android device.

Recent versions of the native Android VPN client use Main mode which is not compatible with Mobile VPN with IPSec. You cannot view or change the mode setting on the native Android VPN client. However, if the hardware manufacturer of your Android device modified the native VPN client, you might be able to change this setting.

If you cannot change your device settings to Aggressive mode, we recommend that you try one of these connection methods:

  • If your hardware manufacturer installed its own VPN client on your Android device, try to connect with that client if it can operate in Aggressive mode. For more information, see the documentation from the manufacturer.
  • In the settings for the native Android VPN client, configure the L2TP with IPSec option. Next, enable L2TP on your Firebox. L2TP on the Firebox uses Main mode. For more information about L2TP, see About L2TP User Authentication.
  • Install the OpenVPN SSL client on your Android device. You must manually download the SSL client profile from the SSL Portal on your Firebox. For more information about the client profile, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.

Authentication and Encryption Settings

Android devices have a pre-configured list of supported VPN transforms. Unless the hardware manufacturer of your device modified the native Android VPN client, you cannot view this list or specify different default transforms. Recent Android OS versions have these default transforms:

Phase 1 — SHA2(256)–AES(256)–DH2

Phase 2 — SHA2(256)–AES(256)

Some older versions of Android OS use these default transforms:

Phase 1 — SHA1–AES(256)–DH2

Phase 2 — SHA1–AES(256)

In some cases, the hardware manufacturer of your Android device might specify different default transforms for the native Android VPN client.

To initiate a VPN connection to the Firebox, the Android device sends its default transform set to the Firebox. You must configure the Firebox with transforms supported by Android for the VPN connection to establish. We recommend that you specify the default Android transform set in your Mobile VPN with IPSec settings on the Firebox.

If you specify Firebox transforms different from the default Android transform set, the Android device sends the next transform set on its list. This process repeats until the Android device finds a transform set on its list that match the Firebox settings, or until the Android device reaches a retry limit or has no additional transforms to test.

To troubleshoot connection issues, see Troubleshoot Mobile VPN with IPSec and Traffic Monitor.

Configure the Firebox

Before you can connect with the native Android VPN client, you must configure the Mobile VPN with IPSec settings on your Firebox.

To configure the required settings on the Firebox, from Fireware Web UI:Closed
  1. Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  2. Click Add.
    The Mobile VPN with IPSec Settings page appears.

Screen shot of the Mobile VPn with IPSec Settings, General tab

  1. In the Name text box, type the name of the authentication group your Android VPN users belong to.

You can type the name of an existing group or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

  1. From the Authentication Server drop-down list, select an authentication server.

Make sure that this method of authentication is enabled.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  1. Type and confirm the Passphrase to use for this tunnel.
  2. In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
  3. Select the IPSec Tunnel tab.
    The IPSec Tunnel settings appear.

Screen shot of the mobile VPN with IPSec Settings - IPSec Tunnel tab

  1. Select Use the passphrase of the end user profile as the pre-shared key.
    This is the default setting.
  2. From the Authentication drop-down list, select SHA-2. Select SHA-1 if your Android device does not support SHA-2.
  3. From the Encryption drop-down list, select AES (256-bit). This is the default encryption setting for Android devices.
  4. In the Phase 1 Settings section, click Advanced.
    The Phase 1 Advanced Settings dialog box appears.
  1. Set the SA Life to 1 hour.

The Android VPN client is configured to rekey after 1 hour. If this profile is only used for connections by the Android VPN, set the SA Life to 1 hour to match the client setting.

If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, Shrew Soft VPN clients rekey after 8 hours, but the Android VPN client uses the smaller rekey value of 1 hour.

  1. From the Key Group drop-down list, select Diffie-Hellman Group 2. This is the default key group for Android devices.
  2. Do not change any of the other Phase 1 advanced settings.

Screen shot of the Mobile VPn with IPSec Settings

  1. Click OK.
  2. In the Phase 2 Settings section, clear the PFS check box.

Screen shot of the Phase 2 Settings PFS check box

  1. In the Phase 2 Settings section, click Advanced.
    The Phase 2 Advanced Settings dialog box appears.

  1. From the Authentication drop-down list, select SHA-2. Select SHA-1 if your Android device does not support SHA-2.
  2. From the Encryption drop-down list, select AES (256-bit), which is the default encryption setting for Android devices.
  3. In the Force Key Expiration settings, set the expiration Time to 1 hours and clear the Traffic check box.
  4. Click OK.
  5. Select the Resources tab.
  6. Select the Allow All Traffic Through Tunnel check box.
    This configures the tunnel for default-route VPN. The Android VPN client does not support split tunneling.
  7. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
    To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

  1. Click Save.
To configure the required settings on the Firebox, from Policy Manager:Closed

First, use the Mobile VPN with IPSec Wizard to configure the basic settings:

  1. Select VPN > Mobile VPN > IPSec.
    The Mobile VPN with IPSec Configuration dialog box appears.
  2. Click Add.
    The Add Mobile VPN with IPSec Wizard appears.
  3. Click Next.
    The Select a user authentication server page appears.

Screen shot of the Select a user authentication server wizard dialog box

  1. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to an Active Directory or RADIUS server. Make sure the authentication method you choose is enabled.

  1. In the Group Name text box, type the name of the authentication group your Android users belong to.

You can type the name of a Mobile VPN group you have already created or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  1. Click Next.
    The Select a tunnel authentication method page appears.

Screen shot of the Select a tunnel authentication method wizard dialog box

  1. Select Use this passphrase. Type and confirm the passphrase.
  2. Click Next.
    The Direct the flow of Internet traffic page appears.

Screen shot of the Directo the flow of Internet traffic wizard dialog box

  1. Select Yes, force all Internet traffic to flow through the tunnel..
    This configures the tunnel for default-route VPN. The Android VPN client does not support split tunneling.
  2. Click Next.
    The Create the virtual IP address pool page appears.

Screen shot of the Create the virtual IP address pool wizard dialog box

  1. Click Next and Finish.
  2. For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

  1. Click Next.
  2. To add users to the new Mobile VPN with IPSec group, select the Add users check box.
  3. Click Finish.
    The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.

Screen shot of the Mobile VPN with IPSec Configuration dialog box

Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the Android VPN client.

  1. In the Mobile VPN with IPSec Configuration dialog box, select the configuration you just added.
  2. Click Edit.
    The Edit Mobile VPN with IPSec dialog box appears.
  3. Select the IPSec Tunnel tab.

Screen shot of the Edit Mobile VPN with IPSec dialog box, IPsec Tunnel tab

  1. From the Authentication drop-down list, select SHA2-256. Select SHA-1 if your Android device does not support SHA-2.
  2. From the Encryption drop-down list, select AES (256-bit), which is the default encryption setting for Android devices.
  3. Click Advanced.
    The Phase 1 Advanced Settings dialog box appears.

Screen shot of the Phase1 Advanced Settings dialog box

  1. Set the SA Life to 1 hour.

The Android VPN client is configured to rekey after 1 hour. If this profile is only used for connections by the Android VPN , set the SA Life to 1 hour to match the client setting.

If you want to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, Shrew Soft VPN clients rekey after 8 hours, but the Android VPN client uses the smaller rekey value of 1 hour.

  1. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  2. Do not change any of the other Phase 1 Advanced Settings.
  3. Click OK.
  4. In the Edit Mobile VPN with IPSec dialog box, click Proposal.

Screen shot of the Phase2 Proposal dialog box

  1. From the Authentication drop-down list, select SHA2-256. Select SHA-1 if your Android device does not support SHA-2.
  2. From the Encryption drop-down list, select AES (256-bit), which is the default encryption setting for Android devices.
  3. In the Force Key Expiration settings, set the expiration Time to 1 hour, and clear the Traffic check box.
  4. Click OK.
  5. In the Edit Mobile VPN with IPSec dialog box, clear the PFS check box.
    Perfect Forward Secrecy is not supported by the Android VPN client.

Screen shot of the IPSec Tunnel tab with PFS check box cleared

  1. Save the configuration file to your Firebox.

To authenticate from the Android VPN client, Android VPN users must be members of the authentication group you specified in the Add Mobile VPN with IPSec Wizard.

  • For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
  • If you use a third-party authentication server, use the instructions provided in your vendor documentation.

Configure the Native Android VPN Client

After you configure the Firebox, users in the authentication group you specified in the Mobile VPN with IPSec profile on the Firebox can use the native Android VPN client to connect. To use the native Android VPN client, the user must manually configure the VPN client settings to match the settings configured on the Firebox.

To manually configure the native VPN client on the Android device:

  1. On the Settings page, in the Wireless &  Networks section, select More > VPN.

  1. Click Add VPN Network.
    The Edit VPN network page appears.

  1. Configure these settings:
    • Name — A name to identify this VPN connection on the Android device
    • Type — Select IPSec Xauth PSK
    • Server address — The external IP address of the Firebox
    • IPSec Identifier — The group name you specified in the Firebox Mobile VPN with IPSec configuration
    • IPSec pre-shared key — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
  1. Save the connection.
  2. Open the connection and type the Username and Password for a user in the specified authentication group.

Screen shot of the Android VPN client Connect page

  1. Click Connect.

To verify your connection was successful and that the VPN tunnel is active, browse to a website that shows your IP address such as www.whatismyip.com. If your Android device is connected through the VPN, your IP address is the external IP address of the Firebox.

See Also

Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Define Advanced Phase 2 Settings

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.