Configure Android Devices for Mobile VPN with IKEv2
To add the VPN connection, you can:
- Automatically configure VPN settings — Download the strongSwan profile from the Firebox and import it on Android devices.
- Manually configure VPN settings — Manually configure an IKEv2 VPN connection on Android devices.
Fireboxes with Fireware v12.1 or higher support Mobile VPN with IKEv2.
For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.
About Settings
Multi-Factor Authentication (MFA)
If you configure AuthPoint to provide multi-factor authentication for Mobile VPN with IKEv2 users:
- Android users who connect through the strongSwan VPN client receive AuthPoint MFA push notifications only if you configure strongSwan for split tunneling.
- When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts.
For more information about WatchGuard mobile VPNs and multi-factor authentication, go to Use Multi-Factor Authentication (MFA) with Mobile VPNs.
Automatically Configure VPN Settings
To configure a VPN connection with the strongSwan profile provided by WatchGuard, you must download a .TGZ file from your Firebox and extract the contents. This compressed file contains a README.txt instruction file and an .SSWAN profile. For information about how to download this file, go to Configure Client Devices for Mobile VPN with IKEv2.
The profile provided by WatchGuard creates a new IKEv2 VPN profile in the strongSwan app on your Android device. It also installs the required CA certificate for the VPN connection.
In Fireware v12.9 or higher, the Mobile VPN with IKEv2 configuration on the Firebox includes settings for split tunneling. If you configure split tunneling, the .SSWAN profile that you download from the Firebox and run on Android devices includes a section that adds the VPN routes. Only the strongSwan client app for mobile devices supports this option. The strongSwan client for Linux does not support this option.
After you install the client configuration files:
- The internal resources that you added to the Allowed Network Addresses list in the Mobile VPN with IKEv2 configuration are added to the routing table on the client. These routes are added on the client only when the connection is established.
- These routes are bound to the specified VPN connection on the client. If the client device has multiple VPN connections configured, these routes are not bound to the other VPN connections.
- When the connection disconnects, these routes are deleted from the routing table.
If you edit the Allowed Network Addresses list on the Firebox after you download and install the client configuration files on client devices:
- Download updated client configuration files from the Firebox and reinstall them on client devices.
- If you remove a host or network from the Allowed Network Addresses list, but you do not install updated client configuration files on client devices, VPN clients still have a route to that host or network and can initiate traffic to it, but the Firebox denies the traffic.
You can also configure a full tunnel (default route) VPN. For information about split tunnel and full tunnel settings on the Firebox, go to Edit the Mobile VPN with IKEv2 Configuration.
For information about split tunnel and full tunnel settings on clients, go to Internet Access Through a Mobile VPN with IKEv2 Tunnel.
In Fireware v12.8.x or lower, you cannot configure split tunneling in the Mobile VPN with IKEv2 configuration on the Firebox. Fireware v12.8.x or lower supports connections from Mobile VPN with IKEv2 clients configured for split tunneling. However, you must manually configure IKEv2 clients for split tunneling. For example, you must manually add routes on the client computer for each remote network that you require access to. For Fireboxes with Fireware v12.8.x or lower, we do not provide customer support for split tunnel configurations on IKEv2 clients. See the documentation provided by your VPN client vendor. If you require split tunneling in Fireware v12.8.x or lower, we recommend that you use Mobile VPN with SSL. For information about Mobile VPN with SSL and split tunneling, go to Options for Internet Access Through a Mobile VPN with SSL Tunnel.
In Fireware v12.9 or higher, the WatchGuard automatic configuration script includes a domain name suffix if you specify one in the network (global) DNS settings on the Firebox. In the Mobile VPN with IKEv2 configuration on the Firebox, you must select Assign the Network DNS/WINS settings to mobile clients. Mobile VPN clients inherit the domain name suffix.
For information about how to configure the network (global) DNS settings on the Firebox, go to Configure Network DNS and WINS Servers.
For information about DNS settings in the Mobile VPN with IKEv2 configuration on the Firebox, go to Edit the Mobile VPN with IKEv2 Configuration.
In Fireware v12.8.x or lower, Mobile IKEv2 clients do not inherit a domain name suffix from the Firebox. If the strongSwan client must resolve local FQDNs through the VPN, we recommend that you edit the strongSwan profile to add DNS servers. For instructions, go to the Manually Configure VPN Settings section on this page.
To automatically add a new IKEv2 VPN connection with the .SSWAN profile:
- Send the .SSWAN profile to your Android device.
- On your Android device, save the .SSWAN profile.
- Download and install the strongSwan VPN client from the Google Play store.
- Open the strongSwan VPN client.
- Next to Add VPN Profile, tap the three vertical dots.
- Tap Import VPN profile.
- Tap Files.
- Tap the .SSWAN profile that you saved to your device.
- Specify your username.
- (Optional) To save your password for later use, specify it now.
- Tap Import.
- To connect to the VPN, select the new IKEv2 profile that you added.
Manually Configure VPN Settings
To manually add a new IKEv2 VPN connection:
- Email the rootca.pem file to your Android device. Email is not a trusted channel, so confirm with your Firebox administrator that the certificate you received is the Firebox CA certificate before you import it.
- In the email message, tap the attached rootca.pem file.
- Select Import Certificate.
- Download and install the strongSwan VPN client from the Google Play store.
- Open the strongSwan VPN client.
- Select Add VPN Profile.
- Specify this information:
- Server: [Hostname or IP address of the Firebox]
- VPN Type: IKEv2 EAP (Username/Password)
- Username: [Your Firebox username]
- Password: (Optional) To save your password for later use, specify it now.
- CA Certificate: Select automatically
- Profile Name: [Descriptive name such as MyCompany IKEv2 VPN]
- Tap Save.
- To connect to the VPN, select the new IKEv2 profile that you added.
If the strongSwan client must resolve local FQDNs through the VPN, we recommend that you edit the strongSwan profile to add DNS servers.
To manually add DNS servers to the strongSwan profile:
- Press and hold the VPN profile that you imported from the .SSWAN file on your Android device.
- Tap Edit.
- Select the Show Advanced Settings check box.
- In the DNS servers text box, type the IP address of the local DNS server behind the Firebox.
- Tap Save.
For address resolution without a domain suffix, you must specify FQDNs and not host names.
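The .SSWAN file that the Firebox generates (described in the Automatically Configure VPN Settings section) and the DNS servers you add by hand (the procedure above) both end up as fields in one JSON profile that the strongSwan Android client imports. The following script is an added example, not WatchGuard's profile generator and not code from the strongSwan project: it builds such a profile from the values an administrator already has (Firebox hostname, username, rootca.pem, the Allowed Network Addresses list, a local DNS server), validates it before it is sent to a device, and reports which client-side split-tunnel routes are stale after a network is removed from the Allowed Network Addresses list on the Firebox. The JSON field names (uuid, name, type, remote.addr, remote.cert, local.eap_id, split-tunneling.subnets, dns-servers) follow the published strongSwan Android VPN client profile format; the hostname, subnets, DNS address and the placeholder CA certificate body are constructed for the example.

```python
"""Build, validate and diff a strongSwan Android .sswan profile (added example)."""
import base64
import ipaddress
import json
import uuid

# Constructed placeholder standing in for the Firebox rootca.pem. A real PEM
# body is base64-encoded DER; this body is base64 of a marker string, so it
# exercises the PEM-to-base64 conversion without being a real certificate.
_FAKE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Profile types the strongSwan Android client accepts in the "type" field.
VALID_TYPES = {"ikev2-eap", "ikev2-cert", "ikev2-cert-eap",
               "ikev2-eap-tls", "ikev2-byod-eap"}


def pem_to_base64_der(pem: str) -> str:
    """Strip the PEM armor; the remaining base64 is the DER the profile expects."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    b64 = "".join(body)
    base64.b64decode(b64, validate=True)  # raises binascii.Error on garbage
    return b64


def build_profile(name, server, username, ca_pem,
                  allowed_networks=(), dns_servers=()):
    """Assemble an IKEv2 EAP (Username/Password) profile as a dict.

    allowed_networks mirrors the Firebox Allowed Network Addresses list and
    becomes the split-tunneling section; dns_servers is what the manual
    "DNS servers" field in the strongSwan client sets.
    """
    for net in allowed_networks:
        ipaddress.ip_network(net, strict=True)  # reject 10.0.1.5/24-style entries
    for dns in dns_servers:
        ipaddress.ip_address(dns)
    profile = {
        "uuid": str(uuid.uuid4()),
        "name": name,
        "type": "ikev2-eap",
        "remote": {"addr": server, "cert": pem_to_base64_der(ca_pem)},
        "local": {"eap_id": username},
    }
    if allowed_networks:
        profile["split-tunneling"] = {"subnets": " ".join(allowed_networks)}
    if dns_servers:
        profile["dns-servers"] = " ".join(dns_servers)
    return profile


def check_profile(profile) -> list:
    """Return a list of problems; an empty list means the profile looks importable."""
    issues = []
    for key in ("uuid", "name", "type"):
        if not profile.get(key):
            issues.append(f"missing {key}")
    if profile.get("type") not in VALID_TYPES:
        issues.append(f"unknown type {profile.get('type')!r}")
    if not profile.get("remote", {}).get("addr"):
        issues.append("missing remote.addr (Firebox hostname or IP address)")
    if profile.get("type") == "ikev2-eap" and not profile.get("local", {}).get("eap_id"):
        issues.append("missing local.eap_id (Firebox username)")
    for net in profile.get("split-tunneling", {}).get("subnets", "").split():
        try:
            ipaddress.ip_network(net)
        except ValueError:
            issues.append(f"bad split-tunneling subnet {net!r}")
    for dns in profile.get("dns-servers", "").split():
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            issues.append(f"bad DNS server {dns!r}")
    return issues


def stale_routes(profile, allowed_now) -> list:
    """Routes the installed profile still pushes that the Firebox no longer allows.

    Traffic to these networks leaves the client through the tunnel but is
    denied by the Firebox until an updated profile is installed.
    """
    pushed = profile.get("split-tunneling", {}).get("subnets", "").split()
    current = {ipaddress.ip_network(n) for n in allowed_now}
    return [n for n in pushed if ipaddress.ip_network(n) not in current]


def to_sswan(profile) -> str:
    """Serialize the profile to the JSON text saved as <name>.sswan."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    # Constructed values: vpn.example.com, alice, and RFC 1918 networks.
    prof = build_profile("MyCompany IKEv2 VPN", "vpn.example.com", "alice",
                         SAMPLE_CA_PEM, ["10.0.1.0/24", "192.168.50.0/24"],
                         ["10.0.1.53"])
    print(to_sswan(prof))
    print("issues:", check_profile(prof))
    # Administrator later removes 192.168.50.0/24 from Allowed Network Addresses.
    print("stale routes:", stale_routes(prof, ["10.0.1.0/24"]))
```

Write the output of to_sswan to a file with the .sswan extension and import it with the steps in the Automatically Configure VPN Settings section. The stale_routes check is the one to run before you assume a client is cut off from a network: as long as the old profile is installed, the client keeps the route and the Firebox, not the client, is what blocks the traffic.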
Configure Client Devices for Mobile VPN with IKEv2
Configure iOS and macOS Devices for Mobile VPN with IKEv2