Notes about Android and IPsec on Linux
Here are some personal notes on Jeff Sharkey's excellent article Deploying a pure-IPsec PKI VPN server for Android devices.
My setup is a little different from Jeff's: I have a 1 Gbps fiber plan, a Linux server NATed behind my ISP's router, and my IPsec VPN server runs in a Linux container (LXC), so the container doesn't have a public IP address. All the servers run Ubuntu Trusty 14.04. On the VPN client side I'm using Android 6.0 Marshmallow.
Server configuration
In addition to installing the packages
$ sudo apt-get install ipsec-tools racoon
I also installed the following packages
$ sudo apt-get install iptables openssl tcpdump
When installing the Debian racoon package, you have to choose the type of configuration; in my case I chose direct mode.
I had to add two new port forwarding rules on my ISP's router to send the UDP traffic on ports 500 and 4500 to my Linux server, and on the server I had to do the same thing with iptables:
$ sudo iptables -t nat -I PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 10.0.3.91:4500
$ sudo iptables -t nat -I PREROUTING -p udp -m udp --dport 500 -j DNAT --to-destination 10.0.3.91:500
Here the IP address 10.0.3.91 is the one assigned to the container running the IPsec VPN server.
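Added here as an example (it is not part of the original notes nor of the ipsec-tools project), the following POSIX sh script generates the same two DNAT rules from a port list and uses iptables -C before iptables -I, so it can be re-run without stacking duplicate rules. It assumes the container address 10.0.3.91 above and only executes iptables when DRY_RUN is empty.

```shell
#!/bin/sh
# Added example (not part of the original notes or of ipsec-tools): generate the
# two DNAT rules above from a port list so they can be re-applied safely.
# Assumptions: container address 10.0.3.91 as in the notes; IKE on UDP/500 and
# NAT-T on UDP/4500; iptables is executed only when DRY_RUN is empty.

IPSEC_UDP_PORTS="500 4500"

# Accept only a dotted-quad IPv4 address, so a typo cannot become a DNAT rule
# that hands the IKE traffic to some unintended host on the container bridge.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rule specification (everything after the -I / -C action) for one port.
dnat_rule_spec() {
    printf 'PREROUTING -p udp -m udp --dport %s -j DNAT --to-destination %s:%s' "$1" "$2" "$1"
}

# One command per port: iptables -C succeeds when the rule already exists, so
# re-running the script does not insert duplicate PREROUTING rules.
ipsec_dnat_commands() {
    dst="$1"
    if ! valid_ipv4 "$dst"; then
        echo "invalid container address: $dst" >&2
        return 1
    fi
    for port in $IPSEC_UDP_PORTS; do
        spec=$(dnat_rule_spec "$port" "$dst")
        printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' "$spec" "$spec"
    done
}

# Show the commands when DRY_RUN is set, otherwise execute them (needs root).
apply_ipsec_dnat() {
    cmds=$(ipsec_dnat_commands "$1") || return 1
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
}

# Usage: DRY_RUN=1 sh ipsec-dnat.sh 10.0.3.91   (drop DRY_RUN and run as root to apply)
if [ "$#" -eq 1 ]; then
    apply_ipsec_dnat "$1"
fi
```

The DNAT rules only redirect the inbound packets; the replies follow the conntrack entry back out. If the host's FORWARD chain policy is DROP, the forwarded UDP packets also need an ACCEPT rule there.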
In the /etc/racoon/racoon.conf file I had to replace the public IP address used by Jeff with the container's private IP address:
listen {
        isakmp 10.0.3.91[500];
        isakmp_natt 10.0.3.91[4500];
}
For more details about the configuration options, see the racoon.conf man page.
About the RSA keys: don't forget to convert your server's private key into RSA format using
$ openssl rsa -in myserver.key -out myserver-rsa.key
As the documentation says, the output filename must not be the same as the input filename, so you also need to update the key path in your /etc/racoon/racoon.conf.
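As an added check (not part of the original notes), this POSIX sh script reports which PEM header a key file carries, so you can tell before editing racoon.conf whether the conversion step above is still needed. It assumes that on the OpenSSL 1.0.x shipped with Trusty the openssl rsa command above writes the traditional PKCS#1 header "BEGIN RSA PRIVATE KEY", while a key generated with openssl req -newkey carries the PKCS#8 header "BEGIN PRIVATE KEY"; the sample files it creates contain only header lines and no real key material.

```shell
#!/bin/sh
# Added example (not part of the original notes): classify a PEM file by its
# header before pointing racoon at it.
# Assumption: on Trusty's OpenSSL 1.0.x, `openssl rsa -in in.key -out out.key`
# writes "BEGIN RSA PRIVATE KEY" (PKCS#1), whereas `openssl req -newkey` writes
# "BEGIN PRIVATE KEY" (PKCS#8); a passphrase-protected PKCS#1 key additionally
# carries a "Proc-Type: 4,ENCRYPTED" line.

# Print one word for the first PEM header in the file; non-zero if there is none.
pem_key_type() {
    header=$(grep -- '^-----BEGIN ' "$1" 2>/dev/null | head -n 1)
    if [ -z "$header" ]; then
        echo "no-pem"
        return 1
    fi
    case "$header" in
        *'BEGIN RSA PRIVATE KEY'*)
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "pkcs1-rsa-encrypted"
            else
                echo "pkcs1-rsa"
            fi ;;
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo "pkcs8-encrypted" ;;
        *'BEGIN PRIVATE KEY'*)           echo "pkcs8" ;;
        *'BEGIN CERTIFICATE'*)           echo "certificate" ;;
        *)                               echo "unknown" ;;
    esac
}

# Succeed only for an unencrypted PKCS#1 key (what the conversion above yields);
# otherwise print the conversion command, with a distinct output name as the
# notes require, and fail.
check_racoon_key() {
    key="$1"
    kind=$(pem_key_type "$key") || { echo "$key: no PEM header found" >&2; return 1; }
    case "$kind" in
        pkcs1-rsa)
            echo "$key: OK ($kind)" ;;
        pkcs8|pkcs8-encrypted|pkcs1-rsa-encrypted)
            echo "$key: $kind; convert with: openssl rsa -in $key -out ${key%.key}-rsa.key" >&2
            return 1 ;;
        *)
            echo "$key: not a private key ($kind)" >&2
            return 1 ;;
    esac
}

# Write a constructed sample with the given header label (header lines plus a
# dummy base64 line, no real key material) so the check can be exercised
# without touching a real key.
make_sample_pem() {
    printf -- '-----BEGIN %s-----\nY29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=\n-----END %s-----\n' "$2" "$2" > "$1"
}

# Usage: sh check-racoon-key.sh /etc/racoon/certs/myserver-rsa.key
if [ "$#" -eq 1 ]; then
    check_racoon_key "$1"
fi
```

Running it against the converted key should print OK; against the original key from a CSR run it prints the same openssl rsa command as above with a -rsa suffix on the output name.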
Android configuration
Here are some details to keep in mind when configuring the VPN profile on your phone:
- You don't need to install the adb tool to push your .p12 certificate file: you can download it from a URL, and Android will detect the format and install it with the Android certificate installer.
- If you want to use the Always-on VPN option, you need to specify the server's public IP address (instead of its FQDN), and you also must specify an IP address for the DNS servers.
Troubleshooting
If you run into problems, you can always take a look at the /var/log/syslog file and use tcpdump to inspect your network traffic.
It's also highly recommended to read Section 2 of the IPsec HOWTO to understand the theory behind IPsec and its Linux kernel implementation.