Notes about Android and IPsec on Linux

Here are some personal notes about Jeff Sharkey's excellent article Deploying a pure-IPsec PKI VPN server for Android devices.

My setup is a little different from Jeff's: I have a 1 Gbps fiber plan, a Linux server NATed behind my ISP's router, and my IPsec VPN server runs in a Linux container (LXC), so the container has no public IP address. All servers run Ubuntu Trusty 14.04. On the client side I'm using Android 6.0 Marshmallow.

Server configuration

In addition to installing the packages

$ sudo apt-get install ipsec-tools racoon

I also installed the following packages:

$ sudo apt-get install iptables openssl tcpdump

When installing the Debian racoon package you are asked to choose a configuration mode; in my case I chose direct mode.

I had to add two new port forwarding rules on my ISP's router to send the UDP traffic on ports 500 and 4500 to my Linux server, and on the server I had to do the same thing with iptables:

$ sudo iptables -t nat -I PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 10.0.3.91:4500
$ sudo iptables -t nat -I PREROUTING -p udp -m udp --dport  500 -j DNAT --to-destination 10.0.3.91:500

Here the IP address 10.0.3.91 is assigned to the container running the IPsec VPN server.
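As an added check (example code, not part of Jeff's article or of these notes), the following POSIX shell function verifies that both forwarding rules exist and deliver each port to the container on the same port it arrived on. It parses the text printed by iptables-save, here a constructed sample so it runs offline, and assumes the container address 10.0.3.91 from the rules above.

```shell
# Added example, not from the original notes: check that the two PREROUTING
# rules needed for IKE and NAT-T really forward udp/500 and udp/4500 to the
# container, each on the same port it arrived on. Input is the text printed by
# "iptables-save -t nat" (rules added with -I are printed back with -A).

# Constructed sample equivalent to the two iptables commands above.
GOOD_RULES='-A PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 10.0.3.91:4500
-A PREROUTING -p udp -m udp --dport 500 -j DNAT --to-destination 10.0.3.91:500'

# Constructed sample with a typical slip: udp/4500 lands on the container's
# port 500, so racoon's isakmp_natt listener never sees the floated IKE
# exchange or the UDP-encapsulated ESP and the connection never completes.
BAD_RULES='-A PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 10.0.3.91:500
-A PREROUTING -p udp -m udp --dport 500 -j DNAT --to-destination 10.0.3.91:500'

# check_ike_forwarding CONTAINER_IP "RULES"
# Prints one line per problem and returns the number of problems (0 = OK).
check_ike_forwarding() {
    container="$1"; rules="$2"; problems=0
    for port in 500 4500; do
        # Destinations of every UDP DNAT rule in PREROUTING for this exact port.
        dests=$(printf '%s\n' "$rules" \
            | grep -E "^-A PREROUTING .*-p udp .*--dport ${port} .*-j DNAT --to-destination [^ ]+" \
            | sed 's/.*--to-destination \([^ ]*\).*/\1/' || true)
        count=$(printf '%s\n' "$dests" | grep -c . || true)
        if [ "$count" -eq 0 ]; then
            echo "udp/${port}: no DNAT rule, IKE on this port never reaches ${container}"
            problems=$((problems + 1)); continue
        fi
        if [ "$count" -gt 1 ]; then
            echo "udp/${port}: ${count} DNAT rules, only the first match is used"
            problems=$((problems + 1))
        fi
        dest=$(printf '%s\n' "$dests" | head -n 1)
        host=${dest%:*}
        # A DNAT target without a port keeps the original destination port.
        case $dest in *:*) dport=${dest##*:} ;; *) dport=$port ;; esac
        [ "$host" = "$container" ] \
            || { echo "udp/${port}: forwarded to ${host}, expected ${container}"; problems=$((problems + 1)); }
        [ "$dport" = "$port" ] \
            || { echo "udp/${port}: forwarded to port ${dport}, must stay on ${port}"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Stand-alone run over the constructed samples; on the server pass
# "$(sudo iptables-save -t nat)" as the second argument instead.
check_ike_forwarding 10.0.3.91 "$GOOD_RULES" && echo "forwarding OK"
check_ike_forwarding 10.0.3.91 "$BAD_RULES" || echo "$? problem(s) found"
```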

In the /etc/racoon/racoon.conf file I had to replace the public IP address used by Jeff with the container's private IP address:

listen {
    isakmp 10.0.3.91[500];
    isakmp_natt 10.0.3.91[4500];
}

For more details about the configuration options, see the racoon.conf man page.

Regarding the RSA keys, don't forget to convert your server's private key into RSA format with

$ openssl rsa -in myserver.key -out myserver-rsa.key

As the documentation says, the output filename must not be the same as the input filename, so you also need to update the key path in your /etc/racoon/racoon.conf.

Android configuration

Here are some details to keep in mind when configuring the VPN profile on your phone:

  • You don't need to install the adb tool to push your .p12 certificate file: you can download it from a URL, Android will detect the format and install it using Android's certificate installer.
  • If you want to use the Always-on VPN option, you need to specify the server's public IP address (instead of its FQDN) and you must also specify IP addresses for the DNS servers.

Troubleshooting

If you run into problems, you can always take a look at the /var/log/syslog file and use tcpdump to inspect your network traffic.

It's also highly recommended to read Section 2 of the IPsec HOWTO to understand the theory behind IPsec and its Linux kernel implementation.