strongSwan VPN Client


Official Android 4+ port of the popular strongSwan VPN solution.

# FEATURES AND LIMITATIONS #

* Uses the VpnService API featured by Android 4+. Devices by some manufacturers seem to lack support for this - strongSwan VPN Client won't work on these devices!
* Uses the IKEv2 key exchange protocol (IKEv1 is currently not supported)
* Full support for changed connectivity and mobility through MOBIKE (or reauthentication)
* Supports username/password EAP authentication (namely EAP-MSCHAPv2, EAP-MD5 and EAP-GTC) as well as RSA/ECDSA private key/certificate authentication to authenticate users; EAP-TLS is also supported
* Combined RSA/ECDSA and EAP authentication is supported by using two authentication rounds as defined in RFC 4739
* VPN gateway certificates are verified against the CA certificates pre-installed or installed by the user on the system. The CA or server certificates used to authenticate the gateway can also be imported directly into the app.
* IKEv2 fragmentation is supported if the VPN gateway supports it (strongSwan does so since 5.2.1)
* The IPsec implementation currently supports the AES-CBC, AES-GCM and SHA1/SHA2 algorithms
* Passwords are currently stored as cleartext in the database (only if stored with a profile)

# EXAMPLE GATEWAY CONFIGURATION #

This client can be used with the following gateway configuration that is also compatible with the Windows 7 Agile VPN client:

http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

But please note that the host name configured with a VPN profile in the app *must be* contained in the gateway certificate as subjectAltName.
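
The subjectAltName requirement above can be checked on a gateway certificate before it is deployed. The following is an added example, not part of the original listing or the strongSwan project; `vpn.example.com`, the file names and both function names are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```bash
#!/bin/sh
# Added example: check that a gateway certificate carries the profile's
# host name as a subjectAltName (a matching CN alone is not sufficient).

# make_demo_cert OUT CN [SAN]: create a throwaway self-signed certificate
# (constructed sample input). SAN is e.g. "DNS:vpn.example.com" or empty.
make_demo_cert() {
    out=$1; cn=$2; san=$3
    set -- req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$out.key" -out "$out" -days 1 -subj "/CN=$cn"
    if [ -n "$san" ]; then
        set -- "$@" -addext "subjectAltName=$san"
    fi
    openssl "$@" 2>/dev/null
}

# gateway_san_contains CERT HOST: succeed only if HOST appears as a DNS
# entry in the certificate's subjectAltName extension. The subject CN is
# deliberately ignored.
gateway_san_contains() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//' |
        grep -Fxqi "DNS:$2"
}

# Demo: same CN in both certificates, only one has the SAN entry.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/with_san.pem" vpn.example.com "DNS:vpn.example.com"
make_demo_cert "$demo_dir/cn_only.pem" vpn.example.com ""

for cert in with_san cn_only; do
    if gateway_san_contains "$demo_dir/$cert.pem" vpn.example.com; then
        echo "$cert: host name present in subjectAltName"
    else
        echo "$cert: host name missing from subjectAltName"
    fi
done
```

To check a real gateway certificate, call `gateway_san_contains` with its PEM file and the host name entered in the VPN profile.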

# FEEDBACK #

Please post bug reports and feature requests on our wiki: http://wiki.strongswan.org/projects/strongswan/issues
If you do so, please include information about your device (manufacturer, model, OS version etc.).

The log file written by the key exchange daemon can be sent directly from within the application.

Recent changes:
# 1.4.5 #

- Based on strongSwan 5.2.1, which adds e.g. improved MOBIKE handling and support for IKEv2 fragmentation
- Adds basic support for EAP-TLS
- Enables PFS for IPsec SAs

# 1.4.0 #

- Adds the ability to import CA and server certificates directly into the app
- The GUI now indicates if the connection is being reestablished
- A DNS proxy resolves the VPN server's hostname while reestablishing
- Supports ECDSA private keys on recent Android systems (verified on Android 4.4.4)
Free
83
4.2
User ratings: 485
Installs: 100,000+
Concerns: 0
File size: 3607 kb
User reviews of strongSwan VPN Client
Android Market Comments
A Google User
Nov 19, 2014
IPv6 and IPv4 work great Both IPv6 and IPv4 inside the VPN work as of Android 5.0. IPv6 doesn't work properly in Android 4.4.4. App is easy to configure, and log output is useful.
A Google User
Nov 6, 2014
Hate giving a well intentioned free app 2 stars but... This won't authenticate against a CN whose name doesn't exactly match its certificate, but it can't be configured. Worse imported certificates cannot be removed, ever, even by uninstalling. The courtesy of a dev reply gets a second star, and I really want this to work! But even with a subject alternate name, it won't authenticate. Also, long click to remove doesn't work. Android 4.4.4. Sorry!
A Google User
Nov 3, 2014
Hate giving a well intentioned free app 1 star, but... This thing is awful. It won't authenticate against a CN whose name doesn't exactly match its certificate, but it can't be configured. Worse imported certificates cannot be removed, ever, even by uninstalling. Sorry to say this app is worth less than its free price.
A Google User
Nov 2, 2014
DNS doesn't work after the VPN was established, the DNS was not working even though they were correctly configured.
A Google User
Sep 15, 2014
Advanced crypto made simple Use, e.g., a Raspberry Pi as cheap home VPN GW.