Configure Android Devices for Mobile VPN with IKEv2

To configure a VPN connection between your Android device and a Firebox, we recommend the free strongSwan app. Not all Android versions or devices natively support IKEv2 VPNs.

To add the VPN connection on your device, you can use the StrongSwan profile provided by WatchGuard or manually configure settings on the device. This topic explains both methods.

Mobile VPN with IKEv2 is supported on Fireboxes with Fireware v12.1 and higher.

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Multi-Factor Authentication (MFA)

If you configure AuthPoint to provide multi-factor authentication for Mobile VPN with IKEv2 users:

  • Android users who connect through the strongSwan VPN client receive AuthPoint MFA push notifications only if you configure strongSwan for split tunneling.
  • When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts.

To configure split tunneling in strongSwan, see the documentation provided by strongSwan. For more information about WatchGuard mobile VPNs and multi-factor authentication, see Use Multi-Factor Authentication (MFA) with Mobile VPNs.

Automatically Configure VPN Settings

To configure a VPN connection with the StrongSwan profile provided by WatchGuard, you must download a compressed .TGZ file from your Firebox. This file contains instructions, profiles, and scripts for various operating systems. For information about how to download this file, see Configure Client Devices for Mobile VPN with IKEv2.

The profile provided by WatchGuard creates a new IKEv2 VPN profile in the strongSwan app on your Android device. It also installs the required CA certificate for the VPN connection.

Manually Configure VPN Settings

To manually add a new IKEv2 VPN connection:

  1. Email the rootca.pem file to your Android device.
  2. In the email message, tap the attached rootca.pem file.
  3. Select Import Certificate.
  4. Download and install the strongSwan VPN client from the Google Play store.
  5. Open the strongSwan VPN client.
  6. Select Add VPN Profile.
  7. Specify this information:
  • Server: [Hostname or IP address of the Firebox]
  • VPN Type: Firebox IKEv2 EAP (Username/Password)
  • Username: [Your Firebox username]
  • Password: (Optional) To save your password for later use, specify it now.
  • CA Certificate: Select automatically
  • Profile Name: [Descriptive name such as MyCompany IKEv2 VPN]
  1. Click Save.
  2. To connect to the VPN, select the new IKEv2 profile that you added.

Configure strongSwan DNS

The strongSwan client does not inherit a domain suffix or DNS servers from the Firebox. If the strongSwan client must resolve local FQDNs through the VPN, we recommend that you edit the strongSwan profile to add DNS servers.

To manually add DNS servers to the strongSwan profile:

  1. Press and hold the .sswan profile that you imported to your Android device.
  2. Tap Edit.
  3. Select the Show Advanced Settings check box.
  4. In the DNS servers text box, type the IP address of the local DNS server behind the Firebox.
  5. Tap Save.

For address resolution without a domain suffix, you must specify FQDNs and not host names.

See Also

About Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Troubleshoot Mobile VPN with IKEv2