Configure Android Devices for Mobile VPN with IKEv2

To configure a VPN connection between your Android device and a Firebox, we recommend the free strongSwan app. Not all Android versions or devices natively support IKEv2 VPNs.

To add the VPN connection, you can:

Fireboxes with Fireware v12.1 or higher support Mobile VPN with IKEv2.

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

About Settings

Multi-Factor Authentication (MFA)

If you configure AuthPoint to provide multi-factor authentication for Mobile VPN with IKEv2 users:

  • Android users who connect through the strongSwan VPN client receive AuthPoint MFA push notifications only if you configure strongSwan for split tunneling.
  • When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts.

For more information about WatchGuard mobile VPNs and multi-factor authentication, see Use Multi-Factor Authentication (MFA) with Mobile VPNs.

Automatically Configure VPN Settings

To configure a VPN connection with the StrongSwan profile provided by WatchGuard, you must download a .TGZ file from your Firebox and extract the contents. This compressed file contains a README.txt instruction file and an .SSWAN profile. For information about how to download this file, see Configure Client Devices for Mobile VPN with IKEv2.

The profile provided by WatchGuard creates a new IKEv2 VPN profile in the strongSwan app on your Android device. It also installs the required CA certificate for the VPN connection.

To automatically add a new IKEv2 VPN connection with the .sswan profile:

  1. Send the .SSWAN profile to your Android device.
  2. On your Android device, save the .sswan profile.
  3. Download and install the strongSwan VPN client from the Google Play store.
  4. Open the strongSwan VPN client.
  5. Next to Add VPN Profile, tap the three vertical dots.
  6. Tap Import VPN profile.
  7. Tap Files.
  8. Tap the .SSWAN profile that you saved to your device.
  9. Specify your username.
  10. (Optional) To save your password for later use, specify it now.
  11. Tap Import.
  12. To connect to the VPN, select the new IKEv2 profile that you added.

Manually Configure VPN Settings

To manually add a new IKEv2 VPN connection:

  1. Email the rootca.pem file to your Android device.
  2. In the email message, tap the attached rootca.pem file.
  3. Select Import Certificate.
  4. Download and install the strongSwan VPN client from the Google Play store.
  5. Open the strongSwan VPN client.
  6. Select Add VPN Profile.
  7. Specify this information:
  • Server: [Hostname or IP address of the Firebox]
  • VPN Type: Firebox IKEv2 EAP (Username/Password)
  • Username: [Your Firebox username]
  • Password: (Optional) To save your password for later use, specify it now.
  • CA Certificate: Select automatically
  • Profile Name: [Descriptive name such as MyCompany IKEv2 VPN]
  1. Click Save.
  2. To connect to the VPN, select the new IKEv2 profile that you added.

If the strongSwan client must resolve local FQDNs through the VPN, we recommend that you edit the strongSwan profile to add DNS servers.

To manually add DNS servers to the strongSwan profile:

  1. Press and hold the .SSWAN profile that you imported to your Android device.
  2. Tap Edit.
  3. Select the Show Advanced Settings check box.
  4. In the DNS servers text box, type the IP address of the local DNS server behind the Firebox.
  5. Tap Save.

For address resolution without a domain suffix, you must specify FQDNs and not host names.

Related Topics

About Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Troubleshoot Mobile VPN with IKEv2