Could you please give some guidance on where to dig?
What I have:
I have a device (HTC One X) with ICS (Android 4.x) on board.
My Company has a corporate VPN server based on Microsoft VPN Services (RRAS and so on).
Microsoft VPN Server has a policy applied to it which tells it to accept only connections with MSCHAPV2 authentication.
What I need:
I need to make VPN connection from my device to my corporate VPN Server.
Questions:
Is it possible to get my need with ICS's onboard VPN client?
Is there any 3rd party VPN client which does it?
How to ask Google about my need?
Android supports MS-CHAP V2, but that is part of phase 2 authentication and is configured automatically during handshake. The question that needs to be answered first is what VPN protocol is being used?
PPTP? Check if you need to enable encryption (MPPE)
L2TP/IPSec? It's possible all of them are supported; you may also have to check whether it's PSK or RSA.
If it's RSA, you need to install the certificate for connecting.
SSTP? SSTP is only available on Windows.
You should also be aware that MSCHAPV2 on PPTP is considered broken (cryptographically unsafe). And SSTP is not supported on Android. I'm assuming SSTP is an option and OpenVPN isn't because the company is using MS VPN.
To answer your questions:
1. If the server enabled PPTP or (L2TP/)IPSec, Android 2.x+ should be able to connect, as long as the vendor didn't strip out the built-in VPN in stock Android.
2. Any 3rd party VPN client should support these two widely used protocols.
3. Google's Android repository on Google Code should be consulted if there are issues with the VPN client: https://code.google.com/p/android/issues/advsearch
I don't have much idea about VPN in Android, but there are a couple of solutions you can try:
Install StrongSwan VPN client - https://play.google.com/store/apps/details?id=org.strongswan.android&hl=en_GB - but dunno if it would work or if it requires a server software. Best guess is to try it.
Install a custom ROM (CyanogenMod/AOKP/Pacman/Paranoid/etc) and then try. Usually, custom ROMs include such functionality that isn't present in the (crappy) stock ROMs.
Good luck :P
Related
I'm trying to implement Android device administration on a range of company-owned devices. The network these devices will be on does not have an internet connection - It will only have Wi-Fi connection to the enterprise network.
I have the device working with a policy controller, all hard-coded into the app loaded via Android Studio.
My next step is creating an Enterprise Mobility Management (EMM) console, but the documentation seems to explain that it's cloud-based and requires Google accounts. Is there a way to implement this functionality on an offline secure network without Google accounts?
Yes, there is a way to implement device management functionality on an offline network.
Headwind MDM, the project I am working on, is a self hosted mobile device management solution which can manage Android devices without Internet connection (using Wi-Fi or private APN in mobile networks). Also, it is open source so you can adjust the code for your needs.
The only exception is that you may need Internet connection during the initial setup of your Android devices, because some models require access to Google Play Protect when installing the device owner application.
I need to connect a VPN programmatically in my app, but can't seem to find a way. I see VpnService, StrongSwan, OpenVPN but this seems not IPSec. How do I go about connecting to my already built IPSec and L2TP servers that have a username, password and pre-shared key?
You cannot do it in the latest versions of Android. It could be done via the SystemProperties.java class, which has APIs available for these connections, but these APIs are now hidden in the latest Android versions due to security risks.
However, if the phone is rooted then you can use it via hacks like reflection etc. to access those system properties and get everything going.
I have created a VPN Profile on my Android device. Now, I would like to create an Android application to manage (restrict and allow) which applications can access this VPN Profile.
So far, I've looked at Android's VPN Service which allows us to manage which applications can access the VPN Service but I am unable to correlate how this solution fits in with an already created VPN Profile.
There is no relation between the VpnService API and VPN connections you create in Android's built-in VPN client. When using the VpnService API you'll have to implement a VPN protocol yourself and tunnel data read from the TUN device, which is created via the API, and back again (or use a library that implements a VPN protocol that does this for you); only then can you restrict apps from using the VPN using VpnService.Builder's addDisallowedApplication() method.
You can also look for VPN apps in the app store that already use this API and support excluding (or including) apps that may use the VPN.
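As an added illustration (not code from the answer above), this is how a VpnService subclass can create the TUN device while excluding specific apps from the tunnel. The class name, package names and tunnel address are hypothetical, and the VPN protocol that forwards the packets is out of scope here.

```java
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Hypothetical service; it must be declared in AndroidManifest.xml with
// android:permission="android.permission.BIND_VPN_SERVICE" and an
// intent filter for the action android.net.VpnService.
public class PerAppVpnService extends VpnService {
    private static final String TAG = "PerAppVpn";
    // Constructed sample package names: apps that must bypass the tunnel.
    private static final List<String> BYPASS =
            Arrays.asList("com.example.banking", "com.example.printer");

    private ParcelFileDescriptor tun;

    // Call only after VpnService.prepare(context) has returned null,
    // i.e. the user has consented to this app acting as the VPN.
    ParcelFileDescriptor openTunnel() {
        Builder b = new Builder()
                .setSession("per-app-demo")
                .addAddress("10.8.0.2", 32)   // assumed tunnel address
                .addRoute("0.0.0.0", 0);      // capture all IPv4 traffic
        for (String pkg : BYPASS) {
            try {
                // API 21+. A Builder takes either an allowed list or a
                // disallowed list; mixing addAllowedApplication() with this
                // call throws UnsupportedOperationException.
                b.addDisallowedApplication(pkg);
            } catch (PackageManager.NameNotFoundException e) {
                // Package not installed: nothing to exclude, keep going.
                Log.w(TAG, "skipping missing package " + pkg);
            }
        }
        tun = b.establish();   // null if the app is not prepared or was revoked
        // Packets from every non-excluded app now arrive on this descriptor.
        // A protocol implementation must read them, send them to the VPN
        // server over a socket marked with protect(), and write replies back.
        return tun;
    }

    @Override
    public void onDestroy() {
        try {
            if (tun != null) tun.close();
        } catch (IOException ignored) {
            // Descriptor already closed.
        }
        super.onDestroy();
    }
}
```

Excluded apps use the network as if the VPN were not running, so their traffic leaves the device outside the tunnel; keep the bypass list as short as the use case allows.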
You can find many free VPN or proxy servers. I use NordVPN, and I check its efficiency on the whats my ip service. You can also use it. It's free. A VPN is important where you need to get access to blocked sites or social media like Twitter or Facebook. During my trip to China I used a VPN and the whats my ip service.
I'm trying to install a Charles Certificate on an Android emulator and I noticed that there are two Credential use options: "VPN and apps" and "Wi-Fi".
I've tried looking around for explanations regarding the two options, but the ones I've found simply say "pick one that fits your use case."
What is the difference between the two options? Which one should a developer pick?
The WiFi option is for authenticating WiFi networks, while VPN and apps is for authenticating certificates for SSL/TLS communication for apps including the browser.
I can also confirm that VPN and apps is the right choice for proxying HTTPS requests for an Android device in Charles.
You can use digital certificates to identify your device for a variety of purposes, including VPN or Wi-Fi network access as well as authentication to servers by apps such as Email or Chrome. If you plan to use certificates for Wi-Fi authentication, be sure to select the Wi-Fi option from the menu described below.
Source: https://support.google.com/nexus/answer/2844832?hl=en
I feel like it must be possible to connect to the IBM VPN with Android using an L2TP/IPSec CRT VPN, but am not totally sure. IBMers use the AT&T Global Network Connect Client that has integrated VPN management. While this client is proprietary, I think the proprietary parts are the way it attempts internet connections, not really the VPN part.
Here are the VPN details reported by the Global Network Client:
Service: Managed VPN - IPSec DualAccess (default)
VPN Server IP address: XXX.XXX.XXX.XXX
VPN Server type: AGN SIG
VPN Key Exchange Security: Diffie-Hellman Group 2
VPN Data Security: ESP,3DES,SHA1
VPN Data Compression: LZS
I can see during VPN connection where the client is verifying a certificate. My guess is if I could find this certificate on the laptop, upload it to my SD card, and register the certificate on the Android, I could set up the connection successfully with an L2TP/IPSec CRT VPN.
Any idea where the client certificate could be found on the laptop?
Any takers?
AFAIK, on most Android smartphones, you can't do it as a user, because there isn't access to the settings that you need.
This has been discussed at length at http://code.google.com/p/android/issues/detail?id=3902
Because it needs a change in the ROM, the only way around it for you is if you're willing to root your phone.
The only exception to this that I'm currently aware of is the Motorola Droid Pro, which has the necessary ROM modifications baked-in. There are a ton of articles around about it as Motorola made a bit of noise about it being the only Android to include support for Cisco IPSec - e.g. http://www.pcworld.com/businesscenter/article/207556/new_droid_pro_security_features_lead_the_way.html