I will guide you in this article through the process of setup of the L2TP/IPSec client in Android 4.0.4 and later versions. The client side setup does not depend on the type of VPN server.
Thanks to the Mikrotik RouterOS, setup for this kind of tunnel is very simple today. Moreover, this tutorial is the client-side part of our IPSec series. We will explain the server side after this mini-series related to client-side configuration.
Today, L2TP/IPSec client is supported out-of-the-box in Android 4.0.4 and later versions. Depending on a vendor of device and OS version, there may be a differences in the implemented versions. It is possible that the instructions listed here are appropriate for the earlier version 2.3.
You can find the following tutorials related to the L2TP/IPSec VPN clients on my blog:
Some screenshot in this article are cut to highlight the important part of the screen.
1) We have to open the icon System Settings. Position may vary between different versions of Android OS and phone models.
2) A new window opens. We will choose the option Wireless & Network. You can now turn on wireless connection, but it is not crucial at this moment.
Find the option More… and choose it. We will open the additional network options.
3) We will choose the option for VPNs. It’s usually named VPN. We will open it.
Most Android devices will ask you here to set first the device protection. That can be PIN, pattern or some other method of user authentication.
4) In the next step, we will choose the option Add VPN Configuration… In case that we have other connections, they will be listed here.
5) The new window will open. We need to fill the descriptive name of our connection. You should name this connection in a user-friendly way, like Contoso VPN.
The VPN type should be L2TP/IPSec PSK. There are other methods. This type uses Pre-Shared Key or PSK as simplest method and it’s widely used in the world.
Server address can be either an IP address or DNS name (as demonstrated in the screenshot). In case you want to use the DNS (a.k.a. FQDN) name, you must register it in your DNS zone. This option allows you to register multiple IP addresses under the same DNS name and to use so-called round-robin access.
That means that we can have two or more independent Internet links and to allow users to establish the VPN over a random link. In the event that one of the links is unavailable due any problem with the ISP, your VPN concentrator is still up and running.
The last option is IPSec pre-shared key. It is related to the IPSec part of the tunnel. We can use either the pre-shared key or certificate. In our case, and in most situations, we will choose the pre-shared key. In which case, the system administrator must provide us with the key. Type the IPSec pre-shared key here.
6) Choose the option Save. This window will close and the new connection will appear in the list.
7) Now is the moment for to turn on wireless connection. You can alternatively use the connection over 3G (GSM) network. However, connection over GSM network may increase your mobile carrier costs. In the roaming, that can be very expensive.
8) Choose the new connection from the list. Touch it and turn it on. As we didn’t entered the username and password so far, the new window will appear prompting for our VPN credentials.
However, for security reasons it’s strongly advised that your password for the VPN connection is not saved. Yes, you will need to type it every time. But hey, this is a small price for greater security.
9) When you enter the password, touch the button Connect and the phone will begin the process of connecting.
10) After a short while (depending on the quality of your Wi-Fi link) we should be connected to the remote network
You should see small key in the notification area. In addition, the status of the connection should be Connected.
11) We can touch the active VPN connection. We will see the parameters in the new window.
We can also disconnect the VPN connection here. This window is not so informative as those in Windows.
Now when you see how easy it is to setup this connection, you should consider replacing those old PPTP VPNs and replacing it with a modern and stronger L2TP/IPSec VPN tunnel.
The most vulnerable part here can be the IPSec pre-shared key, as all users on your system must share the same key. The key should be very complex. However, if you need to share it with other people and give it to them in clear text, then sooner or later the secret key will be leaked. If you’re administering the VPN system, you should configure all of this for your users or customers.
You can consider the idea of additional protection through the certificates, but this is another story to tell. Stay tuned.