strongSwan VPN Client APK
2.5.4
The official Android version of the widely-used strongSwan VPN solution.
# FEATURES AND LIMITATIONS #
* Utilizes the VpnService API available on Android 4 and above. Some device manufacturers may not support this, which means the strongSwan VPN Client may not function on those devices!
* Implements the IKEv2 key exchange protocol (note that IKEv1 is *not* available)
* Employs IPsec for data transmission (L2TP is *not* available)
* Fully supports dynamic connectivity and mobility through MOBIKE (or reauthentication)
* Offers username/password EAP authentication options (including EAP-MSCHAPv2, EAP-MD5, and EAP-GTC), as well as RSA/ECDSA private key/certificate authentication. EAP-TLS with client certificates is also included
* Allows combined RSA/ECDSA and EAP authentication through two authentication rounds as specified in RFC 4739
* VPN server certificates are validated against CA certificates that are either pre-installed or added by the user. Users can also import CA or server certificates directly into the app for server authentication
* Supports IKEv2 fragmentation if the VPN server is compatible (strongSwan has supported this since version 5.2.1)
* Split-tunneling enables the routing of only specific traffic through the VPN while excluding other traffic
* Per-app VPN functionality restricts the VPN connection to designated apps or allows certain apps to bypass it
* The IPsec implementation currently supports the AES-CBC, AES-GCM, ChaCha20/Poly1305, and SHA1/SHA2 algorithms
* Passwords are stored in cleartext within the database (only when saved with a profile)
* VPN profiles can be imported from files
* Supports managed configurations through enterprise mobility management (EMM)
You can find the details and changelog in our documentation: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html
# PERMISSIONS #
* READ_EXTERNAL_STORAGE: This permission enables the import of VPN profiles and CA certificates from external storage on certain Android versions.
* QUERY_ALL_PACKAGES: Necessary for Android 11 and above to choose apps to include or exclude in VPN profiles, as well as for the optional EAP-TNC use case.
# EXAMPLE SERVER CONFIGURATION #
For example server configurations, please refer to our documentation: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html#_server_configuration
Keep in mind that the hostname (or IP address) specified in the VPN profile within the app *must* be included in the server certificate as a subjectAltName extension.
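The subjectAltName requirement above can be checked before a certificate is deployed. The script below is an added example, not part of the strongSwan project or its documentation: it assumes OpenSSL 1.1.1 or later, compares entries exactly (no wildcards, no IPv6 normalisation), and uses the placeholder name vpn.example.org, the documentation address 192.0.2.10 and a hypothetical helper make_demo_cert to build throwaway certificates. The CN-only certificate shows that a matching CN alone does not satisfy the requirement.

```shell
#!/bin/sh
# Added example: does a server certificate carry the profile's hostname or
# IPv4 address as a subjectAltName (SAN) entry?
# Assumptions: OpenSSL 1.1.1+; exact, case-insensitive comparison only
# (no wildcard handling, no IPv6 normalisation, no fallback to the CN).

# Print one SAN entry per line, e.g. "DNS:vpn.example.org".
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed '1d' | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit 0 if HOST ($2) is listed as a DNS or IP SAN entry in CERT ($1).
san_has_host() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    san_entries "$1" | tr '[:upper:]' '[:lower:]' |
        grep -qxF -e "dns:$want" -e "ip address:$want"
}

# Hypothetical helper: throwaway self-signed certificate for the demo.
# $1 = output PEM, $2 = SAN value (empty for a CN-only certificate).
make_demo_cert() {
    ext=${2:+subjectAltName=$2}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.org" -keyout "$1.key" -out "$1" \
        ${ext:+-addext "$ext"} 2>/dev/null
}

# Demo on constructed certificates (not real server certificates).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo_cert "$tmp/good.pem" "DNS:vpn.example.org,IP:192.0.2.10"
make_demo_cert "$tmp/cn-only.pem" ""
for name in good cn-only; do
    if san_has_host "$tmp/$name.pem" vpn.example.org; then
        echo "$name: hostname present in subjectAltName"
    else
        echo "$name: hostname missing from subjectAltName"
    fi
done
```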
# FEEDBACK #
We welcome bug reports and feature requests on GitHub: https://github.com/strongswan/strongswan/issues/new/choose. When submitting, please provide details about your device, including the manufacturer, model, and OS version.
You can also send the log file generated by the key exchange service directly from the application.
FAQ
Q: What key exchange protocol does the strongSwan Android VPN Client support?
A: The strongSwan Android VPN Client supports the IKEv2 key exchange protocol. Note that IKEv1 is not available.
Q: What data transmission protocol does the strongSwan Android VPN Client use?
A: The strongSwan Android VPN Client uses IPsec for data transmission. L2TP is not supported.
Q: Does the strongSwan Android VPN Client support dynamic connectivity and mobility?
A: Yes, the strongSwan Android VPN Client fully supports dynamic connectivity and mobility through MOBIKE (or reauthentication).
Version History
v2.5.4 - 17 Mar 2025
An easy to use IKEv2/IPsec-based VPN client.
# 2.5.4 #
- Fix issues when reestablishing the connection
# 2.5.3 #
- Add support for distributing passwords in managed profiles
- Add support for importing profile files with passwords
- Fix crash when editing password of managed profiles
- Fix crash when re-importing an already existing profile