1

I am trying to find a way to connect Android devices to our VPN box running Windows Server 2008. We managed to configure a couple of Android devices to connect via PPTP. However, I would like to be able to connect using L2TP/IPsec with certificates instead. I've managed to export and apply the Enterprise CA's certificate on the Android phone, but am totally lost on how to issue a machine certificate to the Android phone. Is it even possible? If so, what are the steps I should take to issue the machine certificate and enable the Android phone to connect via L2TP/IPsec with certificates? Thank you for your help!

John Hendrix

5 Answers

1

To my knowledge there is no Android support for SCEP or NDES enrollment... we need to have a way to open enroll these devices through an application, but none exist to date. To my knowledge, Android only supports the certificates to be installed from the SD card. It is odd to me that iPhone supports NDES but Android does not.

sonny
1

Google has this link posted about how to install certificates. On a Nexus running Jelly Bean, I used the instructions at the link below to generate the certificates and install them using adb. These instructions worked well for me to get the certs installed and test a VPN connection to a Linux server running strongSwan 5.0.

http://support.google.com/android/bin/answer.py?hl=en&answer=1649774

dudebrobro
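
The workaround the answers above point to (no on-device SCEP/NDES enrollment, so the key pair and certificate are created elsewhere and installed from a file), shown with OpenSSL as an added example that is not from any poster. The throwaway test CA stands in for the Enterprise CA, and the subject name, file names and password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: enroll off-device, then carry the result to the phone as one file.
# Every name, subject and password below is a constructed placeholder.
set -eu
umask 077   # key material readable by the current user only

make_test_ca() {     # stand-in for the Enterprise CA (assumption for this demo)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_client_csr() {  # key pair + CSR made on a trusted workstation, not on the phone
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=android-phone-01" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

sign_client_csr() {  # short-lived end-entity cert restricted to client authentication
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' > "$1/client.ext" &&
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/client.ext" -out "$1/client.crt" 2>/dev/null
}

bundle_p12() {       # password-protected PKCS#12: private key, client cert, CA cert
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -certfile "$1/ca.crt" -name "android-phone-01" \
    -passout "pass:$2" -out "$1/client.p12" &&
  rm -f "$1/client.key"   # no unencrypted copy of the key left behind
}

check_bundle() {     # chain verifies, EKU is clientAuth, bundle opens with the password
  openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null &&
  openssl x509 -in "$1/client.crt" -noout -text |
    grep -q "TLS Web Client Authentication" &&
  openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nokeys >/dev/null 2>&1
}

enroll_offline() {   # $1 = working directory, $2 = PKCS#12 password
  make_test_ca "$1" && make_client_csr "$1" && sign_client_csr "$1" &&
  bundle_p12 "$1" "$2" && check_bundle "$1" "$2"
}

workdir=$(mktemp -d)   # constructed scratch directory
enroll_offline "$workdir" "constructed-password" &&
  echo "PKCS#12 ready: $workdir/client.p12"
```

The resulting `client.p12` is the file to copy to the phone's storage and install. With a real Enterprise CA, only `client.csr` leaves the workstation and the CA's signed certificate takes the place of the `sign_client_csr` step.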
0

Looks like the Android implementation of L2TP certificate auth may not be compatible with most L2TP/IPsec VPNs: http://www.astaro.org/astaro-gateway-products/vpn-site-site-remote-access/35861-asg-doesnt-work-android-l2tp-ipsec-certificates-remote-vpn.html

You may have to resort to PSK, ech. Let us know if you make headway!

Bret Fisher
0

Posted the same question on Microsoft TechNet and received a suggestion on trying to enroll the Android device using Windows 2008's Network Device Enrollment Service. Unfortunately, I am unaware of any device administration software on Android that will allow me to create an RSA public/private key pair and submit it for an enrollment request to my CA. Any suggestions, or is this a dead end? I am testing this on an HTC EVO 4G, Android 2.2.

0

I've managed to get certificates onto an Android running FroYo by emailing the cert to an address the phone can access. Opening the attached certificate from the mail client resulted in installation.

Unfortunately, Android FroYo doesn't properly support Cisco VPN, so I didn't get a successful test, however - but the certs certainly appeared to be there.

dunxd