F17: How to set up VPN for Android?

Rick Stevens ricks at alldigital.com
Mon Mar 25 22:04:47 UTC 2013

On 03/25/2013 11:47 AM, Bill Davidsen issued this missive:
> sean darcy wrote:
>> On F17 trying to configure Host2Host VPN to use with my galaxy nexus.
>> The Fedora wizard on requires a "remote address". I've tried,
>> which got
>> an error of:
>> racoon: INFO: unsupported PF_KEY message REGISTER
>> I've also tried the internet facing interface.
>> When I tried to connect I get:
>> ERROR: exchange Identity Protection not allowed in any applicable rmconf.
>> What I obviously don't have is the whatever remote address the phone
>> will be
>> assigned.
>> ConnectionType=Host2Host
>> EncryptionMode=auto
>> IKEKey=<inserted in android client>
>> IPsecld=gnexus
>> OnBoot=True
>> RemoteIPAddress= ?????
>> Can I set up the Fedora VPN for a "road warrior"?
>> sean
> There is no "the Fedora VPN" for starters, both openswan and openvpn are
> available. I don't know what the setup menu in Network Manager uses,
> probably openswan, but I'm guessing.
> For what it's worth, I've had good results with openvpn, setup is to
> some extent manual, but it works, and doesn't seem to ask questions you
> can't answer. And you can set it up for road warrior operation from a
> linux machine, have not looked at what the VPN setup on Android phones
> does, so if that's your goal I have no info to share.

We use a Cisco VPN, so I just use my 'Droid as a mobile hotspot (or a
tethered modem), then use vpnc to open a VPN off our VPN gateway and it
works fine. I prefer the tethered mechanism for security reasons.

Note that it also works using my Verizon 4G hotspot doo-dad in wifi
mode. I haven't tried it in bluetooth or tethered mode yet because
every time I dig it out, it's because others in my group need access
as well so I have to share--usually preceeded with my grumbling "Get
your own, dammit! This is expensive!" :-)

Here's my expurgated /etc/vpnc/default.conf file:

	# VPN Setup...
	# Don't timeout...keep going
	DPD idle timeout (our side) 0
	# Force Cisco UDP NAT mode (for idiot routers that use MTUs
	# <1500 bytes...may not be necessary at all times)...
	#NAT Traversal Mode cisco-udp
	IPSec gateway <MY-VPN-GATEWAY>

I normally connect to the wifi hotspot off the 'Droid or 4G access
point, then run "vpnc" and off we go.

- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-   Never test for an error condition you don't know how to handle.  -

More information about the users mailing list