As of 2016/2017 have moved to strongswan as it supports ikev2 for the IPv6 in IP tunnel.
Firstly, need some certificates.
Because android is to be considered proprietary it can be considered reasonable to use tricks for interoperability with the builtin vpn client.
For the strongswan app, after importing the .p12 file, newer releases of Android may generate constant your connection may be monitored errors, while there is anything in the user certificate store, making it functionally useless. 😕
To deal with this, import the gateway certificates directly into strongswan, and clear them from the "user" certificate store in Android.
The inbuilt VPN client doesn't have a dedicated certificate library, so it is further necessary, to use the same certificate for both ends of connection to vpn server "gate".
This does mean the phone "knows" the server private key, though as it is expected to be possible to use independent server keys for each tunnel, a compromised phone is expected to not facilitate interception of another tunnel.
All the examples can go in the file together, so method can be switched in the event a phone update breaks a method.
First, example for is l2tp, requires an l2tpd setup as well
Example for xauth
Example for hybrid
Example for strongswan app with ikev2, in this case done normally with the certificates. The strongswan app supports tunnelling ipv6 and ipv4 together in ipv4 at the small expense of a security warning.
Contains at least an instructions to use files found in
/etc/ipsec.d/private/ regardless of the key is a power moduli (RSA) or elliptic curve type.
And add some preshared keys as hybrid or xauth modes requires it, though certs are preferred as the main protection
Configured strongswan to allocate inner ipv4 address from a server, especially if using public ip as we do not have very many of those!
Add a file /etc/strongswan.d/charon/example.conf named after oneself
It needs the interface directed at, or on which the dhcp server is serving addresses, and the ipv4 subnet, broadcast address, though 255.255.255.255 and multicast addresses found to not work
Also needed is an iptables rules, to calc udp checksum where isc dhcpd and strongswan are on the same pc, which dhcpd ignores when it sees 0xBADD