NCP Secure VPN Enterprise Client for Android
Universal Centrally Administered VPN Client for Android 4.x

Features:

Secure

Rely on high-quality IT security software made in Germany

• IPv6 supported dynamic personal firewall
• data encryption
• strong authentication
• multi-certificate support
• parameter locks
• FIPS Inside
• automatic adaption of firewall rules

Efficient

Mindful of one of the biggest challenges organizations face – cost savings

• Budget Manager for full cost control
• support for 3G/4G hardware (LTE)
• Custom Branding Option
• Central Management

Ease of use

Reduced IT complexity

• a single and easy-to-use user interface (one click) for the connection setup
• integrated support for 3G/4G hardware
• a reliable, uninterrupted VPN connection
• automatic, location-aware adaption of firewall rules through the NCP VPN Client
• automatic media recognition
• seamless Roaming
• easy domain registration

Mobile

The best mobile device user experience

• Working without dropped connections or interruptions even when switching between networks, i.e. seamless roaming
• auto-connect to your corporate network
• reliable and uninterrupted VPN connections
• quick and secure hotspot logon
• Remote Access even behind firewalls, whose port settings typically deny IPsec based communication, i.e. NCP Path Finder® Technology

Technical Data:

Secure VPN Enterprise Client for Android: Technical Data
Operating System	Android 4.0 and above
Central Management	Distribution of VPN configurations and certificates from the NCP Secure Enterprise Management
Standards	Support of all Internet Society IPsec Standards
Virtual Private Networking	IPsec (Layer 3 Tunneling), RFC conformant; IPsec proposals can be determined by the IPsec Gateway (IKE, IPsec Phase 2); Event log; Communication only in tunnel; MTU Size Fragmentation und Reassembly; DPD; NAT-Traversal (NAT-T); IPsec Tunnel Mode
Encryption	Symmetric processes: AES 128,192,256 bits; Blowfish 128,448 bits; Triple DES 112,168 bits; Dynamic processes for key exchange: RSA to 2048 bits; Seamless Rekeying (PFS); Hash Algorithms: SHA-256, SHA-384, SHA-512, MD5, DH Groups 1, 2, 5, 14-18
FIPS Inside	The NCP Secure Android Client uses an embedded FIPS 140-2-validated cryptographic module (Certificate #1747) running on an Android platform per FIPS 140-2 Implementation Guidance section G.5 guidelines. FIPS conformance will always be maintained when any of the following algorithms are used for establishment and encryption of the IPsec connection: Diffie Hellman Group: Group 2 or higher (DH starting from a length of 1024 bits) Hash Algorithms: SHA1, SHA 256, SHA 384 or SHA 512 bits Encryption Algorithms: AES with 128, 192 or 256 bits or Triple DES
Authentication Processes	IKEv1 (Aggressive und Main Mode), Quick Mode; XAUTH for extended user authentication; IKE Config Mode for the dynamic assignment of a virtual address from an internal pool (private IP) ; PFS IKEv2 Pre-Shared Secrets
Strong Authentication	PKCS#12 Interface for using User (Soft) Certificates Multi Certificate configuration One-Time Passwords and Challenge Response System; RSA SecurID Ready
Network Protocol	IP
Auto Reconnect	A connection is automatically established if the Internet connection has been interrupted or the communication medium has changed from WiFi to mobile data transmission. Configurable connection mode (always, manual)
VPN Path Finder	NCP VPN Path Finder Technology, Fallback IPsec /HTTPS (Port 443) when port 500 or UDP encapsulation can not be used (prerequisite: NCP VPN Path Finder Technology required at the VPN Gateway
IP Address Assignment	DHCP (Dynamic Host Control Protocol); DNS: central VPN gateway selection using public IP address allocated by querying a DNS server
Line Management	DPD (Dead Peer Detection) with configurable polling interval; Short Hold Mode; WLANRoaming (Handover); Timeout
Data Compression	IPCOMP (lzs), Deflate
Other Features	UDP encapsulation Import function supporting file formats:*.ini, *.pcf, *.wgx und *.spd
Internet Society RFCs and drafts	RFC 2401 –2409 (IPsec), RFC 3947 (NAT-T negotiations), RFC 3948 (UDP encapsulation), IP Security Architecture, ESP, ISAKMP/Oakley, IKE, XAUTH, IKECFG, DPD, NAT Traversal (NATT), UDP encapsulation, IPCOMP
Client Monitor Intuitive GUI	English; Connection control and management, connection statistics, log files; trace tool for error diagnosis; traffic light icon indicates connection status

Comparison:

Technical Features	VPN Client	Premium	Enterprise
Operating System
Operating System
Central Management	–	–
Security Features
Security Features
Virtual Private Networking
Encryption
FIPS Inside	–
Authentication Process
PKCS#12 Interface for private key in soft certificates Multi Certificate configuration
IKEv2	–
Pre-Shared Secrets
Strong Authentication
PKCS#12 Interface for private key in soft certificates Multi Certificate configuration	–
One-Time Passwords and Challenge Response System; RSA SecurID Ready
Networking Features
Network Protocol
Auto Reconnect	–
VPN Path Finder	–
IP Address Assignment
Line Management
Data Compression
Other Features
UDP encapsulation
import function supporting file formats:*.ini, *.pcf, *.wgx und *.spd			–
Internet Society RFCs and Drafts
Internet Society RFCs and Drafts
Client Monitor
Intuitive GUI

Android Devices and NCP Solutions:

Universal VPN Clients for companies of all scales for Android Tablets and Smartphones

Do you own a mobile end device running on the Android 4.x operating system? Would you like to use it to securely access data on the company network via VPN? If your answer to both questions is "yes", NCP developed the perfect software for you: the NCP Secure VPN Clients for Android.

The following VPN clients for Android end-devices are available:

NCP managed Android Clients
	NCP Secure Enterprise Android VPN Client	NCP Secure Android Client Volume Edition	NCP Secure VPN Clients for Android
How to buy	specialist retailer / invoice	specialist retailer / invoice	Google Play / credit card
License Management	Yes	Yes	No
Configuration Management	Yes	No	No
Certificate Management	Yes	No	No
Multi-Tenancy	Yes	Yes	No
User	About 50 ot more	About 5 -50	Workstation
Management-Tool	Secure Enterprise Management	Volume License Server	No Tool

Managed Android VPN Clients

NCP's Secure Enterprise Android Client is part of the NCP Enterprise series and can be comfortably managed with NCP's Secure Enterprise Management. The client allows comfortable and highly secure remote access to the company network and it is compatible to IPsec gateways of various producers.

NCP's Volume License Server (VLS) is an additional tool for the Android VPN Client Volume Edition which is available for 5 + User. This tool simplifies license management.

NCP VPN Clients on Google Play

The VPN Clients NCP Secure VPN Client for Android and NCP Secure VPN Client Premium for Android are available on Google Play. The two IPsec VPN clients have been designed for private use or use in small scale environments containing only a small number of Android Smartphones or Tablet PCs. They are also compatible to all major IPsec VPN Gateways. Further information on NCP Google Play Store VPN Clients.

FAQs:

Can I import configuration files?

Yes, you can directly import configuration files (*.pcf, *.spd, *.wgx, *.ini) from other manufacturers or files (*.ini) exported by the NCP configuration exporter.

You further have the option to import the configuration file "ncpphone.cfg". Please note that this configuration file only contains the VPN profile for the communication medium LAN.

Please copy the file "ncpphone.cfg" to the "\NCP\Import" directory on the internal or external SD card of the Android phone. In Windows Clients this file is usually located in "C:\Program Files (x86)\NCP\Secure Client\". You can now import the configuration data from that file into the Android Client via the "Import / Export" option. If the file is located in the correct directory, the system displays the entry "ncpphone.cfg" and next to it a box which can be checked. Check this box and then press the "Back" button to leave the menu. With that, the configuration data has been imported correctly and a connection can be established.

How do I import a certificate?

Currently support is provided for a certificate stored in a PKCS#12 file located on the Android phone's internal or external SD card in the "\NCP\Import" directory.

Import the certificate into the Android Client using the "Import / Export" option (menu - Import / Export); select either "Import User Certificates" or "Import CA Certificates" dependent on the type of certificate being imported.

Finally, select the certificate as "Certificate" in the Profile settings.

What does the error message:
"Ike: NOTIFY : x : RECEIVED : NO_PROPOSAL_CHOSEN : 14" mean?

This error message means that the IPsec Phase 2 encryption settings are incorrect. Currently the Client only supports a limited list of proposals. If the VPN server requires a type of encryption not in that list, this error message will be generated when the Client attempts to establish a connection to the server. The facility to fully configure the settings will be implemented in the next version of the Client. In the interim, a workaround is to create the correct configuration ("ncpphone.cfg", see above) on a Windows Client and import that into the Android Client.

Is there an NCP Secure Client for Android versions earlier than V4.0?

Manufacturer dependent restrictions mean that, on Android versions earlier than V4.0, the NCP VPN Client can not be sourced from the Android Market and then installed in the normal way. To circumvent this problem, NCP has developed an NCP Secure Client that requires either a "rooted" device or a specially adapted Android kernel. NCP only supplies this product to hardware manufacturers or system integrators or for major projects.

Where do I store the Cisco parameters "Group Password" and "Group ID"?

Save the "Group Password" parameter as the "Pre-shared Key" in the NCP Android Client. Also, with connections to Cisco servers, "Exchange Mode" is then usually set to "Aggressive Mode".

Save the "Group ID" parameter as the "IKE ID", and then set the "IKE ID Type" to "Free string used to identify groups".

Does Google Play accept other methods of payment apart from credit cards or is there another ordering process?

Google Play only accepts credit cards. However, both NCP Enterprise Versions for Android operating systems are available through our reseller and partner.

How does the configurable connection mode of the Premium Client work?

The VPN tunnel always starts automatically without interaction with the user. If connection setup fails, the client tries to establish a connection every 20 seconds. In order to permanently disconnect the tunnel, the user should select a different profile, which has been configured for the manual connection mode. Please note that after cold booting the device, the user has to manually initiate the first VPN connection setup.

NCP's Secure VPN Client Premium automatically reconnects a VPN tunnel (auto-reconnect: default setting) if a connection has been interrupted or the communication medium has been changed (3G/WiFi). Under certain circumstances, however, for example with bad 3G reception, it might happen that the VPN reconnect fails and the connection remains disconnected. Users who wish a permanent VPN connection can counter this by setting the communication mode to "always". With that setting an established VPN connection will only be permanently disconnected if the user selects a different VPN profile.

Why does NCP's Secure VPN Client not work on my Android 4.x system?

NCP's Secure VPN Client requires a VPN-API, which has to be installed on the Android 4.x operating system. If the system displays an error message after installation of the client, please contact the manufacturer of your device or install the latest systems software or Android version; you will find both on the manufacturer's support websites.

Documentation:

Download the NCP Secure VPN Enterprise Client for Android Datasheet (PDF).