Understanding and using Knox VPNs

This article answers some of the basic questions you may have when trying to use VPNs with Knox.

What VPN encryption does Knox use?

Knox provides a comprehensive IPsec-based VPN solution for the most demanding enterprise requirements. It supports Triple DES (56/168-bit) and AES (128/256-bit) encryption with MD5 or SHA.

Can I configure VPN without a VPN client?

No. If you have a Knox Workspace license, download the Knox VPN Client before attempting to configure VPN.

Does the Knox VPN Framework call my service on device restart?

1. Does the Knox VPN framework call our VPN service on every device restart?
A: Yes

2. Can we expect a startConnection call from the Knox VPN framework on device restart even though we did not call the activate profile API?
A: Yes

3. When is the stopConnection called from the Knox VPN framework?
A: Some of the scenarios include:
- When admin calls deactivate profile
- When admin removes all the packages from the VPN profile

Should the VPN client be installed inside or outside the Knox container?

The VPN client can be installed inside and/or outside of the Knox container. If you have two containers created on your device, you can install the VPN client outside the Knox container so that it is available to both containers. On the other hand, if the VPN client is installed inside one container, the VPN client is not available to the other container.

How do I enable Dead Peer Detection (DPD) for VPN?

The Dead Peer Detection (DPD) feature is supported by the VPN gateway. The VPN connection is terminated automatically by DPD ACK from the gateway when no data is communicated through the VPN.

If the Mocana KeyVPN Client is being used, DPD can be set by going to Advanced Settings > Enable > Dead Peer Detection.

How do I troubleshoot VPN configuration issues?

  1. After pushing the Knox VPN client via Samsung SDS IAM & EMM, verify that it appears in both the personal space and the Knox container on users' devices.
  2. Verify that your VPN credentials are correct by manually setting up VPN in the personal space.
  3. Verify that you can connect to the Knox VPN gateway.
  4. If you can't connect to the Knox VPN gateway and:
    • you are connected to a firewall, change your access point and try again.
    • you aren't connected to a firewall, try to connect to any website using the device browser. If you can't access any of the websites, contact Samsung Knox Support.
  5. If the issue persists, capture log files and contact Samsung Knox Support.

Does the Samsung Knox platform support VPN chaining?

Yes, the Samsung Knox platform supports VPN chaining. However, the built-in Android VPN management for the Knox client doesn't support VPN chaining. VPN chaining on Samsung Knox devices requires a VPN client that has integrated with the Knox VPN framework, and an EMM that configures the VPN profile using the Samsung Knox SDK. Both the inner and outer VPN profiles need to be configured in specific ways for dual tunneling to work. Third-party VPN vendors with this integration are able to support VPN chaining.

After the Android 12 update, what VPN types are supported in the Knox platform?

The Knox platform only supports IPsec/IKEv2.