- Basics
- The Knox Ecosystem
- White Paper
- Samsung Knox Portal
- Knox Cloud Services
- General Knox Support
- Knox Licenses
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Device management
- Accept or reject devices
- Upload devices
- Delete devices
- Complete device management
- Send notifications
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
This article answers some of the basic questions you may have when trying to use VPNs with Knox.
What VPN encryption does Knox use?
Knox provides a comprehensive IPSec-based VPN solution for the most demanding enterprise requirements. Triple DES (56/168-bit), AES (128/256-bit) encryption with MD5 or SHA.
Can I configure VPN without a VPN client?
No. If you have a Knox Workspace license, download the Knox VPN Client before attempting to configure VPN.
Does the Knox VPN Framework call my service on device restart?
1. Does the Knox VPN framework call our VPN service on every device restart?
A: Yes
2. Can we expect a startConnection call from the Knox VPN framework on device restart even though we did not call the activate profile API?
A: Yes
3. When is the stopConnection called from the Knox VPN framework?
A: Few of the scenarios include:
- When admin calls deactivate profile
- When admin removes all the packages from the VPN profile
Should the VPN client be installed inside or outside the Knox container?
The VPN client can be installed inside and/or outside of the Knox container. If you have two containers created on your device, you can install the VPN client outside the Knox container so that it is available to both containers. On the other hand, if the VPN client is installed inside one container, the VPN client is not available to the other container.
How do I enable Dead Peer Detection (DPD) for VPN?
The Dead Peer Detection (DPD) feature is supported by the VPN gateway. The VPN connection is terminated automatically by DPD ACK from the gateway when no data is communicated through the VPN.
If the Mocana KeyVPN Client is being used, then DPD can be set by going to Advanced Settings >Enable > Dead Peer Detection.
How do I troubleshoot VPN configuration issues?
- After pushing the Knox VPN client via Samsung SDS IAM & EMM, verify that it appears on both the personal space and on the Knox container on users' devices.
- Verify that your VPN credentials are correct by manually setting up VPN in the personal space.
- Verify that you can connect to the Knox VPN gateway.
- If you can't connect to the Knox VPN gateway and:
- you are connected to a firewall, change your access point and try again.
- you aren't connected to a firewall, try to connect to any website using the device browser. If you can't access any of the websites, contact Samsung Knox Support.
- If the issue persists, capture log files and contact Samsung Knox Support.
Does the Samsung Knox platform support VPN chaining?
Yes, the Samsung Knox platform supports VPN chaining. However, the built-in Android VPN management for the Knox client doesn't support VPN chaining. VPN chaining on Samsung Knox devices requires a VPN client that has integrated with the Knox VPN framework, and an EMM that configures the VPN profile using the Samsung Knox SDK. Both the inner and outer VPN profiles need to be configured in specific ways for dual tunneling to work. Third-party VPN vendors with this integration are able to support VPN chaining.
After the Android 12 update, what VPN types are supported in the Knox platform?
The Knox platform only supports IPsec/IKEv2.
