VPN Client for Android

Unanswered Question
Apr 9th, 2010

Hi!

We have got a couple of mobile phones with Android OS in our company.

We need a proper IPSEC VPN client for these Android phones, but cannot find any.

There are some IPSEC VPN clients on the market, but to use these you have to root the phone.

We have an ASA 5520 that works great with the Cisco AnyConnect client on Windows PCs.

Will Cisco release a VPN client, like AnyConnect, that is compatible with Android?

Best Regards

Stefan

Jennifer Halim Fri, 04/09/2010 - 01:13

Not anytime soon. You might want to contact your cisco account rep. for the feature request.

sjweinstein Tue, 07/06/2010 - 15:38

Now that Cisco has an Android based tablet will they update the VPN client code?  The iPhone integrated client works fine with ASA but not the one provided with Android phones.  We have a number of Android phones and are looking at Android tablets, without a VPN client they are not practical for most corps.

jhubel@midwave Wed, 09/01/2010 - 10:22

Stefan -

According to this TechWorld news article, AnyConnect support for Android will be coming by the end of 2010.  I think there are plenty of people waiting for it, myself included.  Cisco must have it almost ready because they've marketed their Android-wielding Cius tablet as having AnyConnect on it and the unit is supposed to begin shipping soon.

http://www.techworld.com.au/article/338085/cebit_cisco_develops_vpn_client_pcs_smartphones

Jeff

don.click1 Tue, 11/23/2010 - 14:17

It's been a few months, but wanted to share that the Cisco Collaboration User group is showing a beta is available.

edraven88 Wed, 11/24/2010 - 13:33

What's the exact link to the beta discussion? I'm not finding it in search.

ice_nicolas Mon, 11/29/2010 - 03:35

Hi guys...any news on the new vpn client for android? I'm so waiting for this app to be released...and has anyone managed to try the beta?

ice_nicolas Thu, 12/02/2010 - 03:59

There will be a closed beta program that should launch in mid-December...to register for the program you must register at Cisco Community Central and join the Cisco Collaboration User Group.

Although it is said that membership is free, you actually have to be an employee or work for a company that is already a Cisco customer or partner, and you must subscribe with the company's email and not your personal one. In my opinion this isn't much of a deal since it would be more efficient releasing closed betas to freelance betatesters as well, in order to increase overall feedback.

strangeroad Fri, 12/10/2010 - 08:40

We're all talking about two very different applications. There is currently no beta for any kind of Cisco VPN client for Android. The beta available in the Collaboration Group is for Cisco Mobile 8.5 for Android, which is nothing more than a telephony application that requires corporate Wi-Fi access to function.

Sorry. I'm salivating for a VPN client as well.

-Mike

ice_nicolas Fri, 01/14/2011 - 09:22

Hello Mike, sorry to bother you (or everyone else on this thread) insisting on this matter further, but I just don't understand quite yet where Cisco is heading.

What do I mean?

Well...there's this Cisco Cius device (tablet) that keeps me wondering why isn't Cisco going for android support on vpnclient software...

The Cius should be released sometime this spring. Here are the specs of the device:

Applications Capabilities:

  • 802.11a/b/g/n Wi-Fi, 3G/4G data and Bluetooth 3.0 help employees stay connected on and off-campus.
  • HD video (720p) with Cisco TelePresence solution interoperability for lifelike video communication with the simplicity of a phone call
  • Virtual desktop client enables highly secure access to cloud-based business applications
  • Android operating system, with access to Android marketplace applications
  • Collaboration applications including Cisco Quad, Presence, IM and integrated, one-click access to WebEx Meeting Center

Tablet Highlights:

  • 7” diagonal, high-resolution color screen with contact-based touch targets delivers an elegant, intuitive experience
  • HD media station supports Bluetooth and USB peripherals, 10/100/1000 wired connectivity and a handset option
  • Detachable and serviceable 8-hour battery for a full day of work
  • Highly secure remote connections with Cisco AnyConnect Secure Mobility Client
  • HD audio with wideband support (tablet, HD media station)

Now the main two specs that interest me are (obviously):

- 802.11a/b/g/n Wi-Fi, 3G/4G data and Bluetooth 3.0 help employees stay connected on and off-campus.

- Android operating system, with access to Android marketplace applications


And my final question/s:

Will I be able to access Internet through a wifi spot based on Cisco Systems servers, using a Cisco Cius? (seems a stupid question, I know) ...And if so, hence the fact that the two specs I last mentioned are available on the 99.9% of the smartphones that run on Android OS, why couldn't these Android devices do the same just as well?

Thank you for your patience,

Nicholas.

jldieckmann Tue, 01/18/2011 - 08:18

Word is, an AnyConnect client is supposed to be available this month for the Android platform.  I'm anxiously awaiting it as well, since I dumped WinMo months ago for a Droid X.  Once I can get the VPN client and a stable, usable RDP and VNC app, I'll be able to be on-call during weekends w/o having to cart my laptop everywhere.  Oh the possibilities!

CiscoMotive Fri, 01/21/2011 - 06:59

Maybe you knew that already, but it is possible to make the remote access VPN between an Android device and a Cisco ASA using L2TP/IPSec. Authentication needs to be certificate based though, no PSKs here. I just finished my configuration today, I have a Samsung Galaxy S and ASA 5510. After a couple of weeks of trial and error, it seems to work flawlessly now.

jldieckmann Fri, 01/21/2011 - 07:08

Would you care to enlighten us as to how you did that?  Where did you get the certificate?  Did the ASA generate one and you imported it onto the phone?

CiscoMotive Sat, 01/22/2011 - 02:34

I used OpenSSL for generating the certificates. I guess it is also doable using Windows certificate tools, but I have more experience using OpenSSL, so I found it easier. Basically, it goes like this:

- Create your own CA using OpenSSL.

- Import the CA cert in Cisco ASA.

- Create an identity certificate request in ASA. This certificate will identify the ASA when an IPSec connection is opened.

- Sign the mentioned identity certificate using the CA created in the first step.

- Install the signed identity certificate in ASA, in the same trustpoint as for the CA certificate. At this point, ASA has two certificates: the CA's certificate, and the identity certificate of the ASA itself.

- Create a certificate request for the client (i.e. Android device) using OpenSSL. This certificate must have the same OU as the ASA's identity certificate, because authentication is (partially) based on comparing those two certificates.

- Sign the certificate request using the CA created in the first step.

- Install the certificate in Android device.

I got this working just yesterday, and I have to document it in more detail anyway during the next week. (because I made the configuration as part of my job, not as a hobby or something ). I can then probably share at least relevant part of the document.

bimbalasas Thu, 01/27/2011 - 01:01

Hey Petteri,

are there any updates about the topic?

Currently I'm trying to terminate remote access VPN connection using L2TP / IPSec CRT from Android 2.2 VPN client. All the steps you've mentioned in your previous post regarding certificates were done. But connection fails on the phase 1. It seems that management connection is built, but tunnel isn't associated with any of the tunnel groups. Well, actually, it doesn't even try to associate with any. Connection debug log is attached and now I'm stuck looking at it. IKE is exchanging messages, and I can't identify the problem... I've got no clue at the moment, how to debug it further.

Any ideas and references would be very welcome.

Regards!

PIX-515E, 8.0(4)

CiscoMotive Fri, 01/28/2011 - 06:05


Here is the first part, which is all about certificates.

1    Prerequisites


1.1    OpenSSL
The latest version of the OpenSSL tools can be found on the Shining Light Productions web site: http://www.slproweb.com/products/Win32OpenSSL.html. Download the full version for the correct architecture, together with the Visual C++ 2008 Redistributable package, and install both. Install OpenSSL to a directory without any spaces in the path, e.g. C:\apps\OpenSSL. Select "The Windows system directory" when the installer queries about the installation location for the OpenSSL DLLs. After installation, add the bin directory of OpenSSL to the PATH variable.


1.2    Cisco ASA Software Version
A Cisco ASA SW version 8.3(2).12 is needed. Without the correct version of the software, VPN connections from devices which are not behind a NAT device are unsuccessful. The exact symptom is that IPSec tunnel opens, but L2TP protocol exchange is not initiated correctly, thus leaving the tunnel unusable for such devices. For NATted devices the connections are successful also with standard ASA operating system version. It is probably necessary to have a valid support contract with Cisco to gain this software. Contact Cisco support with valid support ID.

2    Create and Install Certificates


2.1    Create a Certificate Authority


1.    Create a separate directory for CA and all related files, and change to that directory.
md C:\apps\OpenSSL\CA
cd C:\apps\OpenSSL\CA

2.    Create CA key pair. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out CA_key.pem -des3 2048

3.    Create a self-signed certificate for the CA.
openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem

To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 2. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:


Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = Some Unit
Common Name = IamTheCA
Email Address =

4.    Contents of the certificate can be checked as follows. At this point, the CA is ready to start signing certificate requests from clients.
openssl x509 -in CA_crt.pem -noout -text

2.2    Create a Client Certificate Request


1.    Create a key pair for the client. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out client_key.pem -des3 2048

2.    Create a certificate request for a client certificate.
openssl req -new -key client_key.pem -out client_csr.pem

To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 1. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:


Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = IT Support
Common Name = AndroidClient
Email Address =

Note that by default Cisco uses the Organizational Unit field as the name of the VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "IT Support" in ASA. OpenSSL also asks for values for the optional "challenge password" and "company name" fields. Leave these fields blank.


2.3    Sign the Client Certificate Using the CA


1.    To sign the client's certificate request using the CA's key, use the following command:
openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq

The CA's key file password is needed; give the password originally used when creating the CA's key pair. Note that the -CAcreateserial option does not need to be used on successive signings of certificate requests. It's only needed the first time, to initialize the sequence number file.

2.    Contents of the clients certificate can be checked as follows:
openssl x509 -in client_crt.pem -noout -text

3.    Transform the .pem-format certificate to a pkcs#12 file:
openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem

4.    The pkcs#12 file is now ready to be imported to an Android device.

2.4    Import the CA Certificate to Cisco ASA


1.    Log in to Cisco ASA using ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.


2.    Click Add, and in Install from a file -field, browse the CA certificate file created previously. Trustpoint name can be left as the default, or it can be changed to something more descriptive.

3.    Click Install Certificate.

2.5    Create a Server Certificate Request


1.    In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select Add a new identity certificate. There is a bug in ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected compared to what was used for the CA certificate. The certificate will be moved to the same trustpoint manually later.

2.    Select the subject DN fields by clicking Select. Add same values as for the client, except for the Common Name (CN) field. Use e.g. "asagw" there.

3.    Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem".


2.6    Sign the Server Certificate Request Using the CA

1.    To sign the server's certificate request using the CA's key, use the following command:

openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq

The CA's key file password is needed; give the password originally used when creating the CA's key pair.

2.    Contents of the certificate can be checked as follows:

openssl x509 -in server_crt.pem -noout -text

2.7    Install the Server Certificate in Cisco ASA


1.    In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate, and click Install.

2.    Browse for the signed certificate file, and click Install Certificate.

3.    The identity certificate is still in the wrong trustpoint. It must be manually moved to the same trustpoint with the server certificate. Open an SSH or Telnet connection to ASA, and run the command (all commands are expected to be executed in enable and/or configure mode):

sh run crypto

In the output, both trustpoints previously created should be visible, with one certificate each, like in the following:


crypto ca certificate chain OpenSSL_Trustpoint
certificate ca
   
  quit
crypto ca certificate chain Temporary_trustpoint
certificate
   

  quit

4.    Copy the certificate in the temporary trustpoint to the clipboard, starting from the line beginning with the word "certificate" and ending at the line starting with "quit".


5.    Enter the configuration mode (command "conf ter") and modify the real trustpoint (named OpenSSL_Trustpoint in this example):
crypto ca certificate chain OpenSSL_Trustpoint

6.    Paste the certificate copied to the clipboard in step 4. Execute command "exit" to exit trustpoint configuration.


7.    Remove the identity certificate from the temporary trustpoint:
crypto ca certificate chain Temporary_trustpoint
no certificate
exit

8.    Remove the temporary trustpoint:
no crypto ca trustpoint Temporary_trustpoint

9.    At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
crypto ca certificate chain OpenSSL_Trustpoint
certificate
   
  quit
certificate ca
  

   quit

10.    Save config (exit, write memory). Refresh configuration in ASDM, and verify from there also that certificates are under the same trustpoint.
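
As an added example (not code from this thread or from Cisco), the script below runs the OpenSSL steps from the outline in the earlier post and from sections 2.1 to 2.3 above non-interactively, and then checks the one property the ASA side depends on: that the client certificate verifies against the CA and carries the OU that will be used as the tunnel-group name. It assumes only the openssl CLI; the passphrases, the DN values and the RUN_DEMO switch are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): the OpenSSL steps from the
# how-to above, run non-interactively, plus a check that the client
# certificate chains to the CA and carries the OU the ASA will map to a
# tunnel group. Assumes only the openssl CLI; every passphrase and DN value
# here is a constructed placeholder.
set -eu

CA_PASS="${CA_PASS:-change-me-ca}"             # demo passphrase (assumption)
CLIENT_PASS="${CLIENT_PASS:-change-me-client}" # demo passphrase (assumption)
TUNNEL_GROUP="${TUNNEL_GROUP:-IT Support}"     # must equal the ASA tunnel-group name

# Create the CA, the client key/CSR, sign it and bundle it as PKCS#12, all inside $1.
build_pki() {
  mkdir -p "$1"
  (
    cd "$1"
    # CA key pair (password protected) and self-signed CA certificate
    openssl genrsa -out CA_key.pem -des3 -passout "pass:$CA_PASS" 2048 2>/dev/null
    openssl req -new -key CA_key.pem -passin "pass:$CA_PASS" -x509 -days 365 \
      -subj "/C=US/ST=TX/L=Dallas/O=Some Company/OU=Some Unit/CN=IamTheCA" \
      -out CA_crt.pem
    # Client key pair and CSR; the OU is what the ASA uses to pick the tunnel group
    openssl genrsa -out client_key.pem -des3 -passout "pass:$CLIENT_PASS" 2048 2>/dev/null
    openssl req -new -key client_key.pem -passin "pass:$CLIENT_PASS" \
      -subj "/C=US/ST=TX/L=Dallas/O=Some Company/OU=$TUNNEL_GROUP/CN=AndroidClient" \
      -out client_csr.pem
    # Sign the CSR with the CA (-CAcreateserial is only needed the first time)
    openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem \
      -passin "pass:$CA_PASS" -days 365 -CAcreateserial -CAserial CA.seq \
      -out client_crt.pem 2>/dev/null
    # Bundle key, certificate and CA certificate for import on the Android device
    openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem \
      -passin "pass:$CLIENT_PASS" -in client_crt.pem -certfile CA_crt.pem \
      -passout "pass:$CLIENT_PASS"
  )
}

# Print the OU of a certificate's subject (empty if there is none).
cert_ou() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

# Exit 0 only if the client certificate verifies against the CA in $1 and its
# OU equals the tunnel-group name ($2) the ASA is configured with.
check_client_cert() {
  openssl verify -CAfile "$1/CA_crt.pem" "$1/client_crt.pem" >/dev/null 2>&1 || return 1
  [ "$(cert_ou "$1/client_crt.pem")" = "$2" ]
}

# Usage: RUN_DEMO=1 sh android_pki.sh   (builds ./CA and checks it)
if [ "${RUN_DEMO:-0}" = 1 ]; then
  build_pki ./CA
  check_client_cert ./CA "$TUNNEL_GROUP" && echo "client certificate OK for tunnel-group '$TUNNEL_GROUP'"
fi
```

The OU check is worth keeping in a script rather than doing by eye: with the default ASA behaviour described in section 2.2, a client certificate whose OU does not match an existing tunnel group falls through to the default group, and the resulting Phase 1 failure looks like an IKE problem rather than a naming one.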

stevenrp Mon, 02/07/2011 - 12:35

Petteri,

I've followed your instructions and at the ASA, when I try to connect via the Android phone I get:

Failed to retrieve identity certificate

and then...

Removing peer form peer table failed, no match!

I've done this three times and I'm still receiving the above errors. Can you shed any light on this for me?

Thanks,

Rich

CiscoMotive Mon, 02/07/2011 - 23:03

I remember having the same error at some point, but I can't remember what was the reason. Can you post your configuration, I can then check it and maybe I can find something.

daniel.litwin Fri, 01/21/2011 - 07:45

I had a meeting with our Cisco security/voice/sales reps last week, and asked them point-blank about an anyconnect android client.

I was told that yes, in addition to the existing AnyConnect support on the Cius tablet, they are working on a native client for android.  It's in alpha/beta stage, and should be out by June if not sooner.

I'm disappointed that it's taken this long for them to roll one out, but I can be patient a little more.

I did find it interesting that most of the Cisco reps I've seen use Macbooks and iPhones.

-Dan

sjweinstein Thu, 01/27/2011 - 11:51

I asked the same of our Cisco Security POC via our ASE and was told HTC and one other will be the first two.

Jan Nohejl Fri, 02/11/2011 - 08:59

I don't believe that Cisco will have VPN client for Android so soon. The problem is, that it needs TUN support in kernel for creating virtual tun0 interface for vpn connections. IMHO it depends on Google or manufacturers to add support to kernel.

Google natively uses L2TP/IPSec for VPN connections and ASA can also, so you can build a VPN on L2TP. L2TP uses PPP protocol, so the virtual interface is created with PPP support (ppp0 interface)

Thanks to Petteri Heinonen for the guideline. If someone does not want to use certificates, you can use a preshared key in the DefaultRAGroup tunnel group. You can even allow users to connect to specific connection profiles (tunnel groups) instead of the default connection profile (DefaultRAGroup). This allows the client to retrieve AAA and PPP attributes from that specific connection profile rather than the default connection profile. To do this, users send their username as username@groupname.

For more info see link

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/l2tp_ips.html#wp1074591

I have a working configuration, it works perfectly. I don't need the Cisco VPN client anymore.

mj6833 Wed, 02/16/2011 - 11:46

Hi Jan.  Thanks for your post.  I have upgraded an ASA 5540 to 2GB memory and ASA version 8.3.2.13.  I followed the configuration link you posted, but am still striking out getting an Android tablet connected with L2TP/IPSEC.  The ASA DefaultGroup is using RADIUS authentication.  The two primary errors I am seeing are AAA: Authentication Failure (which I have verified is working for typical IPSEC tunnel groups) and Session Terminated: L2TP Initiated.  I have L2TP/IPSEC enabled on the default tunnel group and associated tunnel group policy.  I have a crypto map configured for transport mode.  Any suggestions on what I could be missing here to get this working?  Appreciate any assistance.

Thanks

Mark

CiscoMotive Thu, 02/17/2011 - 00:13

Hi, when using local users I had to enable this: "User authenticated using MSCHAP" for the user.

I also remember that there were some restrictions related to what authentication methods were available for RADIUS and LOCAL users. Maybe MSCHAP is not possible through RADIUS? I propose that you try first with a local user, to see if everything else is ok. The error message about the L2TP initiated session tear down is probably just a result of unsuccessful authentication.

Jan Nohejl Thu, 02/17/2011 - 00:30

Hi, exactly my words!

I tried to use tacacs+ as the authentication server and it works perfectly. Try to use local auth.

The first syslog message is authentication error and the second is disconnect message related to the authentication error.

hoytmann Thu, 03/24/2011 - 08:10

I have set mine up with both via certs and PSK, however I don't seem to be passing the user/pass from the Droid. I've tested via Windows and it works great, but there seems to be an issue with the Droid. Any special settings I may be missing?

Got it working, it was the ASA code, upgraded to 8.4.

Jan Nohejl Tue, 03/29/2011 - 07:13


The problem seems to be in the implementation of the L2TP/IPSec client on the Android phone, which violates RFC 3193 (RFC 3193 says the IKE Phase 2 ID needs to have "specific" port numbers). The Android client negotiates port 0 (meaning any) in IKE phase 2 and later on uses an ephemeral port as the source port for l2tp, which is not correct (it is supposed to negotiate a specific port and use it as the source port for l2tp) based on the RFC. ASA code does not allow this due to the filter rule installed.

For the non-NAT case ASA originally used the port the peer negotiated in IKE phase 2 in its filter rules and defaulted to 1701 if the peer negotiated 0 meaning "any". After the fix, that behavior has changed so now ASA allows any l2tp source port from the peer if the peer negotiated 0.

For the NAT case this issue does not arise because ASA uses the peer's IKE source port to implement its filter rules. It needs to be done this way in order to be able to distinguish between multiple peers behind a NAT device that may be using the same l2tp source port.

The fix mentioned was incorporated in interim CCO release 8.3.2.13 and CCO release 8.4.1.

CiscoMotive Fri, 01/28/2011 - 06:28

And here is the config I am using. Note that some passwords, IPs and certificates have been removed, so this cannot be copy-pasted to an ASA as such.

ASA Version 8.3(2)12
!
hostname asagw
domain-name somedomain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 11.12.13.14 255.255.255.224
!
interface Ethernet0/1
nameif LAN
security-level 10
ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa832-12-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name somedomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-network
subnet 10.0.0.0 255.255.0.0
description LAN network / 16
object network RA-VPN-network
subnet 10.60.0.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool android_vpn_pool 10.60.0.1-10.60.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source static LAN-network LAN-network destination static RA-VPN-network RA-VPN-network
nat (WAN,WAN) source dynamic RA-VPN-network interface
nat (LAN,WAN) source dynamic LAN-network interface
route WAN 0.0.0.0 0.0.0.0 11.12.13.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANSP esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANSP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map WAN_dyn_map 65535 set transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto ca trustpoint OpenSSL_Trustpoint
enrollment terminal
crl configure
crypto ca certificate chain OpenSSL_Trustpoint
certificate
   
  quit
certificate ca
   
  quit
crypto isakmp enable WAN
crypto isakmp policy 20
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 LAN
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 46.183.73.2 source WAN prefer
ntp server 81.22.244.161 source WAN
webvpn
group-policy "IT Support" internal
group-policy "IT Support" attributes
dns-server value 4.5.6.7, 8.9.10.11
vpn-tunnel-protocol IPSec l2tp-ipsec
username androiduser password xxxxxxxx nt-encrypted
username androiduser attributes
service-type remote-access
tunnel-group "IT Support" type remote-access
tunnel-group "IT Support" general-attributes
address-pool android_vpn_pool
default-group-policy "IT Support"
tunnel-group "IT Support" ipsec-attributes
peer-id-validate nocheck
trust-point OpenSSL_Trustpoint
isakmp keepalive disable
tunnel-group "IT Support" ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:01757bd290ed81bbaa7f9bf432e3024c
: end

CiscoMotive Fri, 01/28/2011 - 09:39

As last part, a short checklist about all the locations that need some configuration in ASDM:

Create IPSec Transform sets

Android uses IPSec transport mode, so there need to be transform sets with Transport mode enabled. Configure these transform sets: ESP-AES-128-SHA-TRANSP and ESP-3DES-SHA-TRANSP. See details in the config example above.

Create IKE Policy

A specific IKE Policy is needed. Configure a policy with these values:

Encryption: 3DES

Hash: SHA

Authentication: rsa-sig

D-H Group: 2

Check IKE Parameters

Check that IKE is enabled on WAN interface, and that NAT-T is enabled.

Configure the Crypto MAP

Create a dynamic crypto map with priority 65535. Make sure that NAT-T is enabled on the Advanced tab. Do not enable Perfect Forward Secrecy. If there is a need to connect to this same VPN connection with a pure IPSec (i.e. non-L2TP) client, then some tunnel mode transform sets must be added also. This is beneficial if for example the Shrew VPN client is used for testing the setup.

Add a local user

Make sure to check "User authenticated using MSCHAP" for the user.

Create an address pool

Nothing special here, just create a pool for clients to get addresses from.

Create VPN Group Policy

Under More Options, enable only L2TP/IPSec tunneling protocol. If there is a need to connect with a pure IPSec client (such as Shrew VPN) enable also IPSec. In the Servers, configure DNS Servers to be used by the clients. All other values can be left as "Inherit".

Create IPSec Connection Profile

• Give a descriptive name for the VPN connection. Remember that the connection name must match the OU field in the DN of client certificates.
• Do not configure any Pre-shared key. Instead, select the correct certificate in the Identity Certificate field.
• Select LOCAL as Server Group under User Authentication.
• Select the correct Client Address Pool.
• Select the correct Group Policy, created in the previous section.
• Select Enable L2TP over IPSec protocol. If there is a need to connect with pure IPSec clients as well, enable also IPSec protocol.
• Under Advanced - IPSec, set IKE Peer ID Validation to Do not check.
• Under Advanced - IPSec, set IKE keepalives to Disable keepalives.
• Under Advanced - PPP, select only MS-CHAP-V1, MS-CHAP-V2 and PAP.

Add NAT exempt rules

NAT exempt rules are needed so that traffic between the VPN clients and the internal LAN network is not NATted. This is part of basic remote access configuration, and is not explained in more detail here.
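
The checklist above is easy to get subtly wrong (a transform set left in tunnel mode, MS-CHAP-V2 missing from the ppp-attributes, a tunnel group whose name does not match the certificate OU). As an added example that is not from this thread or from Cisco, the script below lints a saved "show running-config" for those items. It assumes the indented form "show run" prints (sub-commands start with a space) and a POSIX awk, grep and sed; the sample configuration is constructed for the demo and trimmed to the relevant lines, with the names taken from the configuration posted earlier.

```shell
#!/bin/sh
# Added example, not code from the thread: a lint over a saved ASA
# "show running-config" for the items in the ASDM checklist above.
# Assumes the indented form "show run" prints (sub-commands start with a
# space) and that awk, grep and sed are present. The sample config is
# constructed for the demo and trimmed to the relevant lines; its names
# follow the configuration posted earlier in the thread.
set -eu

# Constructed sample of the relevant "sh run" lines after following the thread
SAMPLE_CONFIG='crypto ipsec transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANSP esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANSP mode transport
crypto dynamic-map WAN_dyn_map 65535 set transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto isakmp enable WAN
crypto isakmp policy 20
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
crypto isakmp nat-traversal 3600
group-policy "IT Support" attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group "IT Support" type remote-access
tunnel-group "IT Support" ipsec-attributes
 trust-point OpenSSL_Trustpoint
tunnel-group "IT Support" ppp-attributes
 authentication ms-chap-v2'

write_sample_config() { printf '%s\n' "$SAMPLE_CONFIG" > "$1"; }

# Every transform set referenced by a dynamic crypto map must be "mode transport",
# because the Android L2TP/IPsec client only does transport mode.
dyn_map_sets_are_transport() {  # $1 = config file
  awk '
    /^crypto ipsec transform-set .* mode transport$/ { transport[$4] = 1 }
    /^crypto dynamic-map .* set transform-set / {
      for (i = 1; i <= NF; i++) if ($i == "transform-set") start = i + 1
      for (i = start; i <= NF; i++) { used[$i] = 1; n++ }
    }
    END { if (!n) exit 1; for (s in used) if (!(s in transport)) exit 1; exit 0 }' "$1"
}

# Some ISAKMP policy must carry the checklist values: rsa-sig, 3des, sha, group 2.
isakmp_policy_matches() {  # $1 = config file
  awk '
    function flush(k) {
      if (inpol && ("authentication rsa-sig" in a) && ("encryption 3des" in a) &&
          ("hash sha" in a) && ("group 2" in a)) ok = 1
      for (k in a) delete a[k]
    }
    /^crypto isakmp policy / { flush(); inpol = 1; next }
    /^[^ ]/ { flush(); inpol = 0 }
    inpol { a[$1 " " $2] = 1 }
    END { flush(); exit ok ? 0 : 1 }' "$1"
}

# MS-CHAP-V2 must be enabled under the ppp-attributes of tunnel group $2.
ppp_mschapv2_enabled() {  # $1 = config file, $2 = tunnel-group name
  awk -v tg="$2" '
    /^tunnel-group / { inblk = ($0 == "tunnel-group \"" tg "\" ppp-attributes" ||
                                $0 == "tunnel-group " tg " ppp-attributes"); next }
    /^[^ ]/ { inblk = 0 }
    inblk && /^ *authentication ms-chap-v2$/ { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Print transform sets that still use single DES or MD5 (weak, worth replacing).
weak_transform_sets() {  # $1 = config file
  awk '/^crypto ipsec transform-set / && / esp-(des|md5-hmac)( |$)/ { print $4 }' "$1"
}

# Run every check for tunnel group $2 (must equal the OU in the client
# certificates); print each failure and return the number of failures.
lint_asa_config() {  # $1 = config file, $2 = tunnel-group name
  fails=0
  grep -q '^crypto isakmp enable ' "$1"        || { echo "FAIL: IKE not enabled on any interface"; fails=$((fails+1)); }
  grep -q '^crypto isakmp nat-traversal' "$1"  || { echo "FAIL: NAT-T not enabled"; fails=$((fails+1)); }
  dyn_map_sets_are_transport "$1"              || { echo "FAIL: dynamic map uses a tunnel-mode transform set"; fails=$((fails+1)); }
  isakmp_policy_matches "$1"                   || { echo "FAIL: no ISAKMP policy with rsa-sig/3des/sha/group 2"; fails=$((fails+1)); }
  grep -Eq '^ *vpn-tunnel-protocol .*l2tp-ipsec' "$1" || { echo "FAIL: l2tp-ipsec not allowed in any group policy"; fails=$((fails+1)); }
  grep -Eq "^tunnel-group (\"$2\"|$2) type remote-access" "$1" || { echo "FAIL: no tunnel group '$2' (must match client cert OU)"; fails=$((fails+1)); }
  ppp_mschapv2_enabled "$1" "$2"               || { echo "FAIL: MS-CHAP-V2 not enabled for '$2'"; fails=$((fails+1)); }
  for s in $(weak_transform_sets "$1"); do echo "WARN: transform set $s uses DES or MD5"; done
  return "$fails"
}
```

Typical use is `lint_asa_config saved-show-run.txt "IT Support"` against a copy of the running config taken before and after a change; the weak-transform-set warning is there because a transform set can keep a name that says 3DES while the line itself configures single DES, which the name alone will not reveal.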

MarkoTanaskovic Thu, 04/07/2011 - 03:23

I tried to configure the ASA with 8.2.4 code for operation with Android native IPsec over L2TP, without much success. I will not go into detail, as this has been explained in previous posts by other members. The 8.4.1 code works perfectly, with or without NAT devices in between. The authentication is done through Cisco ACS, using the RADIUS protocol, with downloadable access lists to impose some limitations on different categories of users. I tested with up to 10 Android phones of different vendors ( Dell Streak, Samsung Galaxy, HTC Desire, ... ) at the same time, without problems.


Has anyone implemented this on a Cisco router ( 2821 router running 12.4.24T  code with Advanced IP services featureset ) ?  I am about to test this, so any recommendations are welcome.

patrik.spiess Thu, 04/07/2011 - 03:30

Hi Marko (or others)

I also was able to connect our Androids over L2TP.

But authentication only works with local users. As soon as I reconfigure it to use RADIUS it seems that the ASA does not send a password in the AuthRequest packet and the authentication fails.

Are there any hints, how to do it with RADIUS authentication?

Thanks

Patrik

MarkoTanaskovic Thu, 04/07/2011 - 03:39

This is what happened to me with 8.2.4 code. I ran some AAA debugs of 8.2.4 vs 8.4.1 and clearly saw that 8.2.4 simply stops, and then times out.

I do know what code you are running. No additional hints for AAA. Works both ways for me, locally and over an AAA server.

patrik.spiess Thu, 04/07/2011 - 03:43

Sorry, I forgot to mention that I also run 8.4(1).

So I have to debug it further. Or maybe you could paste an anonymized copy of your AAA config?

but thanks anyway

Patrik

MarkoTanaskovic Thu, 04/07/2011 - 03:59

Hi Patrik,

I would first try the test aaa command to see if the AAA server is responding normally (assuming this is a new installation, of course). If nothing happens, perhaps you are missing authentication methods in the tunnel group config:

tunnel-group DefaultRAGroup general-attributes
...
authentication-server-group RADIUS LOCAL

....

The config for AAA is rudimentary :

SecLabASA# sh run aaa
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL

...

SecLabASA# sh run aaa-server
aaa-server RADIUS protocol radius
aaa-server RADIUS (lab_lan) host A.B.C.D
key 8 ********************

...

If nothing "debugs" :-) it is usually some misconfig on the ASA.

Regards, Marko

patrik.spiess Thu, 04/07/2011 - 06:00

Hi Marko

Thanks for your answers.

It seems I found the reason it doesn't work for me. We use FreeRADIUS as RADIUS server. The authentication Android uses for L2TP seems to be MS-CHAP with challenge/response. And these two are not compatible with each other.

The mentioned article says:

"MS-CHAP works with clear-text passwords, or with NT-Passwords. Nothing else."

So, the ASA seems not to be the root cause.

regards

Patrik
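What that FreeRADIUS rule means in practice, as an added example that is not from the original posts: in the MS-CHAPv2 exchange the phone runs inside PPP, the client only sends a challenge response, and the server has to recompute that response itself from the NT hash (MD4 of the UTF-16LE password). A salted crypt or SHA digest cannot be turned back into an NT hash, so a user whose only stored credential is such a hash can never pass MS-CHAP, although the same user passes PAP. The user names, password, paths and shared secret below are constructed; the NT hash shown is the one for the literal password "password".

```text
# --- Added example (not from the original posts); names, password and paths are constructed.

# FreeRADIUS 2.x "users" file (raddb/users). The mschap module can authenticate
# the first two entries because it can derive or read the NT hash...
android1    Cleartext-Password := "password"
android2    NT-Password := 0x8846F7EAEE8FB117AD06BDD830B7586C
# ...but not this one: there is no way back from a salted crypt hash to the NT hash,
# so the mschap module logs "No NT/LM-Password. Cannot perform authentication"
android3    Crypt-Password := "<salted crypt hash>"

# Verify each method separately from the RADIUS host (testing123 is the stock
# localhost secret in clients.conf). The ASA "test aaa-server authentication"
# command sends PAP, so a passing ASA test does not prove that MS-CHAP works.
radtest -t pap    android3 password 127.0.0.1 0 testing123   # Access-Accept
radtest -t mschap android3 password 127.0.0.1 0 testing123   # Access-Reject

# Alternative on the ASA if the password store cannot be changed: negotiate PAP
# with the phone. The PPP exchange is carried inside the IPsec transport SA, so the
# password is not exposed on the wire, but it does travel in clear between ASA and
# RADIUS server unless that leg is protected separately.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 no authentication ms-chap-v2
 authentication pap
```

Storing NT-Password or Cleartext-Password is the usual fix when the domain/LDAP side cannot hand out NT hashes; the PAP fallback trades the MS-CHAP challenge/response for a credential that the RADIUS server can check against any hash format.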

MarkoTanaskovic Fri, 04/08/2011 - 03:16

Hi Patrik,

I am glad you solved the problem.

I am now working on the same thing for the Cisco router :-)

Regards,

Marko

lmcruzhsa Mon, 05/23/2011 - 10:29

Config to terminate a VPN connection from an Android device on a Cisco router:

vpdn enable
vpdn multihop
vpdn logging
vpdn history failure table-size 50
!
vpdn-group L2TP-VPN
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname anonymous
 lcp renegotiation always
 no l2tp tunnel authentication
 l2tp tunnel password 7 XXXXXXXXXXXXX
 l2tp tunnel framing capabilities all
 l2tp tunnel bearer capabilities all
 l2tp ip udp checksum
 ip pmtu
 ip mtu adjust
 l2tp congestion-control
!
interface Virtual-Template1
 description Templates for VPNs from Androids
 ip unnumbered FastEthernet0/0.XXXXXXXXXXXX
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip tcp header-compression
 ntp disable
 peer ip address forced
 peer default ip address pool XXXXXXXXX
 keepalive 5 2
 ppp mtu adaptive
 ppp encrypt mppe auto
 ppp authentication chap pap ms-chap ms-chap-v2
 ! hostname of your router in the next XXXXXXX
 ppp chap hostname XXXXXXXXXXX
 ppp ipcp header-compression ack
 ppp ipcp address required
 ppp ipcp address unique
 no clns route-cache

IOS running: c2600-advsecurityk9-mz.124-15.T13.bin

HTC: HTC Desire Z

Things to consider before copy & paste in your scenario:

- IP forced for the VPN from AAA (not detailed here in this post)

- AAA auth configured in my scenario, not detailed here either

- I have a VRF scenario here, not detailed in this post either

- Fields you can replace are marked with XXXXXXXXXX

- Pool configuration not detailed, but easy to find in any PPP template or Cisco documentation.

Last notes:

- Android 2.x doesn't support two-factor auth. I mean, user+passwd and group+passwd. So, VPN against something like a VPN3000 device is not going to work; I don't know if this applies to ASA too.

- Cisco is not going to release a VPN client -as far as I know- out of its Android products because it requires low level changes.

- No rooted device required, this template works with the HTC default firmware.

LuisMi
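The vpdn-group above terminates plain L2TP, which is what Android 2.x labels "L2TP VPN"; the only confidentiality on the path is the MPPE keying derived from the MS-CHAP exchange. The "L2TP/IPSec PSK VPN" type on the same phones expects IKE main mode with a pre-shared key and an IPsec transport-mode SA protecting UDP/1701 before L2TP starts. As an added example that is not from the original post, this is the IPsec layer on IOS in front of the same vpdn-group, using a dynamic crypto map; the key, names and interface are assumptions.

```text
! --- Added example (not from the original post); key, names and interface are assumptions.

! IKE phase 1: main mode. The pre-shared key is bound to a wildcard address because
! roaming phones have no fixed source; "no-xauth" keeps IOS from starting XAUTH,
! which the native client does not speak.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ChangeMe-L2TP-PSK address 0.0.0.0 0.0.0.0 no-xauth
! NAT-T (UDP/4500) is on by default; phones behind mobile or home NAT depend on it.
crypto isakmp nat-traversal 20

! Phase 2: transport mode, because the protected payload is the L2TP/UDP datagram
! addressed to the router itself, not a routed IP packet.
crypto ipsec transform-set L2TP-TS esp-aes esp-sha-hmac
 mode transport

! Dynamic map: accept any peer that authenticates; no static peer address.
crypto dynamic-map DYN-L2TP 10
 set transform-set L2TP-TS
crypto map OUTSIDE-CM 10 ipsec-isakmp dynamic DYN-L2TP

interface FastEthernet0/0
 description Internet-facing interface
 crypto map OUTSIDE-CM

! The vpdn-group and Virtual-Template from the post above are unchanged; the phone's
! L2TP control and data traffic now arrive inside the transport-mode SA.
```

A wildcard pre-shared key is shared by every phone, so it is a group secret, not a per-user one; the per-user credential remains the PPP authentication behind it. The vpdn-group still accepts L2TP in the clear from peers that skip IPsec, so UDP/1701 from the outside should be filtered if only the IPsec variant is wanted.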

hebaerte Mon, 06/27/2011 - 14:03

First of all, Many thanks to Petteri and Luis for helping out so many users!

Now for some news...

June 27, 2011

We are pleased to announce that the Cisco AnyConnect Secure Mobility Client is the first 3rd party (and only SSL) VPN client available for Samsung Android devices. 

Customers may download the Cisco AnyConnect Secure Mobility Client directly from the Android Market.

Supported Devices:

Galaxy S model GT-I9000 (Gingerbread Maintenance Release)

Galaxy S model SC-02B (Gingerbread Maintenance Release)

Galaxy S II model GT-I9100

Galaxy S II model SC-02C

AnyConnect is also supported on Tab 7 running Android 2.3.3+ or Galaxy Tabs 8.9 and 10.1 running Android 3.0+.

Software Access:

https://market.android.com/details?id=com.cisco.anyconnect.vpn.android

Users Guide:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/android-user/guide/android-acug.html

Release Notes:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/rn-ac2.4-android.html

Licensing and Infrastructure Requirements:

AnyConnect for Android requires Cisco Adaptive Security Appliance (ASA) Boot image 8.0(4) or later.

For licensing questions and evaluation licenses, please contact ac-mobile-license-request (AT) cisco.com and include a copy of "show version" from your Cisco ASA.

If you already have an Essentials or Premium ASA license, you may use the automated license request tool at:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=717

The ASA requires an AnyConnect Mobile license (L-ASA-AC-M-55XX=), as well as either an AnyConnect Essentials (L-ASA-AC-E-55XX=) or AnyConnect Premium Clientless SSL VPN Edition (L-ASA-AC-SSL-YYYY=) license, where XX is the last two digits of your ASA model number and YYYY is the number of simultaneous users. AnyConnect Mobile and Essentials licenses are enabled per ASA; there is no per-user charge for either of these licenses.

lmcruzhsa Sat, 02/11/2012 - 12:14

Hi Mebaro815,

I would like to give you an immediate answer, but the scenario I have here is...

2621XM with IPsec over a tunnel GRE interface (it is a VTI with IPsec config), and in the same router, a virtual-template for L2TP and the Androids...

You wrote two "interface Virtual-Template10" interfaces, it makes me confused.

Can you explain it?

do you have logs? logs from debugs?

I expect no NAT between client and vpn server... but can you confirm it?

mebaro815 Wed, 02/08/2012 - 11:15

Hi Luis!

I hope you're still around...

I configured L2TP/IPSEC on my 2811 router and it worked great, even using RADIUS to authenticate against my domain. The only problem I have is that when I enabled L2TP I seem to have disabled isakmp-ipsec. We can no longer connect from the Cisco VPN Client on Windows PCs and i-devices. Do you know how I can get my two worlds to coexist?

Here is my config (cleaned up):

vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 10
 source-ip xx.xx.xx.xx
 source vpdn-template 10
 l2tp security crypto-profile l2tp keep-sa
 l2tp tunnel hello 15
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 5000

crypto isakmp key xxxxxxxxx address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp profile vpn-isakmp-profile
   match identity group RemoteUsers
   client authentication list sdm_vpn_xauth_ml_16
   isakmp authorization list sdm_vpn_group_ml_17
   client configuration address initiate
   client configuration address respond

crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set esp-aes-sha
 set isakmp-profile vpn-isakmp-profile
 reverse-route

crypto map SDM_CMAP_1 50 ipsec-isakmp profile l2tp
 description Ebix-Mobil-Connect
 set transform-set ESP-3DES-SHA2 ESP-AES-SHA3 ESP-3DES-SHA4

interface Virtual-Template10
 ip unnumbered FastEthernet0/1
 ip mtu 1400
 ip tcp adjust-mss 1200
 peer default ip address pool SDM_POOL_5
 ppp mtu adaptive
 ppp timeout idle 5000

crypto dynamic-map SDM_DYNMAP_1 2
set transform-set esp-aes-sha
set isakmp-profile vpn-isakmp-profile
reverse-route

crypto map SDM_CMAP_1 50 ipsec-isakmp profile l2tp
description Mobil-Connect
set transform-set ESP-3DES-SHA2 ESP-AES-SHA3 ESP-3DES-SHA4

interface Virtual-Template10
ip unnumbered FastEthernet0/1
ip mtu 1400
ip tcp adjust-mss 1200
peer default ip address pool SDM_POOL_5
ppp mtu adaptive
ppp timeout idle 5000

Thanks!  Max

daniel_boubeta Wed, 05/25/2011 - 08:49

Hi all!

I have followed Luis Cruz's instructions and I have connected my Samsung Galaxy S (with Android 2.3.3) to my Cisco 877 (with IOS 15.1(1)T2) with an L2TP VPN. The only thing I had to change was the line "ppp authentication chap pap ms-chap ms-chap-v2" to "ppp authentication ms-chap".

Regards,

Dani

lmcruzhsa Thu, 05/26/2011 - 01:48

Nice to see it is working for more people.

I forgot to comment that the same config also works with HTC Desire HD.

daniel.litwin Wed, 06/29/2011 - 06:45

I guess this is OK news, but what about all the other non-Samsung Android devices? Still seems like a half-baked solution. I don't mean to be rude, but Cisco has been dragging their feet on this for over a year. Regardless of whether the problem lies with Cisco or with Android splintering, as some would suggest, the fact remains that this is a key piece of missing software on the Android platform.

It makes Cisco look bad because end-users say "Well, Apple can do it."  CEO/CIOs don't really care about the details when you tell them their device doesn't work.

just a comment.

dannon

lmcruzhsa Thu, 06/30/2011 - 00:59

Google knows that Android is not mature enough for the corporate market, so the latest releases of Android are putting a bit more focus on that -as far as I know-; one of the consequences of that would be the release from Cisco including support for Gingerbread.

On the other hand, pushing a company, Juniper, Nortel, Cisco.... to develop a VPN client -which requires low-level changes and for sure administrative/root permissions- is not something easy without compromising the whole Android firmware image.

Not the latest update but... look:

http://static.intomobile.com/wp-content/uploads/2010/09/android-gains-corporate-market1.jpg

I don't know in detail how privileges work under Android, but so far, on the HTC Desire Z, 'su' is not working, 'sudo' is not working... PAM? I didn't research it.

Nowadays the only solution you could have for previous releases is to root the device, and after that, install software or a new image with maybe other features.

Anyway, the situation looks better; the step from Cisco is positive.

L2TP configuration should be fine if you can deploy it. I have the L2TP config here deployed on all HTCs with Android, and the IP address plan as well as the user profiles are fully transparent to the user; I mean, quite smooth: same usernames for the IPsec VPNs as well as L2TP, same IPs -meaning no changes per IP/user in the firewall-, automatic next-hop routing with RIP... pretty, pretty smooth.

Maybe a commercial idea would be to build VPN gateways for this issue and sell services, but I think I was checking that and it is being sold right now over the net, and also, who would like to terminate the VPN in a third-party box? Not me.

PS: I would like a pure Cisco VPN client and support for Novell GroupWise but... c'est la vie.

psd Thu, 06/30/2011 - 05:31

Cisco would like to be able to offer AnyConnect for ALL Android platforms as it would have been roughly the same amount of engineering work for us as supporting our first partner.  Unfortunately this is not possible as stock Android (both Gingerbread and Honeycomb) do not allow for 3rd party VPN clients. 

If you would like to put in a kind word for this request, you may do so at:

http://code.google.com/p/android/issues/detail?id=9160

paultribe Wed, 06/29/2011 - 07:14

Here are extracts from the ASA 8.4(2) release notes that mention Android, if it helps; see: http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html:

New features in 8.4(2)

AnyConnect Identification Extensions for Mobile Device Detection

You can now configure the ASA to permit or deny VPN connections from endpoints with an AnyConnect Essentials license on a per-dynamic access policy (DAP) basis. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod versions 2.5.x and AnyConnect for Android versions 2.4.x. It is not required to enable CSD to configure these specific attributes via ASDM.

The feature is also present in Version 8.2(5).

L2TP/IPsec support for Android

We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client. Mobile devices must be using the Android 2.1 or later operating system.

We did not modify any commands.

Also available in Version 8.2(5).

This feature is also in 8.4(1).

SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients

ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.

We did not modify any commands.

Also available in Version 8.2(5).

New features in 8.4(1)

L2TP/IPsec Support on Android Platforms

We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client.

Requirements:

Mobile devices must be using the Android 2.1, or later, operating system.

The ASA must be running the ASA Release 8.4(1) or later.

This Discussion

Posted April 9, 2010 at 12:57 AM
Stats:
Replies:70 Avg. Rating:4.66667
Views:630052 Votes:2
Shares:41
