Android and PIX 501

Unanswered Question
Oct 25th, 2011

Has anyone successfully configured a PIX 501 to communicate with an LG Phoenix (I'm assuming Android OS) via an L2TP/IPsec VPN?

seanwaite Tue, 10/25/2011 - 10:53

Yes, I have a Samsung Infuse (Android Froyo) connected to ASA5510 and ASA5505. Because of the way our L2TP RA are set up I had to edit init.rc located in the root of the filesystem, and then added routes to the remote network.

For the Android settings I simply set the VPN name, ASA Address, and then PSK and connected (prompted for log in of course).

I should add that if you need to add static routes to your device, you will need to root it. I had to root my device, then copy init.rc to the SD card and edit it, then copy it back, overwriting the old one. Once that was done I could access the remote side.

If you're not familiar with how to root your device, I would suggest taking a look at the tutorials and FAQs over at the XDA forum - http://forum.xda-developers.com/forumdisplay.php?f=836. Looks like the LG Phoenix is under the LG Optimus/P500 section.

jgadbois Thu, 10/27/2011 - 07:53

Actually, I was looking for a sample config for a PIX 501. I've found some for the ASA and tried modifying them for the 501 with little success (changing IKE and IPsec parameters). It's funny, but SonicWall has a tech article specifically dealing with the Android OS, with all of the steps necessary to make a connection.

jgadbois Fri, 10/28/2011 - 12:18

Seems like such a simple question, but I guess no one has ever tried this. I'm now wondering if it's even possible.

jgadbois Sun, 10/30/2011 - 09:04

Nobody... Anybody? Okay, I now declare that a PIX 501 and Android cannot connect!

seanwaite Mon, 10/31/2011 - 12:37

Our current working config relevant to L2TP:

access-list NO_NAT extended permit ip 10.10.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list REMOTE_RA extended permit ip any 192.168.100.0 255.255.255.0
nat (Inside) 0 access-list NO_NAT
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_AES128_SHA TRANS_ESP_AES192_SHA ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.10.1.20 10.10.1.23
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-network-list value REMOTE_RA
 default-domain value ******.com
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 15 retry 2
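Editor's note, added example (not code from any poster in this thread or from Cisco): the working config above offers five IKEv1 policies, and the ASA lets the peer settle on whichever one it will accept, so every weak policy in the list is reachable. The script below parses "crypto isakmp policy" blocks in either the flat form the config was pasted in or the one-space-indented form "show running-config" prints, and reports policies using DES, 3DES, MD5 or DH groups 1 and 2. The embedded sample reproduces policies 10 and 70 from the post plus one constructed hardened policy for comparison; whether a given ASA or PIX release accepts "group 14" under IKEv1 is an assumption to check against your software version. Phase 2 transform sets (the "set transform-set" line, which here includes DES and MD5 variants) are a separate list and are not parsed.

```python
"""Audit the IKEv1 (ISAKMP) policies in a Cisco ASA/PIX config fragment.

Added example for this thread, not code from any poster or from Cisco.
"""
import re
from dataclasses import dataclass

# Algorithm judgements (general facts, not taken from the thread): single DES is
# broken, 3DES has a 64-bit block (Sweet32), MD5 is collision-broken, and DH
# groups 1 and 2 are 768- and 1024-bit MODP, below current minimums (Logjam).
# 'hash sha' is SHA-1 HMAC, which IKE still tolerates, so it is not flagged.
WEAK_ENCRYPTION = {"des": "single DES", "3des": "3DES (64-bit block, Sweet32)"}
WEAK_HASH = {"md5": "MD5"}
WEAK_GROUP = {"1": "DH group 1 (768-bit MODP)", "2": "DH group 2 (1024-bit MODP)"}
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}


@dataclass
class IsakmpPolicy:
    priority: int
    authentication: str = ""
    encryption: str = ""
    hash: str = ""
    group: str = ""
    lifetime: str = ""

    def findings(self) -> list[str]:
        """Human-readable weaknesses for this policy; an empty list means clean."""
        out = []
        if self.encryption in WEAK_ENCRYPTION:
            out.append(f"encryption {self.encryption}: {WEAK_ENCRYPTION[self.encryption]}")
        if self.hash in WEAK_HASH:
            out.append(f"hash {self.hash}: {WEAK_HASH[self.hash]}")
        if self.group in WEAK_GROUP:
            out.append(f"group {self.group}: {WEAK_GROUP[self.group]}")
        # ASA accepts 'lifetime none' (never rekey) as well as a number of seconds.
        if self.lifetime == "none" or (self.lifetime.isdigit() and int(self.lifetime) > 86400):
            out.append(f"lifetime {self.lifetime}: phase 1 SA lives longer than one day")
        return out


def parse_isakmp_policies(config: str) -> list[IsakmpPolicy]:
    """Collect every 'crypto isakmp policy' block, flat or indented."""
    policies: list[IsakmpPolicy] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = IsakmpPolicy(priority=int(m.group(1)))
            policies.append(current)
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in POLICY_KEYS:
            setattr(current, parts[0], parts[1].lower())
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the policy block
    return policies


def audit(config: str) -> dict[int, list[str]]:
    """Map each policy priority to its findings, ordered as the ASA tries them."""
    policies = sorted(parse_isakmp_policies(config), key=lambda p: p.priority)
    return {p.priority: p.findings() for p in policies}


# Constructed sample: policy 5 is a hardened policy for comparison (assumption:
# IKEv1 support for group 14 depends on the ASA/PIX release); policies 10 and
# 70 are copied from the config posted above in the flat form it was pasted in.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
group-policy DefaultRAGroup internal
"""

if __name__ == "__main__":
    for priority, problems in audit(SAMPLE_CONFIG).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"crypto isakmp policy {priority}: {status}")
```

Run it against the output of "show running-config crypto isakmp" (or the whole running config) piped into a file; on the posted config every policy is flagged, since policy 10 pairs AES with DH group 1 and the 3DES policies all use group 1 or 2, two of them with MD5.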

Posted October 25, 2011 at 9:24 AM