ASA: Configuring the Native L2TP-IPSEC Droid client

Document

Aug 6, 2011 3:21 PM

This document has been migrated to cisco.com. Please refer to the following document for the latest updated version:

ASA and Native L2TP-IPSec Android Client Configuration Example

Introduction

L2TP over IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform. The primary benefit of configuring L2TP over IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required. This document provides a sample configuration for the native L2TP/IPsec Android client. It takes you through all the commands required on the ASA as well as the steps to be taken on the Android device itself.


Prerequisites

1. Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Android L2TP/IPsec requires ASA version 8.2.5 or later, 8.3.2.12 or later, or 8.4.1 or later
  • ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.
  • Licensing Requirements for L2TP over IPsec

2. Configure

This section describes the information you need to configure the features described in this document.

To configure the L2TP/IPSec connection on the Droid:

  1. Open the menu and choose Settings
  2. Select Wireless and Network or Wireless Controls, depending on your version of Android
  3. Select VPN Settings
  4. Select Add VPN
  5. Select Add L2TP/IPsec PSK VPN
  6. Select VPN Name and type in a descriptive name
  7. Select Set VPN Server and enter a descriptive name
  8. Select Set IPSec pre-shared key
  9. Uncheck Enable L2TP secret
  10. Open the menu and choose Save

To configure the L2TP/IPSec connection on ASA:

The following ASA IKEv1 (ISAKMP) policy settings are required to allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using the L2TP over IPsec protocol:

  • IKEv1 phase 1—3DES encryption with SHA1 hash method.
  • IPsec phase 2—3DES or AES encryption with MD5 or SHA hash method.
  • PPP Authentication—PAP, MS-CHAPv1, or MSCHAPv2 (preferred).
  • Pre-shared key

NOTE: The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.

  1. Define a local address pool, or use a DHCP server, for the adaptive security appliance to allocate IP addresses to the clients for the group policy.
  2. Create an internal group policy.
    1. Define the tunnel protocol to be l2tp-ipsec.
    2. Configure a DNS server to be used by the clients.
  3. Either create a new tunnel group or modify the attributes of the existing DefaultRAGroup.
  4. Define the general-attributes of the tunnel group that will be used.
    1. Map the defined group policy to this tunnel group.
    2. Map the defined address pool to be used by this tunnel group.
    3. Modify the authentication-server group if you want to use something other than LOCAL.
  5. Define the pre-shared key under the ipsec-attributes of the tunnel group to be used.
  6. Modify the ppp-attributes of the tunnel group that will be used so that only chap, ms-chap-v1 and ms-chap-v2 are used.
  7. Create a transform set with a specific ESP encryption type and authentication type.
  8. Instruct IPsec to use transport mode rather than tunnel mode.
  9. Define an ISAKMP/IKEv1 policy using 3DES encryption with SHA1 hash method.
  10. Create a dynamic crypto map and then map it to a crypto map.
  11. Apply the crypto map to an interface.
  12. Enable ISAKMP on that interface.

3. Configurations

The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:

Configuration Example Using ASA 8.2.5 or later:

ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Configuration Example Using ASA 8.3.2.12 or later:

ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Verify

Use these commands to confirm that your connection works properly.

  • show run crypto isakmp (8.2.5)
  • show run crypto ikev1 (8.3.2.12+)
  • show vpn-sessiondb ra-ikev1-ipsec (8.3.2.12+)
  • show vpn-sessiondb remote (8.2.5)
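Before testing from the device, it is worth checking a "show run" extract for the kind of slips commenters on this page reported (an address pool or transform-set referenced under a different name, a stray "set" keyword in the dynamic map), as well as a transform set left in tunnel mode or PAP left enabled. The linter below is an added example, not part of the original document or any Cisco tool; its embedded sample configuration is constructed from the page's 8.3.2.12 example with the two naming slips deliberately left in.

```python
import re

# Constructed sample: the page's 8.3.2.12+ example with the two naming slips
# commenters reported (pool name, transform-set name) deliberately left in.
SAMPLE_CONFIG = """
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_addresses
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
"""

def lint_l2tp_config(config):
    """Return findings for an ASA L2TP/IPsec 'show run' extract: dangling names and modes."""
    findings = []
    pools = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    ts_defined = set(re.findall(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) esp-", config, re.M))
    ts_transport = set(re.findall(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) mode transport", config, re.M))
    dyn_maps = set(re.findall(r"^crypto dynamic-map (\S+) \d+ ", config, re.M))
    # tunnel-group general-attributes must reference a pool that exists
    for pool in re.findall(r"^\s+address-pool (\S+)", config, re.M):
        if pool not in pools:
            findings.append(f"address-pool '{pool}' is not a defined ip local pool")
    # dynamic-map -> transform-set: name must match, and L2TP needs transport mode
    for m in re.finditer(r"^crypto dynamic-map (\S+) \d+ set (?:ikev1 )?transform-set (.+)$", config, re.M):
        for name in m.group(2).split():
            if name == "set":
                findings.append(f"dynamic-map '{m.group(1)}': stray 'set' keyword before the transform-set name")
            elif name not in ts_defined:
                findings.append(f"dynamic-map '{m.group(1)}': transform-set '{name}' is not defined")
            elif name not in ts_transport:
                findings.append(f"transform-set '{name}' is not in transport mode (required for L2TP/IPsec)")
    # crypto map -> dynamic-map
    for dm in re.findall(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", config, re.M):
        if dm not in dyn_maps:
            findings.append(f"crypto map references undefined dynamic-map '{dm}'")
    # PAP carries the user password in the clear inside the tunnel; the page disables it
    if re.search(r"^\s+authentication pap\s*$", config, re.M):
        findings.append("ppp-attributes: 'authentication pap' is enabled; use MS-CHAPv2 instead")
    return findings
```

Running lint_l2tp_config(SAMPLE_CONFIG) reports the undefined pool name and the undefined transform-set name; once both references are corrected it returns an empty list.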

Related Information

  1. For more generic information related to configuring l2tp-ipsec on ASAs please refer to: Configuring L2TP over IPsec
  2. For more information about new features added in 8.4 code please refer to: Release Notes for the Cisco ASA 5500 Series, Version 8.4(x)
  3. This document does not detail how to configure NAT on ASAs running software 8.3.2.12 or higher. For that please refer to the following documents:
    1. Official NAT 8.3 Documentation
    2. ASA Pre-8.3 to 8.3 NAT configuration Examples

Known Caveats

  1. CSCtq21535 - when connecting to a headend running ASA 8.4.1 the ASA may crash.

Comments

boehmd@rrz.uni-... Thu, 09/29/2011 - 01:09

Thank you for this document. It really helped me implement VPN support for Android devices. But there are some minor errors:

The name of transform-set configured in the example for 8.3.2.12 is my-transform-set-ikev1 but the dynamic-map uses the name trans.

The transform-set uses 3DES in the first example and only DES in the second. Besides this, why don't you just recommend AES?

One problem I encountered during implementation was the combined use of tunnel and transport mode.

I found out that this is only possible if they are both configured in only one dynamic-map using the different transform-sets. When using multiple dynamic-maps or crypto-maps with priorities, only the one with the higher priority matched, resulting in the log message "All IPSec SA proposals found unacceptable!"

I would have liked a note that changing the dynamic-map results in an immediate disconnect of all IPSec sessions.

I hope this advice helps others during implementation.

atbasu Mon, 10/03/2011 - 08:06 (reply to boehmd@rrz.uni-...)

Hi, thanks for the feedback and pointing out the error. I had it fixed.

Now regarding your other queries:

1. I just happened to choose DES and 3DES because I had used them before in my lab and it's what I usually use. There are no problems that I am aware of but it isn't something I've tested either.

2. It might be worth exploring the problem you are facing with dynamic maps requiring different transform-sets, by opening a case with Cisco TAC.

3. What kind of changes did you make to the crypto map? Did you modify the crypto map that was being used by the tunnel?

jgadbois Thu, 10/27/2011 - 07:46

Great document, but lines 3, 4, 5 are all bunched together and therefore I can't read them. Can you repost?

atbasu Thu, 10/27/2011 - 07:55 (reply to jgadbois)

Hi, I don't see the error myself. Could you try increasing the size of the text on your page to see if that resolves the issue? In that case I can increase the size of the font to make it more readable.

jgadbois Thu, 10/27/2011 - 07:57

I tried a larger size with no luck. It's like those three lines are running together, maybe missing CRs or something.

jgadbois Thu, 10/27/2011 - 07:59

I just did a view as a pdf and they now come out okay.  Thanks for the response.

atbasu Thu, 10/27/2011 - 08:14 (reply to jgadbois)

Sorry I couldn't help more. It has to do with the way your browser is rendering it, because on Chrome (which I am using) all the lines are well spaced out and clearly visible.

giovannitorres Tue, 11/01/2011 - 09:06

There is a small extra "set" in crypto dynamic-map dyno 10 set transform-set set trans. Otherwise, these instructions worked great for me!

Although, I'm still not 100% sure, because I can connect, but packet-tracer shows packets dropped. But I think this is related to my own configuration.

I had to add a foo/bar user to be able to test:

username foo password bar mschap

In any case, thank you! These are the best instructions I have found. Now, if only I could see something similar for iPhone/MacOSX/iPad.

Steve Rodrigue Wed, 08/15/2012 - 12:44

I revive the thread!

Could it work with ASA 8.2.1?

I've mashed your template with my customer's firewall configuration and plan to test it. I hope it will work with the software revision actually running. Thanks for your document!

atbasu Sat, 08/18/2012 - 12:29

Steve, the L2TP client is only supported as of ASA 8.2.5; any 8.2.x code prior to this isn't supported. While this doesn't mean that it won't work, it definitely means there is a high likelihood it won't, because the ASA code was not designed to support it at that stage. Just an FYI, this document has now been verified and become an official Cisco document:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7540.shtml

vsgchris33 Thu, 11/07/2013 - 03:31

Hi,

I tried it too but could not connect with my Android 4 tablet to my ASA5505 9.1.2.

Here is the log output:

4     Nov 06 2013     20:49:33     113019                         Group = DefaultRAGroup, Username = , IP = 192.168.0.1, Session disconnected. Session Type: IPsec, Duration: 0h:00m:02s, Bytes xmt: 803, Bytes rcv: 771, Reason: L2TP initiated
5     Nov 06 2013     20:49:33     713259                         Group = DefaultRAGroup, IP = 192.168.0.1, Session is being torn down. Reason: L2TP initiated
6     Nov 06 2013     20:49:33     602304                         IPSEC: An inbound remote access SA (SPI= 0x384D5B3D) between 192.168.0.1 and 192.168.0.100 (user= DefaultRAGroup) has been deleted.
6     Nov 06 2013     20:49:33     602304                         IPSEC: An outbound remote access SA (SPI= 0x00D4C9B6) between 192.168.0.100 and 192.168.0.1 (user= DefaultRAGroup) has been deleted.
6     Nov 06 2013     20:49:33     603107                         L2TP Tunnel deleted, tunnel_id = 18, remote_peer_ip = 192.168.0.1
6     Nov 06 2013     20:49:33     603106                         L2TP Tunnel created, tunnel_id is 18, remote_peer_ip is 192.168.0.1
4     Nov 06 2013     20:49:33     737013                         IPAA: Error freeing address 0.0.0.0, not found
6     Nov 06 2013     20:49:33     113015                         AAA user authentication Rejected : reason = Invalid password : local database : user = chris
6     Nov 06 2013     20:49:33     302015     192.168.0.1     42307     192.168.0.100     1701     Built inbound UDP connection 4730 for outside:192.168.0.1/42307 (192.168.0.1/42307) to identity:192.168.0.100/1701 (192.168.0.100/1701)
5     Nov 06 2013     20:49:32     713120                         Group = DefaultRAGroup, IP = 192.168.0.1, PHASE 2 COMPLETED (msgid=caaa74cb)
6     Nov 06 2013     20:49:32     602303                         IPSEC: An inbound remote access SA (SPI= 0x384D5B3D) between 192.168.0.100 and 192.168.0.1 (user= DefaultRAGroup) has been created.
5     Nov 06 2013     20:49:32     713049                         Group = DefaultRAGroup, IP = 192.168.0.1, Security negotiation complete for User ()  Responder, Inbound SPI = 0x384d5b3d, Outbound SPI = 0x00d4c9b6
6     Nov 06 2013     20:49:32     602303                         IPSEC: An outbound remote access SA (SPI= 0x00D4C9B6) between 192.168.0.100 and 192.168.0.1 (user= DefaultRAGroup) has been created.
5     Nov 06 2013     20:49:32     713076                         Group = DefaultRAGroup, IP = 192.168.0.1, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
5     Nov 06 2013     20:49:31     713119                         Group = DefaultRAGroup, IP = 192.168.0.1, PHASE 1 COMPLETED
6     Nov 06 2013     20:49:31     113009                         AAA retrieved default group policy (l2tp-ipsec_policy) for user = DefaultRAGroup
6     Nov 06 2013     20:49:31     713172                         Group = DefaultRAGroup, IP = 192.168.0.1, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

My user/password are correct though.

Any idea why it could fail?

Thank you.

bhagat_parth Wed, 11/13/2013 - 08:12

Hey guys,

I got it (IPsec over NAT-T, or say IKEv1) working this morning with Cisco ASA 5505 v9.1 & Samsung Galaxy S4 (unrooted).

Basically, there is some unknown issue with the built-in VPN module of most of these Android phones.

Try using 3rd party mobile apps such as vpncilla etc.; it works like a charm.

group-policy Android internal
group-policy Android attributes
 dns-server value x.x.x.x x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 default-domain value vpn.yourdomain.com
tunnel-group Android type remote-access
tunnel-group Android general-attributes
 address-pool Remote_access
 authentication-server-group yourTACACS (alternatively can use local auth)
 default-group-policy Android
tunnel-group Android ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Android ppp-attributes
 authentication ms-chap-v2

Hope this works for you!

HTH
