ASA and Android: L2TP and IPsec

Hello

I have Android 2.3.7 and asa825-13-k8.bin. I am trying to set up IPsec with PSK. I used this tutorial:

https://supportforums.cisco.com/docs/DOC-17798

Phase 1 and 2 seem to be OK, but I have a problem with RADIUS. It seems that it doesn't work; I think there is no request sent from the ASA to RADIUS. When I use the same RADIUS with a "normal, pure IPsec" client it's OK. Is there some limit? Is there some way to set up many group policies with IPsec PSK? Thanks for help.

This is my conf from RADIUS:

asa:

show running-config all | begin tunnel-group DefaultRA

tunnel-group DefaultRAGroup type remote-access

tunnel-group DefaultRAGroup general-attributes

address-pool l2tp-ipsec_address

no ipv6-address-pool

authentication-server-group radiusek

secondary-authentication-server-group none

no accounting-server-group

default-group-policy l2tp-ipsec_policy

no dhcp-server

no strip-realm

no password-management

no override-account-disable

no strip-group

no authorization-required

username-from-certificate CN OU

secondary-username-from-certificate CN OU

authentication-attr-from-server primary

authenticated-session-username primary

tunnel-group DefaultRAGroup webvpn-attributes

customization DfltCustomization

authentication aaa

no override-svc-download

no radius-reject-message

no proxy-auth sdi

no pre-fill-username ssl-client

no pre-fill-username clientless

no secondary-pre-fill-username ssl-client

no secondary-pre-fill-username clientless

dns-group DefaultDNS

no without-csd

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

peer-id-validate req

no chain

no trust-point

isakmp keepalive threshold 300 retry 2

no radius-sdi-xauth

isakmp ikev1-user-authentication xauth

tunnel-group DefaultRAGroup ppp-attributes

no authentication pap

authentication chap

authentication ms-chap-v1

authentication ms-chap-v2

no authentication eap-proxy

radius with motp:

lolo

        Secret = f037dacbecbda0da,

        PIN = 5555,

        Offset = 0,

        CVPN3000-IETF-Radius-Class := "storage"

or

lolo

        Secret = f037dacbecbda0da,

        PIN = 5555,

        Offset = 0,

and my logs:

Nov 23 20:36:24 masterASA Group = DefaultRAGroup, IP = 89.72.38.13, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

Nov 23 20:36:24 masterASA AAA retrieved default group policy (l2tp-ipsec_policy) for user = DefaultRAGroup

Nov 23 20:36:24 masterASA Group = DefaultRAGroup, IP = 89.72.38.13, PHASE 1 COMPLETED

Nov 23 20:36:24 masterASA IP = 89.72.38.13, Keep-alives configured on but peer does not support keep-alives (type = None)

Nov 23 20:36:25 masterASA Group = DefaultRAGroup, IP = 89.72.38.13, Security negotiation complete for User ()  Responder, Inbound SPI = 0x12a70999, Outbound SPI = 0x06e5bc21

Nov 23 20:36:25 masterASA IPSEC: An outbound remote access SA (SPI= 0x06E5BC21) between 17.24.64.182 and 89.72.38.13 (user= DefaultRAGroup) has been created.

Nov 23 20:36:25 masterASA IPSEC: An inbound remote access SA (SPI= 0x12A70999) between 17.24.64.182 and 89.72.38.13 (user= DefaultRAGroup) has been created.

Nov 23 20:36:25 masterASA Group = DefaultRAGroup, IP = 89.72.38.13, PHASE 2 COMPLETED (msgid=a5df4a8f)

Nov 23 20:36:26 masterASA AAA user authentication Rejected : reason = AAA failure : server = 10.62.1.10 : user = lolo

Nov 23 20:36:26 masterASA IPAA: Error freeing address 0.0.0.0, not found

Nov 23 20:36:27 masterASA L2TP Tunnel created, tunnel_id is 6, remote_peer_ip is 89.72.38.13

ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0

username is lolo

Nov 23 20:36:27 masterASA L2TP Tunnel deleted, tunnel_id = 6, remote_peer_ip = 89.72.38.13

Nov 23 20:36:27 masterASA IPSEC: An outbound remote access SA (SPI= 0x06E5BC21) between 17.24.64.182 and 89.72.38.13 (user= DefaultRAGroup) has been deleted.

Nov 23 20:36:27 masterASA IPSEC: An inbound remote access SA (SPI= 0x12A70999) between 17.24.64.182 and 89.72.38.13 (user= DefaultRAGroup) has been deleted.

Nov 23 20:36:27 masterASA Group = DefaultRAGroup, IP = 89.72.38.13, Session is being torn down. Reason: L2TP initiated

Nov 23 20:36:27 masterASA Group = DefaultRAGroup, Username = , IP = 89.72.38.13, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 813, Bytes rcv: 766, Reason: L2TP initiated

Nov 23 20:36:46 masterASA 5211 in use, 6827 most used
