This deployment guide explains the configuration of the Cisco IOS
® VPN Integrated Services Router Generation 2 (ISR G2) head-end router for use with native VPN clients of Microsoft Windows Mobile and Android devices. This guide assumes that the basic Cisco IOS VPN head-end configuration is in place. The configurations discussed here include any network-related settings, such as inside and outside interface assignments, IP address configuration, hostname, domain, and default routes. Configurations are shown using the Cisco
® command-line interface (CLI).
As shown in Figure 1, a smartphone user (using an Android or Windows Mobile device) can use the built-in VPN client or native VPN client of the device and terminate the secure, encrypted VPN tunnels on the Cisco ISR G2 router. Thus, Cisco IOS VPN effectively serves as a single point of convergence for multiple smartphones.
Figure 1. VPN Termination from Smartphone to Cisco ISR G2 Router
This deployment guide has two main parts:
• Part 1 discusses the configurations required on Cisco IOS VPN head-end routers to support Android and Windows Mobile. Note that both Windows Mobile and Android use native Layer 2 Tunnel Protocol (L2TP) and IP Security (IPsec) for connectivity. Windows Mobile works with both the preshared key (PSK) and public key infrastructure (PKI) options, but Android works only with PSK. Android cannot yet use L2TP or IPsec with PKI.
• Part 2 consists of Appendixes A and B, which discuss manual installation of VPN settings on Windows Mobile and Android devices.
Part 1: Cisco IOS VPN Head-End Configuration
Following are the steps to configure the VPN gateway to work with Android and Windows Mobile devices. Authentication is based on PKI and certificates either from a Microsoft or Cisco IOS Software certificate authority (CA). This document assumes a Microsoft CA.
Table 1 lists the high-level steps required to configure Cisco IOS Software to support Android and Windows Mobile devices.
Table 1. Steps for Configuring Cisco IOS Software Android and Windows Mobile Devices
Define authentication, authorization, and accounting (AAA) settings.
Define the PKI trustpoint.
Authenticate and enroll with the CA.
Define L2TP settings.
Define Internet Security Association and Key Management Protocol (ISAKMP) policy.
Define a pool from which the client is assigned an IP address.
Define the username and password for the L2TP user.
Define the transform set.
Define the IPsec profile.
Define the virtual template.
Step 1: Define AAA Settings
This step defines the AAA settings. Here, local is used as the default method of authentication and authorization. You could also set up your IT AAA account here.
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
Step 2: Define the PKI Trustpoint
This step defines the PKI trustpoint and the CA server to be used. Because of some strict requirements set by the device operating systems, some of the settings shown here are mandatory.
This step helps ensure that the router uses the Simple Certificate Enrollment Protocol (SCEP) enrollment process, so you need a Microsoft CA with an SCEP client.
crypto pki authenticate
<CA server name>
crypto pki enroll
<CA server name>
Step 4: Define L2TP Settings
Define L2TP settings as shown here. Define a virtual template (template 10 here) and use the same virtual template later.
source-ip <IP address of WAN Interface>
source vpdn-template 10
l2tp security crypto-profile l2tp keep-sa
l2tp tunnel hello 15
no l2tp tunnel authentication
l2tp tunnel timeout no-session 5000
Step 5: Define ISAKMP Policy
This step defines ISAKMP policy and settings. Windows Mobile can use PKI policy: for example, policy 2. Android cannot yet use PKI. PSK-based policies (such as policies 5 and 7, shown here) can be used by both Windows Mobile and Android devices.
crypto isakmp policy 2
crypto isakmp policy 5
crypto isakmp policy 7
Create the ISAKMP pre-shared key using below command. Note below we are using test as the PSK
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 30
Step 6: Define a Pool from Which the Client Is Assigned an IP Address
This step defines the pool used to assign an IP address to the client.
ip local pool l2tp-pool <
Step 7: Define the Username and Password for the L2TP User
Define the username and password for the user. You can also use AAA for this task.
This profile links all transform sets under a single profile.
crypto map l2tpsec 10 ipsec-isakmp profile l2tp
set transform-set t3 t4 t1
Step 10: Define the Virtual Template
This step associates the physical interface with the virtual interface and applies the IPsec profile to the virtual interface.
<WAN interface>(i.e. Fa4 etc)
ip mtu 1400
ip tcp adjust-mss 1200
peer default ip address pool l2tp-pool
ppp mtu adaptive
ppp authentication ms-chap ms-chap-v2
ppp timeout idle <define time out>
no ip dhcp client request tftp-server-address
ip address dhcp
crypto map l2tpsec
Note: If you are using Loopback 1 as the WAN interface here, the configuration would be:
ip address <
routable WAN IP><
Part 2: Appendixes
This section describes the step-by-step installation and management of VPN settings on mobile phones, including VPN policy, VPN settings, and VPN connectivity.
Appendix A: Windows Mobile Manual Step-by-Step VPN Configuration with Certificates
Note that these steps are for a Microsoft Windows Mobile Professional device. Some steps may vary from platform to platform.
1. From the Microsoft website, install Windows Mobile Device Center for Windows Vista or Windows 7, or install Microsoft ActiveSync for Windows XP. Microsoft ActiveSync 4.5.0 was used for testing. You can also use any other tool that can synchronize certificates from your device to your computer.
2. Connect your Windows Mobile device to the PC using the USB cable provided.
3. Upgrade your Windows Mobile software, if needed, using iTunes.
4. Request a certificate for the phone from RA-CA-SERVER at IP of CA server>/certsrv.
5. Install the certificate on your local computer.
6. Export the certificate.
a. For Export the Private Keys, click Yes.
b. Select Include All the Certificates in the Certification Path If Possible.
c. Type a password.
d. Provide a name for the certificate, such as Winmobile.p12. Complete the export. The certificate is exported to the desktop.
e. Push this certificate from your local machine to your phone. Check your IT policy to email the certificate to yourself and open it on your phone, or use the Windows Mobile Device Center to push the certificate to your phone.
7. After the certificate has been installed on your device, you need to be sure that the network configuration is correctly defined on the phone. If the main connection is not configured as an Internet connection, but instead is configured as a work connection, the device will not dial the VPN.
a. Choose Start > Settings > Connections > Connections. You should see two connections listed: My ISP and My Work Network. If you do not see these connections listed, choose Start > Settings > Connections > Connections > Advanced > Select Networks and make sure that you have two networks defined: an internal network called My ISP and an intranet network called My Work Network.
b. You can add exceptions under Start > Settings > Connections > Connections > Advanced > Exceptions - Add URL. You can add *.*/* to launch VPN when browsing to any website. You can customize this option based on your domain name: for example, *. cisco.com. VPN will be launched on demand only when you browse to any website ending with cisco.com.
8. Define the L2TP and IPsec settings.
a. Choose Start > Settings > Connectivity > Edit my VPN Settings > Add New.
b. Define the name and hostname. Specify the IP address of the VPN gateway and VPN Type = l2tp/ipsec.
c. Choose the authentication mechanism. Select Certificate Based (you can also choose PSK if you want to use the test key defined in the sample configuration here).
d. Define the username and password from your AAA configuration. Specify cisco/cisco as shown in the sample configuration here.
e. Click Finish to save the VPN profile.
f. To connect to VPN using this profile, select this VPN profile and click Connect.
Appendix B: Android Manual Step-by-Step VPN Configuration with PSK
c. Set IPSec Pre-Shared Key: Define the key here; the sample configurations here used test.
d. Enable L2TP Secret: Keep this option disabled.
e. DNS Search Domains: Do not set this option.
3. Save this profile. Try connecting to this profile. Upon connection, you will be prompted for the username and password. Choose cisco/cisco based on the configuration set up here. If you use an AAA server, make sure to use those credentials. Your VPN should connect using this VPN profile.