Android User Guide for Cisco AnyConnect Secure Mobility Client, Release 3.0.x
Configuring a VPN Connection
Downloads: This chapterpdf (PDF - 1.15MB) The complete bookPDF (PDF - 2.29MB) | The complete bookePub (ePub - 299.0KB) | Feedback

Configuring a VPN Connection

Configuring a VPN Connection

Overview of AnyConnect Configuration

AnyConnect requires the following to establish VPN connectivity:

  • An address to a secure gateway for access to your network. This address is configured in a connection entry. Connection entries are listed on the AnyConnect home screen. The active connection entry is identified in the AnyConnect VPN panel on the app's home screen. VPN connection entries are configured on your device automatically or manually.
  • Authentication information to successfully complete your connection. This will be in the form of a username and password you must remember, or it will be contained in a digital certificate that has been configured on your device. For some VPN connections, both authentication methods may be required. Digital certificates are configured on your device automatically or manually.

Configure your AnyConnect client as directed by your administrator. Your administrator provides you with procedures to automate the configuration of connection entries and digital certificates, or appropriate information to manually configure these entities. Contact your administrator if you do not have clear instructions.

Related Concepts

Configuring Connection Entries

Adding Connection Entries

A connection entry specifies a secure gateway that provides access to your private network, as well as other connection attributes.

Procedure
Connection entries are configured on your device automatically or manually in the following ways:
  • By clicking on a link provided by your administrator to configure a connection entry.

    The link may be included in an e-mail or published on a web page. The application preference External Control must be set to either Prompt or Enable to allow this on your device. See Controlling External Use of AnyConnect

  • After connecting to a secure gateway that is configured to download an AnyConnect client profile containing connection entries. See Managing the AnyConnect VPN Profile.
  • Manually configured.

    You must know the address of the secure gateway to your network. The address is the domain name or the IP address of the secure gateway and it may also specify a group that you belong to. Other connection attributes can also configured. See Adding Connection Entries Manually.


Adding Connection Entries Manually

Add a VPN connection entry to identify the VPN secure gateway to which you want to connect.

Procedure
    Step 1   From the AnyConnect home window, tap Add new VPN Connection to open the Connection Editor.

    Cancel out of the Connection Editor window at any time.

    Step 2   (Optional)Choose Description to enter a descriptive name for the connection entry.

    Enter a unique name for this connection entry. If not specified, the Server Address is used as the default. Use any letters, spaces, numbers, or symbols on the keyboard display. This field is case-sensitive.

    Step 3   Choose Server Address to enter the address of the secure gateway.

    Enter the domain name or IP address of the secure gateway, including a group if specified by your administrator.

    Step 4   (Optional)Tap Advanced Preferencesto change advanced certificate and protocol settings.

    Cancel out of the Advanced Connection Editor window at any time.

    Step 5   (Optional)Tap Certificate to specify how user certificates are used for this connection.
    • Tap Disabled to specify that certificates will not be used for this connection.
    • Tap Automatic to specify that a certificate will be used to establish a connection only if it is required by the secure gateway.
    • Tap the certificate that your administrator instructs you to use.

    Your administrator will provide you with instructions for installing a user certificate on your mobile device if one is necessary to establish a VPN session. Tap any certificate in the list to view its details.

    Step 6   (Optional)Tap Connect with IPsec to use IPsec instead of SSL for this VPN connection.

    This connection attribute is provided to you by your administrator.

    The Authentication parameter becomes active if you choose IPsec for your VPN connection protocol.

    Step 7   (Optional)Tap Authentication and choose the authentication method for this IPsec connection.

    This connection attribute is provided to you by your administrator.

    • EAP-AnyConnect (default authentication option)
    • IKE-RSA
    • EAP-GTC
    • EAP-MD5
    • EAP-MSCHAPv2

    Your authentication option is shown in the Advanced Connection Editor window.

    Step 8   (Optional)If you have specified EAP-GTC, EAP-MD5, or EAP-MSCHAPv2 to be used for authentication, tap IKE Identity to enter the identity information given to you by your administrator.
    Step 9   Tap Done in both the Advanced Connection Editor window and the Connection Editor window to save the connection values.

    AnyConnect adds the new connection entry to the list in the home window.


    Modifying a Connection Entry

    Change a VPN connection entry to correct a configuration error or comply with an IT policy change.


    Note


    You cannot modify the description or server address of connection entries downloaded from a secure gateway.


    Procedure
      Step 1   From the AnyConnect home window, long-press the VPN connection entry to be modified.

      AnyConnect displays the Select Action window.

      Step 2   Tap Edit connection.

      The Connection Editor window displays the parameter values assigned to the connection entry.

      Step 3   Tap the value to be modified, use the on-screen keyboard to enter the new value, and tap OK.
      Step 4   Tap Done.

      AnyConnect saves the modified connection entry and reopens the AnyConnect home window.


      Deleting a Connection Entry

      This procedure deletes a manually configured VPN connection entry. The only way to remove a connection entry imported from a VPN secure gateway is to remove the downloaded AnyConnect profile that contains the connection entries.

      Procedure
        Step 1   From the AnyConnect home window, long-press the connection entry to display the Select Action window.
        Step 2   Tap Delete connection.

        About User Certificates

        In order for you, the AnyConnect user, to authenticate to the secure gateway using a digital certificate, you need a user certificate in the AnyConnect certificate store on your device. User certificates are imported using one of the following methods, as directed by your administrator:
        • Imported automatically after clicking a hyperlink provided by your administrator in an e-mail or on a web page.
        • Imported manually by you from the device's file system, from the device's credential storage, or from a network server.
        • Imported when connecting to a secure gateway that has been configured by your administrator to provide you with a certificate.

        Once imported, the certificate can be associated with a particular connection entry or selected automatically during connection establishment to authenticate.

        You can delete user certificates from the AnyConnect store if they are no longer needed for authentication.

        Importing Certificates from Hyperlinks

        Your administrator will provide you with a hyperlink to install a certificate on your device.

        Before You Begin

        Set External Control to either Prompt or Enable within the AnyConnect settings.

        Procedure
          Step 1   Tap the hyperlink provided by your administrator.

          The link may be included in an e-mail or published on an intranet web page.

          Step 2   If prompted, provide the authentication code for the certificate that was provided to you.

          The certificate is installed in the AnyConnect certificate store on your Android devce and can be viewed, assigned to a connection entry, or removed.


          Related Concepts

          Importing Certificates Manually

          The following explains all possible options for manually importing a user certificate to the AnyConnect store for VPN authentication purposes.

          Before You Begin

          Obtain the specific certificate import procedures from your adinistrator.

          Procedure
            Step 1   From the AnyConnect home window, tap Menu > Diagnostics > Certificate Management.
            Step 2   Tap the User tab.
            Step 3   Tap Import to import a certificate.
            Step 4   Select your import source:
            • Tap File System to import a certificate file from the local file system.
            • Tap Network Location (URI) to import a certificate from a server on the network.
            • Tap Device Credential Storage to link to a certificate currently in the Device Credential Storage.

              The source certificate is not actually copied into the AnyConnect certificate store. If the certificate is removed from Credential Storage, the link to the certificate will also be removed.

              Note   
              • This option is available only on devices running Android 4.0 (Ice Cream Sandwich) or later.
              • When attempting to import a certificate from the Device Credential Storage on Android 4.1 (Jelly Bean), the client shows the error message "This feature is not supported on this version of Android". Import the certificate directly into the AnyConnect store instead of using the Android native store.


            Related Concepts

            Importing Certificates Provided by a Secure Gateway

            Before You Begin

            Your administrator configures a secure gateway to enable the distribution of certificates and provides you with connection information to that secure gateway.

            Procedure
              Step 1   Open AnyConnect.
              Step 2   In the Choose a connection area, tap the name of the connection capable of downloading a certificate to your mobile device.
              Step 3   If present, tap Get Certificate, or select the group configured to download a certificate to your mobile device.
              Step 4   Enter authentication information provided by your administrator.

              The secure gateway downloads the certificate to your device. Your VPN session is disconnected, and you receive the message that certificate enrollment was successful.

              Related Concepts