Android User Guide for Cisco AnyConnect Secure Mobility Client, Release 3.0.x
Configuring a VPN Connection

Configure a VPN Connection

AnyConnect requires the following to establish VPN connectivity:

  • An address to a secure gateway for access to your network.

    This address is configured in a connection entry. Connection entries are listed on the AnyConnect home screen. The active connection entry is identified on the AnyConnect home screen or in the Connections list. VPN connection entries are configured on your device automatically or manually.

  • Authentication information to successfully complete your connection.

    This will be in the form of a username and password you must remember, or it will be contained in a digital certificate that has been configured on your device. For some VPN connections, both authentication methods may be required. Digital certificates are configured on your device automatically or manually.

Configure your AnyConnect client as directed by your administrator. Your administrator provides you with procedures to automate the configuration of connection entries and digital certificates, or appropriate information to manually configure these entities. Contact your administrator if you do not have clear instructions.

Configure Connection Entries

A connection entry specifies a secure gateway that provides access to your private network, as well as other connection attributes.

Procedure
Connection entries are configured on your device automatically or manually in the following ways:
  • Manually configured.

    You must know the address of the secure gateway to your network. The address is the domain name or the IP address of the secure gateway, and it may also specify a group that you belong to. Other connection attributes can also be configured. See Add or Modify Connection Entries Manually.

  • Configured by your enterprise's Mobile Device Management software. Device management profiles may be found on your device under the General Settings.
  • Automatically configured by clicking on a link provided by your administrator to configure an AnyConnect connection entry.

    The link may be included in an email or published on a web page. The application preference External Control must be set to either Prompt or Enable to allow this on your device. Prompt asks you to confirm each such request before it is applied, so prefer it over Enable unless your administrator instructs otherwise, and only open connection links you know came from your administrator. See Control the External Use of AnyConnect.

  • Automatically configured after connecting to a secure gateway that downloads an AnyConnect client profile containing connection entries. See Managing the AnyConnect Client Profile.


Adding Connection Entries Manually

Add a VPN connection entry to identify the VPN secure gateway to which you want to connect.

Procedure
    Step 1   From the AnyConnect home window, tap Add New VPN Connection to open the connection editor.

    Cancel out of the connection editor at any time.

    Step 2   (Optional) Choose Description to enter a descriptive name for the connection entry.

    Enter a unique name for this connection entry. If not specified, the Server Address is used as the default. Use any letters, spaces, numbers, or symbols on the keyboard display. This field is case-sensitive.

    Step 3   Choose Server Address to enter the address of the secure gateway.

    Enter the domain name or IP address of the secure gateway, including a group if specified by your administrator.

    Step 4   (Optional) Tap Advanced Preferences to change advanced certificate and protocol settings.

    Cancel out of the Advanced Connection Editor window at any time.

    Step 5   (Optional) Tap Certificate to specify how user certificates are used for this connection.
    • Tap Disabled to specify that certificates will not be used for this connection.
    • Tap Automatic to specify that a certificate will be used to establish a connection only if it is required by the secure gateway.
    • Tap the certificate that your administrator instructs you to use.

    Your administrator will provide you with instructions for installing a user certificate on your mobile device if one is necessary to establish a VPN session. Tap any certificate in the list to view its details.

    Step 6   (Optional) Tap Connect with IPsec to use IPsec instead of SSL for this VPN connection.

    This connection attribute is provided to you by your administrator.

    The Authentication parameter becomes active if you choose IPsec for your VPN connection protocol.

    Step 7   (Optional) Tap Authentication and choose the authentication method for this IPsec connection.

    This connection attribute is provided to you by your administrator.

    • EAP-AnyConnect (default authentication option)
    • IKE-RSA
    • EAP-GTC
    • EAP-MD5
    • EAP-MSCHAPv2

    Your authentication option is shown in the Advanced Connection Editor window.

    Step 8   (Optional) If you have specified EAP-GTC, EAP-MD5, or EAP-MSCHAPv2 to be used for authentication, tap IKE Identity to enter the identity information given to you by your administrator.
    Step 9   Tap Done in both the Advanced window and the Connection Editor window to save the connection values.

    AnyConnect adds the new connection entry.
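Step 7 lists EAP-MD5 among the IPsec authentication methods without saying what it does or what it relies on. The Go program below is an added example written for this page, not AnyConnect or Cisco code. It follows RFC 3748 (EAP MD5-Challenge) and RFC 1994 (CHAP, whose computation EAP-MD5 reuses); the identity "jdoe", the password "Winter2024!", the identifier 0x2a and the wordlist are constructed for the demo. It runs both sides of the exchange (gateway challenge, client response, gateway check) and then shows the method's weakness: the response is MD5(identifier || password || challenge) with no salt and no binding to a session key, so anyone who records the two messages can test password guesses offline. In IKEv2 (RFC 7296) the EAP exchange is carried inside IKE_AUTH, after the gateway has authenticated itself with its certificate, which is why the server-certificate checks described later in this chapter matter: a gateway you connect to despite an invalid certificate is in a position to collect these responses.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// EAP codes and the MD5-Challenge method type from RFC 3748.
const (
	codeRequest  byte = 1
	codeResponse byte = 2
	typeMD5      byte = 4
)

// Message is the part of an EAP MD5-Challenge packet this example needs. The Identifier
// ties a Response to its Request and is mixed into the hash, exactly as in PPP CHAP.
type Message struct {
	Code       byte
	Identifier byte
	Type       byte
	Value      []byte // the challenge in a Request, the 16-byte MD5 digest in a Response
	Name       string // peer identity in a Response; the guide's "IKE Identity" field
}

// md5Response is the CHAP computation EAP-MD5 reuses (RFC 1994 section 4.1):
// MD5(Identifier || secret || challenge).
func md5Response(id byte, secret string, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write([]byte(secret))
	h.Write(challenge)
	return h.Sum(nil)
}

// NewChallenge is the gateway's side: a fresh 16-byte random challenge under identifier id.
func NewChallenge(id byte) Message {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return Message{Code: codeRequest, Identifier: id, Type: typeMD5, Value: c}
}

// Respond is the client's side: answer req with the shared secret and state the identity.
func Respond(req Message, identity, secret string) Message {
	return Message{
		Code:       codeResponse,
		Identifier: req.Identifier, // must echo the Request identifier
		Type:       typeMD5,
		Value:      md5Response(req.Identifier, secret, req.Value),
		Name:       identity,
	}
}

// Verify is the gateway checking resp against the secret it holds for resp.Name.
func Verify(req, resp Message, secret string) bool {
	if req.Code != codeRequest || resp.Code != codeResponse || req.Type != typeMD5 ||
		resp.Type != typeMD5 || resp.Identifier != req.Identifier {
		return false
	}
	want := md5Response(req.Identifier, secret, req.Value)
	return subtle.ConstantTimeCompare(resp.Value, want) == 1
}

// Crack is what anyone who saw both messages can do afterwards: the exchange carries no
// salt or session key, so each candidate password costs one MD5 to test offline.
func Crack(req, resp Message, wordlist []string) (string, bool) {
	for _, candidate := range wordlist {
		if Verify(req, resp, candidate) {
			return candidate, true
		}
	}
	return "", false
}

func main() {
	// Constructed demo values, not from the guide.
	const identity, secret = "jdoe", "Winter2024!"
	req := NewChallenge(0x2a)
	resp := Respond(req, identity, secret)
	fmt.Printf("gateway accepts %s: %v\n", resp.Name, Verify(req, resp, secret))
	guess, ok := Crack(req, resp, []string{"password", "Summer2023", "Winter2024!", "letmein"})
	fmt.Printf("recovered from the captured exchange: %q (%v)\n", guess, ok)
}
```

Run it with go run. The same reasoning applies to EAP-GTC, which sends the token or password itself rather than a hash; both are acceptable only because IKEv2 wraps them in an encrypted exchange whose far end has already been authenticated by the gateway certificate.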


Modifying a Connection Entry

Change a VPN connection entry to correct a configuration error or comply with an IT policy change.

Note

You cannot modify the description or server address of connection entries downloaded from a secure gateway.

Procedure
    Step 1   From the AnyConnect home window, long-press the connection entry to display the Select Action window.
    Step 2   Tap Edit connection.

    The Connection Editor window displays the parameter values assigned to the connection entry.

    Step 3   Tap the value to be modified, use the on-screen keyboard to enter the new value, and tap OK.
    Step 4   Tap Done.

    AnyConnect saves the modified connection entry.


Delete a Connection Entry

This procedure deletes a manually configured VPN connection entry. The only way to remove a connection entry imported from a VPN secure gateway is to remove the downloaded AnyConnect profile that contains the connection entries.

Procedure
    Step 1   From the AnyConnect home window, long-press the connection entry to display the Select Action window.
    Step 2   Tap Delete connection.

Configure Certificates

About Certificates on Your Android Device

Certificates are used to digitally identify each end of the VPN connection: the secure gateway (the server) and the AnyConnect client (the user). A server certificate identifies the secure gateway to AnyConnect, and a user certificate identifies the AnyConnect user to the secure gateway. Certificates are issued by Certificate Authorities (CAs); the receiving side verifies a certificate by checking that it chains to a CA it already trusts.

When establishing a connection, AnyConnect always expects a server certificate from the secure gateway. The secure gateway expects a certificate from AnyConnect only if it has been configured to do so. Having the AnyConnect user enter credentials manually is another way to authenticate a VPN connection; the secure gateway can be configured to authenticate AnyConnect users with a digital certificate, with manually entered credentials, or with both. Certificate-only authentication allows VPNs to connect without user intervention.

Distribution and use of certificates by the secure gateway and your device are directed by your administrator. Follow the directions provided by your administrator to import, use, and manage server and user certificates for AnyConnect VPNs. The information and procedures in this document related to certificates and certificate management are provided for your understanding and reference.

AnyConnect stores both user and server certificates for authentication in its own certificate store on the Android device. The AnyConnect certificate store is managed from the Menu > Diagnostics > Certificate Management screen; you can also view Android System certificates there.

About User Certificates

In order for you, the AnyConnect user, to authenticate to the secure gateway using a digital certificate, you need a user certificate in the AnyConnect certificate store on your device. User certificates are imported using one of the following methods, as directed by your administrator:
  • Imported automatically after clicking a hyperlink provided by your administrator in an email or on a web page.

  • Imported manually by you from the device's file system, from the device's credential storage, or from a network server.

  • Imported when connecting to a secure gateway that has been configured by your administrator to provide you with a certificate.

Once imported, the certificate can be associated with a particular connection entry or selected automatically during connection establishment to authenticate.

You can delete user certificates from the AnyConnect store if they are no longer needed for authentication.

About Server Certificates

A server certificate received from the secure gateway during connection establishment automatically authenticates that server to AnyConnect if, and only if, it is both valid and trusted. Typically, a certificate is valid when it is well formed, within its validity period, and issued for the gateway address you connected to; it is trusted when it chains to a CA that AnyConnect or Android already trusts, or when that exact certificate has been imported into the AnyConnect store. Otherwise:

  • A valid but untrusted server certificate can be reviewed, authorized, and imported into the AnyConnect certificate store. Once a server certificate is imported into the AnyConnect store, subsequent connections to the server presenting this certificate are accepted automatically. Before importing, confirm the certificate's details (issuer, subject, and fingerprint) with your administrator, because from then on AnyConnect will trust that certificate without asking again.

  • An invalid certificate cannot be imported into the AnyConnect store. It can be accepted to complete the current connection, but this is not recommended: an expired, mismatched, or otherwise invalid certificate gives you no assurance that you are connecting to your organization's gateway rather than to an impostor that could collect your login credentials.

Server certificates in the AnyConnect store can be deleted if they are no longer needed for authentication.
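The three outcomes described above (trusted, valid but untrusted, invalid) map directly onto standard X.509 path validation. The Go program below is an added example written for this page, not AnyConnect code: it builds a private root CA and four gateway certificates as constructed test data (the gateway name vpn.example.com, the name other.example.com, "Example Corp Root CA" and the fixed clock are all assumptions, not values from the guide), classifies each the way the bullets describe, and applies the import rule that only a valid but untrusted certificate may be pinned. Go's crypto/x509 reports an unknown issuer as a different error from an expired certificate or a hostname mismatch, which is exactly the distinction the guide draws.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The three outcomes the guide describes for a gateway (server) certificate.
const (
	Trusted           = "trusted"             // chains to a trusted CA, or was imported earlier
	ValidButUntrusted = "valid but untrusted" // in date and issued for this host, but unknown issuer
	Invalid           = "invalid"             // expired, not yet valid, or issued for another host
)

// GatewayStore stands in for the AnyConnect server-certificate store: the CA roots the
// client trusts plus SHA-256 fingerprints of the exact leaf certificates the user imported.
type GatewayStore struct {
	Roots    *x509.CertPool
	Imported map[[32]byte]bool
}

// Classify decides what to do with the leaf certificate a gateway presented for host.
func (s *GatewayStore) Classify(leaf *x509.Certificate, host string, now time.Time) string {
	inDate := !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter)
	nameOK := leaf.VerifyHostname(host) == nil
	// An imported leaf needs no CA chain. Still holding it to its dates and host is a
	// deliberately stricter reading of the guide's "automatically accepted".
	if s.Imported[sha256.Sum256(leaf.Raw)] && inDate && nameOK {
		return Trusted
	}
	// Full path validation: validity period, hostname, then a chain to a trusted root.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: s.Roots, DNSName: host, CurrentTime: now})
	if err == nil {
		return Trusted
	}
	// Only an unknown issuer separates "untrusted" from "invalid": the certificate itself
	// is sound, so the user may review it and choose to import it. Anything else is invalid.
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) && inDate && nameOK {
		return ValidButUntrusted
	}
	return Invalid
}

// Import pins a leaf. As in the guide, only a valid but untrusted certificate qualifies.
func (s *GatewayStore) Import(leaf *x509.Certificate, host string, now time.Time) error {
	if v := s.Classify(leaf, host, now); v != ValidButUntrusted {
		return fmt.Errorf("refusing to import %s certificate for %s", v, host)
	}
	s.Imported[sha256.Sum256(leaf.Raw)] = true
	return nil
}

// issue builds a constructed test certificate for the example; parent == nil means self-signed.
func issue(name string, from, to time.Time, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, NotBefore: from,
		NotAfter: to, BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // fixed clock so the expired case is stable
	gateway := "vpn.example.com"                          // assumed gateway name, not from the guide
	root, rootKey := issue("Example Corp Root CA", now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0), true, nil, nil)
	store := &GatewayStore{Roots: x509.NewCertPool(), Imported: map[[32]byte]bool{}}
	store.Roots.AddCert(root)
	caIssued, _ := issue(gateway, now.Add(-time.Hour), now.AddDate(1, 0, 0), false, root, rootKey)
	selfSigned, _ := issue(gateway, now.Add(-time.Hour), now.AddDate(1, 0, 0), false, nil, nil)
	expired, _ := issue(gateway, now.AddDate(-1, 0, 0), now.Add(-time.Hour), false, nil, nil)
	wrongName, _ := issue("other.example.com", now.Add(-time.Hour), now.AddDate(1, 0, 0), false, nil, nil)
	fmt.Println("CA-issued:  ", store.Classify(caIssued, gateway, now))
	fmt.Println("self-signed:", store.Classify(selfSigned, gateway, now))
	fmt.Println("expired:    ", store.Classify(expired, gateway, now), "| import:", store.Import(expired, gateway, now))
	fmt.Println("wrong name: ", store.Classify(wrongName, gateway, now))
	fmt.Println("self-signed after import:", store.Import(selfSigned, gateway, now), store.Classify(selfSigned, gateway, now))
}
```

Run it with go run. One design choice worth noting: a pinned certificate is keyed by its full SHA-256 fingerprint, so a later certificate from the same gateway, even one with the same subject, is classified afresh rather than inheriting the earlier approval, and the same pinned certificate presented under a different host name is rejected.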

Importing Certificates from Hyperlinks

Your administrator will provide you with a hyperlink to install a certificate on your device. Only tap certificate links that you know came from your administrator.

Before You Begin

Set External Control to either Prompt or Enable within the AnyConnect settings.

Procedure
    Step 1   Tap the hyperlink provided by your administrator.

    The link may be included in an email or published on an intranet web page.

    Step 2   If prompted, provide the authentication code for the certificate that was provided to you.

    The certificate is installed in the AnyConnect certificate store on your Android device and can be viewed, assigned to a connection entry, or removed.


Importing Certificates Manually

The following explains all possible options for manually importing a user certificate to the AnyConnect store for VPN authentication purposes.

Before You Begin

Obtain the specific certificate import procedures from your administrator.

Procedure
    Step 1   From the AnyConnect home window, tap Menu > Diagnostics > Certificate Management.
    Step 2   Tap the User tab.
    Step 3   Tap Import to import a certificate.
    Step 4   Select your import source:
    • Tap File System to import a certificate file from the local file system.
    • Tap Network Location (URI) to import a certificate from a server on the network.
    • Tap Device Credential Storage to link to a certificate currently in the Device Credential Storage.

      The source certificate is not actually copied into the AnyConnect certificate store; AnyConnect keeps only a link to it. If the certificate is removed from Credential Storage, the link to the certificate is also removed.

      Note
      • This option is available only on devices running Android 4.0 (Ice Cream Sandwich) or later.

      • When attempting to import a certificate from the Device Credential Storage on Android 4.1 (Jelly Bean), the client shows the error message "This feature is not supported on this version of Android." Import the certificate directly into the AnyConnect store instead of using the Android native store.

Importing Certificates Provided by a Secure Gateway

Before You Begin

Your administrator configures a secure gateway to enable the distribution of certificates and provides you with connection information to that secure gateway.

Procedure
    Step 1   Open AnyConnect.
    Step 2   In the Choose a connection area, tap the name of the connection capable of downloading a certificate to your mobile device.
    Step 3   If present, tap Get Certificate, or select the group configured to download a certificate to your mobile device.
    Step 4   Enter authentication information provided by your administrator.

    The secure gateway downloads the certificate to your device. Your VPN session is disconnected, and you receive the message that certificate enrollment was successful.

Viewing Certificates

View user and server certificates that have been imported into the AnyConnect certificate store, and Android system certificates.

Procedure
    Step 1   From the AnyConnect home window, tap Menu > Diagnostics > Certificate Management.
    Step 2   Tap the User or Server tab to view certificates in the AnyConnect certificate store.

    Long-press a certificate and tap:
    • View certificate details to see the contents of a certificate.

    • Delete certificate to remove this certificate from the AnyConnect store.

    Step 3   Tap the System tab to view certificates in the Android Credential Storage.

    Long-press a certificate and tap View certificate details to see the contents of a certificate.


Removing Certificates

Certificates can be removed from the AnyConnect certificate store only; certificates in the System certificate store cannot be removed from within AnyConnect.

Certificates are deleted individually or cleared from the AnyConnect certificate store all at once.

Deleting a Single Certificate

Procedure
    Step 1   From the AnyConnect home window, tap Menu > Diagnostics > Certificate Management.
    Step 2   Tap the User or Server tab to display user or server certificates in the AnyConnect certificate store.
    Step 3   Long-press a certificate.

    The Certificate Options display.

    Step 4   Choose Delete certificate and confirm that you want to delete this particular certificate.

Clearing All Certificates

Procedure
    Step 1   From the AnyConnect home window, tap Menu > Diagnostics > Certificate Management.
    Step 2   Tap the User or Server tab to display user or server certificates in the AnyConnect certificate store.
    Step 3   Tap Clear All to remove all certificates from the AnyConnect certificate store.