Android User Guide for Cisco AnyConnect Secure Mobility Client, Release 3.0.x
Configuring a VPN Connection

Overview of AnyConnect Configuration

AnyConnect requires the following information for configuring VPN connectivity:

  • An address to a secure gateway for access to your network.
  • Authentication information to successfully complete your connection, in the form of a username and password, a digital certificate, or both.

Configure your AnyConnect client as directed by your administrator; contact your administrator if you do not have clear instructions. Your administrator provides you with one of the following:

  • Addressing and authentication information, and other connection attributes if needed, to manually configure your device.
  • Procedures to automate configuration using this information.

You, the AnyConnect user, should be familiar with:

  • Connection entries: VPN connections configured on your device. These are configured manually or automatically and are listed on the AnyConnect home screen. The current active connection entry is identified in the AnyConnect VPN panel on the app's home screen.
  • How to establish a VPN connection: you can do this manually by tapping the connection entry in the connection list, or by tapping the checkbox or slider in the AnyConnect VPN panel. VPN connections can also be made automatically using procedures provided by your administrator.
  • The authentication method used to establish a connection: this may mean remembering your username and password or importing and assigning a user certificate to a connection entry.

AnyConnect is a sophisticated networking application that also allows you to carry out the following activities:

  • Set preferences for the application, controlling the appearance and operation of AnyConnect.
  • Use diagnostic tools and management facilities on your device as recommended by your administrator.

About AnyConnect Connection Entries

A connection entry specifies a secure gateway that is accessible to this device, as well as other connection attributes. Connection entries are configured in the following ways:

  • Added automatically: After clicking a link provided by your administrator to configure connection entries.
  • Manually configured: You must know the address of the secure gateway to your network. The address is the domain name or the IP address of the secure gateway; it may also specify a group that you are connecting to.

Connection entries are also defined in an AnyConnect client profile that is downloaded from a Cisco ASA secure gateway upon connectivity.

Adding Connection Entries from Hyperlinks

Your administrator will provide you with a hyperlink to add a connection entry.

Before You Begin

Set External Control to either Prompt or Enable within the AnyConnect settings.

Procedure
Tap the hyperlink provided by your administrator.

The link may be included in an e-mail or published on an intranet web page.

The connection entry is added to your list of connections on the AnyConnect home window.


Adding Connection Entries Manually

Add a VPN connection entry to identify the VPN secure gateway to which you want to connect.

Procedure
    Step 1   From the AnyConnect home window, tap Add new VPN Connection to open the Connection Editor.

    You can cancel out of the Connection Editor window at any time.

    Step 2   (Optional) Choose Description to enter a descriptive name for the connection entry.

    Enter a unique name for this connection entry. If not specified, the Server Address is used as the default. Use any letters, spaces, numbers, or symbols on the keyboard display. This field is case-sensitive.

    Step 3   Choose Server Address to enter the address of the secure gateway.

    Enter the domain name or IP address of the secure gateway, including a group if specified by your administrator.

    Step 4   (Optional) Tap Advanced Preferences to change advanced certificate and protocol settings.

    You can cancel out of the Advanced Connection Editor window at any time.

    Step 5   (Optional) Tap Certificate to specify how user certificates are used for this connection.
    • Tap Disabled to specify that certificates will not be used for this connection.
    • Tap Automatic to specify that a certificate will be used to establish a connection only if it is required by the secure gateway.
    • Tap the certificate that your administrator instructs you to use.

    Your administrator will provide you with instructions for installing a user certificate on your mobile device if one is necessary to establish a VPN session. Tap any certificate in the list to view its details.

    Step 6   (Optional) Tap Connect with IPsec to use IPsec instead of SSL for this VPN connection.

    This connection attribute is provided to you by your administrator.

    The Authentication parameter becomes active if you choose IPsec for your VPN connection protocol.

    Step 7   (Optional) Tap Authentication and choose the authentication method for this IPsec connection.

    This connection attribute is provided to you by your administrator.

    • EAP-AnyConnect (default authentication option)
    • IKE-RSA
    • EAP-GTC
    • EAP-MD5
    • EAP-MSCHAPv2

    Your authentication option is shown in the Advanced Connection Editor window.

    Step 8   (Optional) If you have specified EAP-GTC, EAP-MD5, or EAP-MSCHAPv2 to be used for authentication, tap IKE Identity to enter the identity information given to you by your administrator.
    Step 9   Tap Done in both the Advanced Connection Editor window and the Connection Editor window to save the connection values.

    AnyConnect adds the new connection entry to the list in the home window.


    About User Certificates

    In order for you, the AnyConnect user, to authenticate to the secure gateway using a digital certificate, you need a user certificate in the AnyConnect certificate store on your device. User certificates are imported using one of the following methods, as directed by your administrator:
    • Imported automatically after clicking a hyperlink provided by your administrator in an e-mail or on a web page.
    • Imported manually by you from the device's file system, from the device's credential storage, or from a network server.
    • Imported when connecting to a secure gateway that has been configured by your administrator to provide you with a certificate.

    Once imported, the certificate can be associated with a particular connection entry or selected automatically during connection establishment to authenticate.

    You can delete user certificates from the AnyConnect store if they are no longer needed for authentication.

    Importing Certificates from Hyperlinks

    Your administrator will provide you with a hyperlink to install a certificate on your device.

    Before You Begin

    Set External Control to either Prompt or Enable within the AnyConnect settings.

    Procedure
      Step 1   Tap the hyperlink provided by your administrator.

      The link may be included in an e-mail or published on an intranet web page.

      Step 2   If prompted, provide the authentication code for the certificate that was provided to you.

      The certificate is installed in the AnyConnect certificate store on your Android device and can be viewed, assigned to a connection entry, or removed.


      Importing Certificates Manually

      The following explains all possible options for manually importing a user certificate to the AnyConnect store for VPN authentication purposes.

      Before You Begin

      Obtain the specific certificate import procedures from your administrator.

      Procedure
        Step 1   From the AnyConnect home window, tap Menu > Diagnostics > Certificate Management.
        Step 2   Tap the User tab.
        Step 3   Tap Import to import a certificate.
        Step 4   Select your import source:
        • Tap File System to import a certificate file from the local file system.
        • Tap Network Location (URI) to import a certificate from a server on the network.
        • Tap Device Credential Storage to link to a certificate currently in the Device Credential Storage.

          The source certificate is not actually copied into the AnyConnect certificate store. If the certificate is removed from Credential Storage, the link to the certificate will also be removed.

          Note   
          • This option is available only on devices running Android 4.0 (Ice Cream Sandwich) or later.
          • When attempting to import a certificate from the Device Credential Storage on Android 4.1 (Jelly Bean), the client shows the error message "This feature is not supported on this version of Android". Import the certificate directly into the AnyConnect store instead of using the Android native store.


        Importing Certificates Provided by a Secure Gateway

        Before You Begin

        Your administrator configures a secure gateway to enable the distribution of certificates and provides you with connection information to that secure gateway.

        Procedure
          Step 1   Open AnyConnect.
          Step 2   In the Choose a connection area, tap the name of the connection capable of downloading a certificate to your mobile device.
          Step 3   If present, tap Get Certificate, or select the group configured to download a certificate to your mobile device.
          Step 4   Enter authentication information provided by your administrator.

          The secure gateway downloads the certificate to your device. Your VPN session is disconnected, and you receive the message that certificate enrollment was successful.
