Document ID: 113572
Updated: Jun 28, 2012
Contributed by Atri Basu and Rahul Govindan, Cisco TAC Engineers.
Introduction
L2TP over IPSec provides the capability to deploy and administer an L2TP VPN solution alongside the IPSec VPN and firewall services in a single platform. The primary benefit of the configuration of L2TP over IPSec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required. This document provides a sample configuration for the native l2tp-IPSec Android client. It takes you through all the necessary commands required on the ASA, as well as the steps to be taken on the Android device itself.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- Android L2TP/IPsec requires ASA version 8.2.5 or later, 8.3.2.12 or later, or 8.4.1 or later.
- The ASA supports SHA2 certificate signatures for Microsoft Windows 7 and Android-native VPN clients that use the L2TP/IPsec protocol.
Components Used
The information in this document is based on ASA version 8.2.5 or later, 8.3.2.12 or later, 8.4.1 or later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
How do I configure the Native L2TP-IPSec Android client to work with an ASA?
This section describes the information you need to configure the features described in this document.
Configure
Configure the L2TP/IPSec Connection on the Android
Complete these steps in order to configure the L2TP/IPSec connection on the Android:
1. Open the menu, and choose Settings.
2. Choose Wireless and Network or Wireless Controls. (The available option depends on your version of Android.)
3. Choose VPN Settings.
4. Choose Add VPN.
5. Choose Add L2TP/IPsec PSK VPN.
6. Choose VPN Name, and enter a descriptive name.
7. Choose Set VPN Server, and enter a descriptive name.
8. Choose Set IPSec pre-shared key.
9. Uncheck Enable L2TP secret.
10. Open the menu, and choose Save.
Configure the L2TP/IPSec connection on ASA
These are the required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP over IPsec protocol:
- IKEv1 phase 1—3DES encryption with SHA1 hash method
- IPsec phase 2—3DES or AES encryption with MD5 or SHA hash method
- PPP Authentication—PAP, MS-CHAPv1, or MSCHAPv2 (preferred)
- Pre-shared key
Note: The ASA supports only the PPP authentications PAP and Microsoft CHAP, versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will be unable to connect. Furthermore, Android does not support PAP, and since LDAP does not support MS CHAP, LDAP is not a viable authentication mechanism. The only way around this is to use Radius. You can refer to Cisco bug CSCtw58945 (registered customers only) for details regarding issues with MS CHAP and LDAP.
Complete these steps in order to configure the L2TP/IPSec connection on ASA:
1. Define a local address pool or use a dhcp-server for the adaptive security appliance to allocate IP addresses to the clients for the group policy.
2. Create an internal group-policy.
3. Define the tunnel protocol to be l2tp-ipsec.
4. Configure a DNS server to be used by the clients.
5. Either create a new tunnel group or modify the attributes of the existing DefaultRAGroup. (A new tunnel group can be used if the IPSec identifier is set to the group name on the phone; see step 10 for the phone configuration.)
6. Define the general attributes of the tunnel group that is used.
7. Map the defined group policy to this tunnel group.
8. Map the defined address pool to be used by this tunnel group.
9. Modify the authentication-server group if you want to use something other than LOCAL.
10. Define the pre-shared key under the IPSec attributes of the tunnel group that is used.
11. Modify the ppp attributes of the tunnel group that is used so that only chap, ms-chap-v1 and ms-chap-v2 are used.
12. Create a transform set with a specific ESP encryption type and authentication type.
13. Instruct IPSec to use transport mode rather than tunnel mode.
14. Define an ISAKMP/IKEv1 policy using 3DES encryption with SHA1 hash method.
15. Create a dynamic crypto map, and map it to a crypto map.
16. Apply the crypto map to an interface.
17. Enable ISAKMP on that interface.
Configurations
This example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:
ASA 8.2.5 or Later Configuration Example

```text
username <name> password <passwd> mschap
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value <dns_server>
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
```
ASA 8.3.2.12 or Later Configuration Example

```text
username <name> password <passwd> mschap
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value <dns_server>
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
```
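The configuration steps above are easy to get subtly wrong (an address pool referenced under a name that was never defined, a transform set left in tunnel mode, PAP left enabled), and a mistake usually shows up only as a failed phase 2 or PPP negotiation on the phone. The following script is an added example, not part of the Cisco document: it parses a `show running-config` style ASA configuration and reports every departure from the requirements listed in this document (l2tp-ipsec tunnel protocol, resolvable pool and group-policy references, PAP off and MS-CHAPv2 on, 3DES/AES with MD5/SHA in transport mode, ISAKMP/IKEv1 enabled on the interface carrying the crypto map, and a pre-share/3des/sha phase 1 policy). It assumes the subcommand indentation that `show run` prints, and the embedded sample config is constructed from the 8.3.2.12 example with an assumed `outside` interface name; it accepts both the `crypto isakmp` (8.2.5) and `crypto ikev1` (8.3.2.12 and later) spellings.

```python
"""Audit an ASA show-run style config for the L2TP/IPsec native-client requirements."""
import re

PHASE2_ENC = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}  # 3DES or AES
PHASE2_HASH = {"esp-md5-hmac", "esp-sha-hmac"}                        # MD5 or SHA

# Constructed sample modelled on the page's 8.3.2.12-or-later example; the
# interface name "outside" and the pool range are assumptions, not from a real device.
SAMPLE_CONFIG = """\
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

def parse_blocks(text):
    """Group each top-level command with the indented subcommands that follow it."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def check_config(text):
    """Return a list of findings; an empty list means the page's requirements are met."""
    blocks = parse_blocks(text)
    top = [cmd for cmd, _ in blocks]
    findings = []
    # Group policy must permit the l2tp-ipsec tunnel protocol.
    l2tp_policies = {c.split()[1] for c, subs in blocks if c.startswith("group-policy ")
                     and any("l2tp-ipsec" in s.split() for s in subs if s.startswith("vpn-tunnel-protocol"))}
    if not l2tp_policies:
        findings.append("no group-policy sets vpn-tunnel-protocol l2tp-ipsec")
    # Tunnel group: policy and pool references must resolve, PAP off, MS-CHAPv2 on.
    pools = {c.split()[3] for c in top if c.startswith("ip local pool ")}
    for cmd, subs in blocks:
        if not cmd.startswith("tunnel-group "):
            continue
        tg = cmd.split()[1]
        ref = lambda key: next((s.split()[1] for s in subs if s.startswith(key)), None)
        if cmd.endswith(" general-attributes"):
            if ref("default-group-policy ") not in l2tp_policies:
                findings.append(f"tunnel-group {tg}: default-group-policy does not allow l2tp-ipsec")
            if ref("address-pool ") not in pools:
                findings.append(f"tunnel-group {tg}: address-pool {ref('address-pool ')!r} is not defined")
        elif cmd.endswith(" ppp-attributes"):
            if "no authentication pap" not in subs:
                findings.append(f"tunnel-group {tg}: PAP authentication is still enabled")
            if "authentication ms-chap-v2" not in subs:
                findings.append(f"tunnel-group {tg}: MS-CHAPv2 is not enabled")
    # Phase 2: transform sets must use 3DES/AES with MD5/SHA, and transport mode.
    ts_algos, ts_transport = {}, set()
    for m in (re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", c) for c in top):
        if m and m.group(2) == "mode transport":
            ts_transport.add(m.group(1))
        elif m and not m.group(2).startswith("mode "):
            ts_algos[m.group(1)] = set(m.group(2).split())
    for name, algos in ts_algos.items():
        if not (algos & PHASE2_ENC) or not (algos & PHASE2_HASH):
            findings.append(f"transform-set {name}: {' '.join(sorted(algos))} is not 3DES/AES with MD5/SHA")
        if name not in ts_transport:
            findings.append(f"transform-set {name}: mode transport not set (L2TP/IPsec needs it)")
    # The crypto map must sit on an interface where ISAKMP/IKEv1 is enabled.
    ike_ifaces = {c.split()[-1] for c in top if re.match(r"crypto (?:isakmp|ikev1) enable \S+$", c)}
    for m in (re.match(r"crypto map \S+ interface (\S+)", c) for c in top):
        if m and m.group(1) not in ike_ifaces:
            findings.append(f"interface {m.group(1)}: crypto map applied but ISAKMP/IKEv1 is not enabled")
    # Phase 1: at least one ISAKMP/IKEv1 policy with pre-shared key, 3DES and SHA1.
    if not any({"authentication pre-share", "encryption 3des", "hash sha"} <= set(subs)
               for c, subs in blocks if re.match(r"crypto (?:isakmp|ikev1) policy \d+", c)):
        findings.append("no ISAKMP/IKEv1 policy offers pre-share + 3des + sha for phase 1")
    return findings

if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["OK: config meets the L2TP/IPsec requirements"]:
        print(line)
```

Run it as-is to check the embedded sample, or replace `SAMPLE_CONFIG` with the text of `show running-config` from your own ASA. The checks are deliberately whitelist-style: a transform set that negotiates anything other than the 3DES/AES and MD5/SHA combinations this document lists, or that is missing `mode transport`, is reported even if the ASA accepts the command, because the native Android client will not match it.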
Verify
Connect
1. Open the menu, and choose Settings.
2. Select Wireless and Network or Wireless Controls. (The available option depends on your version of Android.)
3. Select the VPN configuration from the list.
4. Enter your username and password.
5. Select Remember username.
6. Select Connect.
Disconnect
1. Open the menu, and choose Settings.
2. Select Wireless and Network or Wireless Controls. (The available option depends on your version of Android.)
3. Select the VPN configuration from the list.
4. Select Disconnect.
Confirm
Use these commands to confirm that your connection works properly.
- show run crypto isakmp—For ASA version 8.2.5
- show run crypto ikev1—For ASA version 8.3.2.12 or later
- show vpn-sessiondb ra-ikev1-ipsec—For ASA version 8.3.2.12 or later
- show vpn-sessiondb remote—For ASA version 8.2.5
Known Caveats
- CSCtq21535 (registered customers only)—ASA traceback when connecting with Android L2TP/IPsec client
- CSCtj57256 (registered customers only)—L2TP/IPSec connection from Android doesn't establish to the ASA55xx
- CSCtw58945 (registered customers only)—L2TP over IPSec connections fail with ldap authorization and mschapv2
Related Information
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.
