ASA and Native L2TP IPSec Android Client Configuration Example



Similar documents
Configuring L2TP over IPsec

Configuring L2TP over IPSec

Application Note: Onsight Device VPN Configuration V1.1

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Expert Reference Series of White Papers. Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

7.1. Remote Access Connection

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Understanding the Cisco VPN Client

How to configure VPN function on TP-LINK Routers

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

How to configure VPN function on TP-LINK Routers

Introduction to Security and PIX Firewall

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

Case Study for Layer 3 Authentication and Encryption

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

How To Configure L2TP VPN Connection for MAC OS X client

REMOTE ACCESS VPN NETWORK DIAGRAM

MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access

VPN. VPN For BIPAC 741/743GE

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

TABLE OF CONTENTS NETWORK SECURITY 2...1

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Joe Davies Principal Writer Windows Server Documentation

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Virtual Private Network and Remote Access Setup

Behavioral Differences Regarding DNS Queries and Domain Name Resolution in Different OSs

VPN Configuration Guide. Cisco ASA 5500 Series

Cisco Which VPN Solution is Right for You?

Configuring GTA Firewalls for Remote Access

Table of Contents. Cisco Cisco VPN Client FAQ

Configuring the OfficeConnect Secure Gateway for a remote L2TP over IPSec connection

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

ASA Remote Access VPN with OCSP Verification under Microsoft Windows 2012 and OpenSSL

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

Case Study - Configuration between NXC2500 and LDAP Server

IP Office Technical Tip

Lab a Configure Remote Access Using Cisco Easy VPN

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Implementing Cisco IOS Network Security

Firewalls. Outlines: By: Arash Habibi Lashkari July Network Security 06

Wireless Network Configuration Guide

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

VPN. Date: 4/15/2004 By: Heena Patel

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Common Remote Service Platform (crsp) Security Concept

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

Nokia Mobile VPN How to configure Nokia Mobile VPN for Cisco ASA with PSK/xAuth authentication

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

(d-5273) CCIE Security v3.0 Written Exam Topics

SECURITY CONCERNS OF THE CISCO ASA USING MICROSOFT IAS RADIUS

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

Virtual Private Network and Remote Access

Scenario: Remote-Access VPN Configuration

Scenario: IPsec Remote-Access VPN Configuration

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

VPN Tracker for Mac OS X

Dlink DFL 800/1600 series: Using the built-in MS L2TP/IPSEC VPN client with certificates

University Computing & Telecommunications Virtual Private Networking: How To/Self- Help Guide Windows 8.1 Operating System.

IPsec VPN Application Guide REV:

Configuring WPA-Enterprise/WPA2 with Microsoft RADIUS Authentication

FortiOS Handbook - IPsec VPN VERSION 5.2.2

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

Creating a Gateway to Gateway VPN between Sidewinder G2 and Linux

Sophos UTM. Remote Access via IPsec. Configuring UTM and Client

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

Configuring Security Solutions

Configuring Remote Access IPSec VPNs

SSL SSL VPN

VPN SECURITY POLICIES

Securing Networks with Cisco Routers and Switches ( )

Chapter 8 Virtual Private Networking

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

Network Security 1 Module 4 Trust and Identity Technology

VPN s and Mobile Apps for Security Camera Systems: EyeSpyF-Xpert

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

For paid computer support call

Installation and Configuration Guide

Godinich Consulting. VPN's Between Mikrotik and 3rd Party Devices

Creating a VPN Using Windows 2003 Server and XP Professional

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

FortiOS Handbook IPsec VPN for FortiOS 5.0

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

SMS PASSCODE CONFIGURATION FOR CISCO ASA / RADIUS AUTHENTICATION SMS PASSCODE 2011

Implementing Core Cisco ASA Security (SASAC)

Configuring a VPN between a Sidewinder G2 and a NetScreen

Transcription:

ASA and Native L2TP IPSec Android Client Configuration Example Document ID: 113572 Contributed by Atri Basu and Rahul Govindan, Cisco TAC Engineers. Oct 29, 2013 Contents Introduction Prerequisites Requirements Components Used Configure Configure the L2TP/IPSec Connection on the Android Configure the L2TP/IPSec Connection on ASA Configuration File Commands for ASA Compatibility ASA 8.2.5 or Later Configuration Example ASA 8.3.2.12 or Later Configuration Example Verify Known Caveats Related Information Introduction Layer 2 Tunneling Protocol (L2TP) over IPSec provides the capability to deploy and administer an L2TP VPN solution alongside the IPSec VPN and firewall services in a single platform. The primary benefit of the configuration of L2TP over IPSec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually any place with plain old telephone service (POTS). An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial Up Networking (DUN). No additional client software, such as the Cisco VPN client software, is required. This document provides a sample configuration for the native L2TP/IPSec Android client. It takes you through all the necessary commands required on a Cisco Adaptive Security Appliance (ASA), as well as the steps to be taken on the Android device itself. Prerequisites Requirements There are no specific requirements for this document. Components Used The information in this document is based on the following software and hardware versions:

Android L2TP/IPSec requires Cisco ASA software version 8.2.5 or later, version 8.3.2.12 or later, or version 8.4.1 or later. ASA supports Secure Hash Algorithm 2 (SHA2) certificate signature support for Microsoft Windows 7 and Android native VPN clients when the L2TP/IPSec protocol is used. See Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6: Configuring L2TP over IPSec: Licensing Requirements for L2TP over IPSec. The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Configure This section describes the information one would need in order to configure the features described in this document. Configure the L2TP/IPSec Connection on the Android This procedure describes how to configure the L2TP/IPSec connection on the Android: 2. Choose Wireless and Network or Wireless Controls. The available option depends on your version of Android. 3. Choose VPN Settings. 4. Choose Add VPN. 5. Choose Add L2TP/IPsec PSK VPN. 6. Choose VPN Name, and enter a descriptive name. 7. Choose Set VPN Server, and enter a descriptive name. 8. Choose Set IPSec pre shared key. 9. Uncheck Enable L2TP secret. 10. [Optional] Set the IPSec identifier as the ASA tunnel group name. No setting means it will fall into DefaultRAGroup on the ASA. 11. Open the menu, and choose Save. Configure the L2TP/IPSec Connection on ASA These are the required ASA Internet Key Exchange Version 1 (IKEv1) (Internet Security Association and Key Management Protocol [ISAKMP]) policy settings that allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA when L2TP over IPSec protocol is used: IKEv1 phase 1 Triple Data Encryption Standard (3DES) encryption with SHA1 hash method IPSec phase 2 3DES or Advanced Encryption Standard (AES) encryption with Message Digest 5 (MD5) or SHA hash method PPP Authentication Password Authentication Protocol (PAP), Microsoft Challenge Handshake Authentication Protocol version 1 (MS CHAPv1), or MS CHAPv2 (preferred) Pre shared key Note: The ASA supports only the PPP authentications PAP and MS CHAP (versions 1 and 2) on the local database. The Extensible Authentication Protocol (EAP) and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap proxy or authentication chap commands and if the ASA is configured to use the local database, that user will be unable to connect.

Furthermore, Android does not support PAP and, because Lightweight Directory Access Protocol (LDAP) does not support MS CHAP, LDAP is not a viable authentication mechanism. The only workaround is to use RADIUS. See Cisco Bug ID CSCtw58945, "L2TP over IPSec connections fail with ldap authorization and mschapv2," for further details on issues with MS CHAP and LDAP. This procedure describes how to configure the L2TP/IPSec connection on the ASA: 1. Define a local address pool or use a dhcp server for the adaptive security appliance in order to allocate IP addresses to the clients for the group policy. 2. Create an internal group policy. 1. Define the tunnel protocol to be l2tp ipsec. 2. Configure a domain name server (DNS) to be used by the clients. 3. Create a new tunnel group or modify the attributes of the existing DefaultRAGroup. (A new tunnel group can be used if the IPSec identifier is set as group name on the phone; see step 10 for the phone configuration.) 4. Define the general attributes of the tunnel group that are used. 1. Map the defined group policy to this tunnel group. 2. Map the defined address pool to be used by this tunnel group. 3. Modify the authentication server group if you want to use something other than LOCAL. 5. Define the pre shared key under the IPSec attributes of the tunnel group to be used. 6. Modify the PPP attributes of the tunnel group that are used so that only chap, ms chap v1 and ms chap v2 are used. 7. Create a transform set with a specific encapsulating security payload (ESP) encryption type and authentication type. 8. Instruct IPSec to use transport mode rather than tunnel mode. 9. Define an ISAKMP/IKEv1 policy using 3DES encryption with SHA1 hash method. 10. Create a dynamic crypto map, and map it to a crypto map. 11. Apply the crypto map to an interface. 12. Enable ISAKMP on that interface. Configuration File Commands for ASA Compatibility Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section. This example shows the configuration file commands that ensure ASA compatibility with a native VPN client on any operating system. ASA 8.2.5 or Later Configuration Example Username <name> password <passwd> mschap ip local pool l2tp ipsec_address 192.168.1.1 192.168.1.10 group policy l2tp ipsec_policy internal group policy l2tp ipsec_policy attributes dns server value <dns_server> vpn tunnel protocol l2tp ipsec tunnel group DefaultRAGroup general attributes default group policy l2tp ipsec_policy address pool l2tp ipsec_address tunnel group DefaultRAGroup ipsec attributes pre shared key * tunnel group DefaultRAGroup ppp attributes no authentication pap authentication chap authentication ms chap v1 authentication ms chap v2 crypto ipsec transform set trans esp 3des esp sha hmac

crypto ipsec transform set trans mode transport crypto dynamic map dyno 10 set transform set set trans crypto map vpn 65535 ipsec isakmp dynamic dyno crypto map vpn interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre share encryption 3des hash sha group 2 lifetime 86400 ASA 8.3.2.12 or Later Configuration Example Username <name> password <passwd> mschap ip local pool l2tp ipsec_address 192.168.1.1 192.168.1.10 group policy l2tp ipsec_policy internal group policy l2tp ipsec_policy attributes dns server value <dns_server> vpn tunnel protocol l2tp ipsec tunnel group DefaultRAGroup general attributes default group policy l2tp ipsec_policy address pool l2tp ipsec_addresses tunnel group DefaultRAGroup ipsec attributes pre shared key * tunnel group DefaultRAGroup ppp attributes no authentication pap authentication chap authentication ms chap v1 authentication ms chap v2 crypto ipsec ikev1 transform set my transform set ikev1 esp 3des esp sha hmac crypto ipsec ikev1 transform set my transform set ikev1 mode transport crypto dynamic map dyno 10 set ikev1 transform set my transform set ikev1 crypto map vpn 20 ipsec isakmp dynamic dyno crypto map vpn interface outside crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre share encryption 3des hash sha group 2 lifetime 86400 Verify Use this section to confirm that your configuration works properly. This procedure describes how to set up the connection: 2. Select Wireless and Network or Wireless Controls. (The available option depends on your version of Android.) 3. Select the VPN configuration from the list. 4. Enter your username and password. 5. Select Remember username. 6. Select Connect. This procedure describes how to disconnect:

2. Select Wireless and Network or Wireless Controls. (The available option depends on your version of Android.) 3. Select the VPN configuration from the list. 4. Select Disconnect. Use these commands in order to confirm that your connection works properly. show run crypto isakmp For ASA version 8.2.5 show run crypto ikev1 For ASA version 8.3.2.12 or later show vpn sessiondb ra ikev1 ipsec For ASA version 8.3.2.12 or later show vpn sessiondb remote For ASA version 8.2.5 Note: The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output. Known Caveats Cisco bug ID CSCtq21535, "ASA traceback when connecting with Android L2TP/IPsec client" Cisco bug ID CSCtj57256, "L2TP/IPSec connection from Android doesn't establish to the ASA55xx" Cisco bug ID CSCtw58945, "L2TP over IPSec connections fail with ldap authorization and mschapv2" Related Information Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6: Configuring L2TP over IPsec Release Notes for the Cisco ASA 5500 Series, Version 8.4(x) Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3: Information about NAT ASA Pre 8.3 to 8.3 NAT Configuration Examples Technical Support & Documentation Cisco Systems Updated: Oct 29, 2013 Document ID: 113572

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information