L2TP over IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform.

The primary benefit of configuring L2TP over IPsec in a remote access scenario is that remote users can reach the VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anywhere with POTS. An additional benefit is that the only client requirement for VPN access is a client built into the endpoint's operating system, such as Microsoft Dial-Up Networking (DUN) on Windows or the native VPN client on Android; no additional client software, such as the Cisco VPN client, is required.

This document provides a sample configuration for the native L2TP/IPsec client on Android. It takes you through all the commands required on the ASA as well as the steps to be taken on the Android device itself.
Ensure that you meet these requirements before you attempt this configuration:
Android L2TP/IPsec requires ASA version 8.2.5 or greater, 18.104.22.168 or greater, 8.4.1 or greater
ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.
This section describes the information you need to configure the features described in this document.
To configure the L2TP/IPsec connection on the Android device:
Open the menu and choose Settings
Select Wireless and Network or Wireless Controls, depending on your version of Android
Select VPN Settings
Select Add VPN
Select Add L2TP/IPsec PSK VPN
Select VPN Name and type in a descriptive name
Select Set VPN Server and enter the IP address or hostname of the ASA interface the crypto map is applied to (the outside interface in the example below)
Select Set IPSec pre-shared key
Uncheck Enable L2TP secret
Open the menu and choose Save
To configure the L2TP/IPSec connection on ASA:
These are the ASA IKEv1 (ISAKMP) policy settings required for native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP over IPsec:
IKEv1 phase 1: 3DES encryption with the SHA-1 hash method.
IPsec phase 2: 3DES or AES encryption with the MD5 or SHA-1 hash method.
PPP authentication: PAP, MS-CHAPv1, or MS-CHAPv2 (preferred).
NOTE: The ASA only supports the PPP authentication methods PAP and Microsoft CHAP versions 1 and 2 on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap command, and the ASA is configured to use the local database, that user will not be able to connect.
Define a local address pool, or use a DHCP server, from which the adaptive security appliance allocates IP addresses to clients of the group policy.
Create an internal group policy.
Define the tunnel protocol of the group policy as l2tp-ipsec.
Configure a DNS server to be used by the clients.
Either create a new tunnel group or modify the attributes of the existing DefaultRAGroup.
Define the general attributes of the tunnel group that will be used:
Map the defined group policy to this tunnel group.
Map the defined address pool to this tunnel group.
Modify the authentication server group if you want to use something other than LOCAL.
Define the pre-shared key under the IPsec attributes of the tunnel group.
Modify the PPP attributes of the tunnel group so that only CHAP, MS-CHAPv1 and MS-CHAPv2 are used (disable PAP, which sends the password in cleartext inside the PPP session).
Create a transform set with a specific ESP encryption type and authentication type.
Instruct IPsec to use transport mode rather than tunnel mode (L2TP/IPsec clients negotiate transport mode; the ASA default is tunnel mode).
Define an ISAKMP/IKEv1 policy using 3DES encryption with the SHA-1 hash method.
Create a dynamic crypto map and then reference it from a crypto map.
Apply the crypto map to an interface.
Enable ISAKMP on that interface.
The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:
Configuration Example Using ASA 8.2.5 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 22.214.171.124
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec_address
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ! replace <key> with the pre-shared key entered on the Android client
 pre-shared-key <key>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Configuration Example Using ASA 126.96.36.199 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
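The requirements above (3DES/SHA-1 phase 1, transport-mode transform set, PAP disabled and MS-CHAPv2 enabled, a pre-shared key on the tunnel group, a group policy that permits l2tp-ipsec, and the eap-proxy/LOCAL restriction from the note) are easy to get half-right and hard to spot in a long running-config. The following is an added example, not part of the original page and not Cisco tooling: a small Python linter that parses the text of show running-config and lists what would keep a native L2TP/IPsec client from connecting. The two sample configurations are constructed for this example; the DNS address 192.0.2.53 and the masked pre-shared key are placeholders.

```python
"""Lint ASA running-config text for the L2TP/IPsec settings native clients need.
Added example for this page (not Cisco tooling): groups indented sub-commands under
their parent command, as `show running-config` prints them, then checks the phase 1,
phase 2, PPP and tunnel-group requirements listed above."""
import re

def parse_asa_config(text):
    """Return [(parent_command, [sub_commands])] in config order."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                 # blank line or comment
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())        # indented: sub-command of last parent
        else:
            blocks.append((raw.strip(), []))
    return blocks

def lint_l2tp_ipsec(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_asa_config(text)
    parents = [p for p, _ in cfg]
    subs = dict(cfg)                                 # parent -> its sub-commands
    findings = []

    # Phase 1: some ISAKMP/IKEv1 policy must offer pre-share + 3DES + SHA-1.
    if not any(p.startswith(("crypto isakmp policy", "crypto ikev1 policy"))
               and {"authentication pre-share", "encryption 3des", "hash sha"} <= set(c)
               for p, c in cfg):
        findings.append("no ISAKMP/IKEv1 policy with pre-share, 3des and sha")

    # Phase 2: every transform-set a dynamic-map uses must be transport mode (ASA default is tunnel).
    transport = {m.group(1) for p in parents if
                 (m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) mode transport$", p))}
    for p in parents:
        m = re.match(r"crypto dynamic-map \S+ \d+ set (?:ikev1 )?transform-set (.+)$", p)
        for ts in (m.group(1).split() if m else []):
            if ts not in transport:
                findings.append(f"transform-set {ts} is not 'mode transport'")

    # Per tunnel-group: PPP auth methods, pre-shared key, group-policy tunnel protocol.
    for p, c in cfg:
        m = re.match(r"tunnel-group (\S+) general-attributes$", p)
        if not m:
            continue
        tg, server_group, gp = m.group(1), "LOCAL", None   # LOCAL is the ASA default
        for line in c:
            if line.startswith("authentication-server-group "):
                server_group = line.split()[1]
            elif line.startswith("default-group-policy "):
                gp = line.split()[1]
        ppp = subs.get(f"tunnel-group {tg} ppp-attributes", [])
        if "no authentication pap" not in ppp:          # PAP is on by default
            findings.append(f"{tg}: PAP still enabled (cleartext PPP password)")
        if "authentication ms-chap-v2" not in ppp:      # off by default; preferred method
            findings.append(f"{tg}: MS-CHAPv2 not enabled")
        if server_group == "LOCAL" and "authentication eap-proxy" in ppp:
            findings.append(f"{tg}: eap-proxy cannot be served by the LOCAL database")
        ipsec = subs.get(f"tunnel-group {tg} ipsec-attributes", [])
        if not any(l.startswith(("pre-shared-key", "ikev1 pre-shared-key")) for l in ipsec):
            findings.append(f"{tg}: no pre-shared key configured")
        gp_attrs = subs.get(f"group-policy {gp} attributes", [])
        if not any(l.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in l for l in gp_attrs):
            findings.append(f"{tg}: group-policy {gp} does not permit l2tp-ipsec")
    return findings

# Constructed sample mirroring the page's example; DNS and PSK values are placeholders.
GOOD_CONFIG = """\
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 192.0.2.53
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec_address
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

# Same config with three common mistakes: AES-only phase 1, default tunnel-mode transform-set, PAP left on.
BAD_CONFIG = (GOOD_CONFIG.replace(" encryption 3des", " encryption aes")
              .replace("crypto ipsec transform-set trans mode transport\n", "")
              .replace(" no authentication pap\n", ""))
```

Feed lint_l2tp_ipsec() the saved output of show running-config; GOOD_CONFIG returns no findings, while BAD_CONFIG reports the missing 3DES/SHA-1 policy, the tunnel-mode transform set and the still-enabled PAP. The parser relies only on the one-space indentation the ASA uses for sub-commands, so the same linter works on the 8.3/8.4 syntax (crypto ikev1 policy, ikev1 pre-shared-key, ikev1 transform-set) as well as on the 8.2.5 syntax shown on this page.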