L2TP over IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services on a single platform. The primary benefit of configuring L2TP over IPsec in a remote-access scenario is that remote users can reach the VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually any place with POTS (plain old telephone service) or Internet connectivity. An additional benefit is that the only client requirement is an operating system with a native L2TP/IPsec client, for example Windows with Microsoft Dial-Up Networking (DUN) or, as shown here, Android; no additional client software, such as the Cisco VPN Client, is required.

This document provides a sample configuration for the native L2TP/IPsec client on Android. It walks through all the commands required on the ASA as well as the steps to be taken on the Android device itself.
Ensure that you meet these requirements before you attempt this configuration:
Android L2TP/IPsec requires ASA version 8.2.5 or later, 8.3.2.4 or later, or 8.4.1 or later.
The ASA supports SHA-2 certificate signatures for Microsoft Windows 7 and Android-native VPN clients that use the L2TP/IPsec protocol. (This document uses a pre-shared key rather than certificates.)
This section describes the information you need to configure the features described in this document.
To configure the L2TP/IPsec connection on the Android device:
Open the menu and choose Settings
Select Wireless and Network or Wireless Controls, depending on your version of Android
Select VPN Settings
Select Add VPN
Select Add L2TP/IPsec PSK VPN
Select VPN Name and type in a descriptive name
Select Set VPN Server and enter the IP address or hostname of the ASA outside interface (the interface the crypto map is applied to)
Select Set IPSec pre-shared key and enter the same key that will be configured under the ASA tunnel group
Uncheck Enable L2TP secret
Open the menu and choose Save
To configure the L2TP/IPSec connection on ASA:
These are the ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP over IPsec:
IKEv1 phase 1: 3DES encryption with the SHA-1 hash method.
IPsec phase 2: 3DES or AES encryption with the MD5 or SHA hash method. Prefer AES with SHA where the client offers it; 3DES and MD5 are legacy algorithms kept only for client compatibility.
PPP authentication: PAP, MS-CHAPv1, or MS-CHAPv2 (preferred). PAP carries the user password in clear text inside the PPP session and is protected only by the surrounding IPsec SA, so the example below disables it.
NOTE: The ASA supports only the PPP authentication methods PAP and Microsoft CHAP versions 1 and 2 against the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.
Define a local address pool, or use a DHCP server, for the adaptive security appliance to allocate IP addresses to the clients of the group policy.
Create an internal group policy.
Define the tunnel protocol of the group policy as l2tp-ipsec.
Configure a DNS server to be handed to the clients.
Either create a new tunnel group or modify the attributes of the existing DefaultRAGroup. (An L2TP/IPsec client cannot name a tunnel group, so its connection is mapped to DefaultRAGroup unless certificate-based group mapping is used.)
Define the general attributes of the tunnel group that will be used:
Map the group policy defined above to this tunnel group.
Map the address pool defined above to this tunnel group.
Modify the authentication server group if you want to use something other than LOCAL.
Define the pre-shared key under the IPsec attributes of the tunnel group; it must match the key entered on the Android device.
Modify the PPP attributes of the tunnel group so that only CHAP, MS-CHAPv1 and MS-CHAPv2 are used (disable PAP).
Create a transform set with a specific ESP encryption type and authentication type.
Instruct IPsec to use transport mode rather than tunnel mode (L2TP/IPsec clients propose transport mode, so phase 2 fails if the transform set is left in the default tunnel mode).
Define an ISAKMP/IKEv1 policy using 3DES encryption with the SHA-1 hash method.
Create a dynamic crypto map and then reference it from a crypto map.
Apply the crypto map to an interface.
Enable ISAKMP on that interface.
The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:
Configuration Example Using ASA 8.2.5 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 184.108.40.206
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec_address
 authentication-server-group LOCAL
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ! replace ***** with the key entered on the Android device
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Configuration Example Using ASA 8.4.1 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
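The body of this second example is missing from the page beyond the address pool line, so the following is an added reconstruction in ASA 8.4(1)-and-later syntax, not text from the original page or from Cisco. It applies the same steps listed above but with the "ikev1" keywords that 8.4 introduced (crypto ikev1 policy, crypto ikev1 enable, crypto ipsec ikev1 transform-set, set ikev1 transform-set and ikev1 pre-shared-key); everything else (pool, group policy, tunnel group and PPP settings) is unchanged from the 8.2.5 example. The pool, policy, map and transform-set names are reused from that example; the Diffie-Hellman group (2) and the IKE lifetime (86400 seconds) are assumptions the page does not state, and the pre-shared key is a placeholder.

```text
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 184.108.40.206
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec_address
 authentication-server-group LOCAL
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ! 8.4 syntax: the PSK is scoped to IKEv1; replace ***** with the key entered on the Android device
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
! 8.4 syntax: transform sets and dynamic-map references carry the ikev1 keyword
crypto ipsec ikev1 transform-set trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set trans mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
! 8.4 syntax: "crypto isakmp" became "crypto ikev1"
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2           ! assumed; not stated on the page
 lifetime 86400    ! assumed; not stated on the page
```

After pasting the configuration, "show run crypto" on the ASA should list the transform set in transport mode and the ikev1 policy with 3DES/SHA, and "show vpn-sessiondb l2l" is not the right view: L2TP/IPsec sessions appear under "show vpn-sessiondb ra-ikev1-ipsec" (8.4) once an Android client connects.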