L2TP over IPsec lets you deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services of a single platform. The primary benefit of configuring L2TP over IPsec in a remote access scenario is that remote users can reach the VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anywhere with POTS. An additional benefit is that the only client requirement for VPN access is Windows with Microsoft Dial-Up Networking (DUN); no additional client software, such as the Cisco VPN client, is required.

This document provides a sample configuration for the native L2TP/IPsec client on Android. It walks through the commands required on the ASA as well as the steps to be taken on the Android device itself.
Ensure that you meet these requirements before you attempt this configuration:
Android L2TP/IPsec requires ASA version 8.2.5 or greater, 8.3.x or greater, or 8.4.1 or greater (the exact 8.3 point release was garbled in this copy of the page).
ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.
This section describes the information you need to configure the features described in this document.
To configure the L2TP/IPsec connection on the Android device:
Open the menu and choose Settings
Select Wireless and Network or Wireless Controls, depending on your version of Android
Select VPN Settings
Select Add VPN
Select Add L2TP/IPsec PSK VPN
Select VPN Name and type in a descriptive name
Select Set VPN Server and enter the IP address or hostname of the ASA's outside interface (the interface the crypto map is applied to)
Select Set IPSec pre-shared key and enter the same key that is configured under the tunnel group's ipsec-attributes on the ASA
Uncheck Enable L2TP secret
Open the menu and choose Save
To configure the L2TP/IPSec connection on ASA:
These are the ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients, integrated with the operating system of the endpoint, to connect to the ASA with L2TP over IPsec. They reflect what the native clients negotiate; 3DES and MD5 are legacy algorithms, so do not offer more than the client actually needs.
IKEv1 phase 1: 3DES encryption with SHA1 hash method.
IPsec phase 2: 3DES or AES encryption with MD5 or SHA hash method.
PPP authentication: PAP, MS-CHAPv1, or MS-CHAPv2 (preferred). PAP sends the password in the clear inside the tunnel; it is protected from the network by IPsec, but there is no reason to leave it enabled when the client supports MS-CHAPv2.
NOTE: The ASA only supports the PPP authentication methods PAP and Microsoft CHAP versions 1 and 2 against the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.
Define a local address pool, or use a dhcp-server, so that the adaptive security appliance can allocate IP addresses to the clients of the group policy.
Create an internal group-policy.
Define the tunnel protocol of the group policy to be l2tp-ipsec.
Configure a DNS server to be used by the clients.
Either create a new tunnel group or modify the attributes of the existing DefaultRAGroup. Native L2TP/IPsec clients cannot select a tunnel group, so they land in DefaultRAGroup; if you use a different tunnel group, the clients must be mapped to it by other means.
Define the general-attributes of the tunnel group that will be used:
Map the defined group policy to this tunnel group.
Map the defined address pool to this tunnel group.
Modify the authentication-server group if you want to use something other than LOCAL.
Define the pre-shared key under the ipsec-attributes of the tunnel group. This key is shared by every client that uses the tunnel group, so treat it as a group secret and rotate it when a device is lost.
Modify the ppp-attributes of the tunnel group so that only chap, ms-chap-v1 and ms-chap-v2 are used (disable PAP). Remember the note above: chap only works with an external authentication server, not with LOCAL.
Create a transform set with a specific ESP encryption type and authentication type.
Instruct IPsec to use transport mode rather than tunnel mode (L2TP carries the user traffic; IPsec only protects the L2TP/UDP packets between the client and the ASA).
Define an ISAKMP/IKEv1 policy using 3DES encryption with SHA1 hash method.
Create a dynamic crypto map and then reference it from a crypto map.
Apply the crypto map to an interface.
Enable ISAKMP on that interface.
The following example shows the configuration commands that ensure ASA compatibility with a native L2TP/IPsec client on any operating system. The sub-commands that the steps above call for but that were missing from the original excerpt have been filled in; the pre-shared key is a placeholder, and the DH group line is an assumption (the Android client negotiates group 2), not something this page states.
Configuration Example Using ASA 8.2.5 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 220.127.116.11
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec_address
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <shared-secret>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2
! transport mode: IPsec protects only the L2TP/UDP packets, as the steps above require
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
! phase 1: pre-shared key, 3DES, SHA1 as listed above; group 2 is assumed, not stated on this page
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
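The following Python script is an added check written for this page (it is not Cisco's code). It parses a `show running-config` excerpt and verifies the items the steps above call for: an IKEv1 policy with pre-shared-key authentication, 3DES and SHA; a transport-mode transform set on the dynamic map; the crypto map and ISAKMP enabled on the same interface; an address pool, a group policy whose tunnel protocol includes l2tp-ipsec, and a pre-shared key on each tunnel group; PAP disabled; and no chap or eap-proxy when the tunnel group authenticates against LOCAL (the note above). Both the 8.2 syntax shown on this page and the 8.4 forms that carry the ikev1 keyword are accepted. The two sample configurations are constructed for the example; because a running-config excerpt does not show default settings, the PAP check insists on the explicit no authentication pap line.

```python
import re

# Constructed sample: a configuration that follows the steps on this page
# (the pre-shared key and DNS address are placeholders).
GOOD_CONFIG = """\
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 10.0.0.53
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec_address
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

# Constructed sample with three common mistakes: wrong tunnel protocol,
# transform set left in tunnel mode, and PAP/CHAP left on with LOCAL auth.
BAD_CONFIG = (GOOD_CONFIG
              .replace(" vpn-tunnel-protocol l2tp-ipsec\n", " vpn-tunnel-protocol ipsec\n")
              .replace("crypto ipsec transform-set trans mode transport\n", "")
              .replace(" no authentication pap\n", " authentication chap\n"))


def parse_asa(text):
    """Group indented sub-commands under their top-level command.

    Returns (top, blocks): the ordered list of unindented commands and a dict
    mapping each of them to its sub-commands. Blank lines and '!' are skipped.
    """
    top, blocks, parent = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
            blocks.setdefault(parent, [])
    return top, blocks


def check_l2tp_ipsec(text):
    """Return a list of findings; an empty list means the excerpt meets the
    L2TP/IPsec requirements listed on this page."""
    top, blocks = parse_asa(text)
    findings = []

    # Phase 1: IKEv1 policy with pre-shared key, 3DES and SHA-1 (8.2 or 8.4 syntax).
    policies = [c for c in top if c.startswith(("crypto isakmp policy ", "crypto ikev1 policy "))]
    if not policies:
        findings.append("no IKEv1 (isakmp) policy defined")
    for pol in policies:
        for needed in ("authentication pre-share", "encryption 3des", "hash sha"):
            if needed not in blocks[pol]:
                findings.append(f"{pol}: missing '{needed}'")

    # Phase 2: every transform set used by a dynamic map must be in transport mode.
    for cmd in top:
        m = re.match(r"crypto dynamic-map \S+ \d+ set (?:ikev1 )?transform-set (.+)", cmd)
        if m:
            for ts in m.group(1).split():
                if f"crypto ipsec transform-set {ts} mode transport" not in top:
                    findings.append(f"transform-set {ts}: not in transport mode (L2TP needs transport)")

    # The crypto map must be applied and ISAKMP enabled on the same interface.
    ifaces = [m.group(1) for c in top for m in [re.match(r"crypto map \S+ interface (\S+)", c)] if m]
    if not ifaces:
        findings.append("crypto map not applied to any interface")
    for iface in ifaces:
        if f"crypto isakmp enable {iface}" not in top and f"crypto ikev1 enable {iface}" not in top:
            findings.append(f"interface {iface}: crypto map applied but ISAKMP not enabled")

    # Tunnel group: pool, group policy, pre-shared key and PPP authentication.
    groups = sorted({m.group(1) for c in top for m in [re.match(r"tunnel-group (\S+) ", c)] if m})
    for tg in groups:
        gen = blocks.get(f"tunnel-group {tg} general-attributes", [])
        if not any(l.startswith(("address-pool ", "dhcp-server ")) for l in gen):
            findings.append(f"tunnel-group {tg}: no address-pool or dhcp-server")
        gp = next((l.split()[1] for l in gen if l.startswith("default-group-policy ")), None)
        if gp is None:
            findings.append(f"tunnel-group {tg}: no default-group-policy")
        else:
            proto = [l for l in blocks.get(f"group-policy {gp} attributes", [])
                     if l.startswith("vpn-tunnel-protocol ")]
            if not proto or "l2tp-ipsec" not in proto[-1].split():
                findings.append(f"group-policy {gp}: vpn-tunnel-protocol does not include l2tp-ipsec")
        ipsec = blocks.get(f"tunnel-group {tg} ipsec-attributes", [])
        if not any(l.startswith(("pre-shared-key ", "ikev1 pre-shared-key ")) for l in ipsec):
            findings.append(f"tunnel-group {tg}: no pre-shared key")
        ppp = blocks.get(f"tunnel-group {tg} ppp-attributes", [])
        if "no authentication pap" not in ppp:
            findings.append(f"tunnel-group {tg}: PAP not explicitly disabled")
        # CHAP and EAP need an external AAA server; with LOCAL (the default) they cannot work.
        auth_srv = next((l.split()[1] for l in gen if l.startswith("authentication-server-group ")), "LOCAL")
        if auth_srv == "LOCAL":
            for proxied in ("authentication chap", "authentication eap-proxy"):
                if proxied in ppp:
                    findings.append(f"tunnel-group {tg}: '{proxied}' needs an external AAA server, not LOCAL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_l2tp_ipsec(cfg) or "OK")
```

Run it against the output of `show running-config` pasted into a file; the good sample produces no findings, and the bad sample reports the missing l2tp-ipsec tunnel protocol, the tunnel-mode transform set, PAP left enabled and CHAP with LOCAL authentication.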
Configuration Example Using ASA 8.3.x or later (the exact point release was garbled in this copy of the page; note that from 8.4 the IKEv1 commands take the ikev1 keyword, for example crypto ikev1 enable outside and ikev1 pre-shared-key):
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10