L2TP over IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform.

The primary benefit of configuring L2TP over IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually any place with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required.

This document provides a sample configuration for the native L2TP/IPsec client on Android. It takes you through all the commands required on the ASA as well as the steps to be taken on the Android device itself.
Ensure that you meet these requirements before you attempt this configuration:
Android L2TP/IPsec requires ASA version 8.2.5 or greater, 220.127.116.11 or greater, 8.4.1 or greater
ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.
This section describes the information you need to configure the features described in this document.
To configure the L2TP/IPSec connection on the Droid:
Open the menu and choose Settings
Select Wireless and Network or Wireless Controls, depending on your version of Android
Select VPN Settings
Select Add VPN
Select Add L2TP/IPsec PSK VPN
Select VPN Name and type in a descriptive name
Select Set VPN Server and enter a descriptive name
Select Set IPSec pre-shared key
Uncheck Enable L2TP secret
Open the menu and choose Save
To configure the L2TP/IPSec connection on ASA:
These are the required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using the L2TP over IPsec protocol:
IKEv1 phase 1—3DES encryption with SHA1 hash method.
IPsec phase 2—3DES or AES encryption with MD5 or SHA hash method.
PPP Authentication—PAP, MS-CHAPv1, or MSCHAPv2 (preferred).
**NOTE:** The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.
Define a local address pool or use a dhcp-server for the adaptive security appliance to allocate IP addresses to the clients for the group policy.
Create an internal group policy.
Define the tunnel protocol as l2tp-ipsec.
Configure a DNS server to be used by the clients.
Either create a new tunnel group or modify the attributes of the existing DefaultRAGroup
Define the general-attributes of the tunnel group that will be used
Map the defined group policy to this tunnel group
Map the defined address pool to be used by this tunnel group
Modify the authentication-server group if you want to use something other than LOCAL.
Define the pre-shared key under the ipsec attributes of the tunnel group to be used
Modify the ppp attributes of the tunnel group that will be used so that only chap, ms-chap-v1 and ms-chap-v2 are used.
Create a transform set with a specific ESP encryption type and authentication type
Instruct IPsec to use transport mode rather than tunnel mode.
Define an ISAKMP/IKEv1 policy using 3DES encryption with SHA1 hash method.
Create a dynamic crypto map and then map it to a crypto map.
Apply the crypto map to an interface
Enable ISAKMP on that interface
The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:
Configuration Example Using ASA 8.2.5 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 18.104.22.168
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec_address
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Configuration Example Using ASA 22.214.171.124 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
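To verify that a running configuration actually meets the requirements listed above (transport mode on the transform set, a pre-share/3DES/SHA ISAKMP policy, the l2tp-ipsec tunnel protocol on the group policy, a PPP method the local database supports, and ISAKMP enabled on the crypto-map interface), here is an added checker in Python. It is not Cisco's code or part of the original document; it parses the pre-8.3 `crypto isakmp` syntax of the first example and runs on a constructed config excerpt embedded inline.

```python
# Constructed sample config excerpt modelled on the example above (no real secrets).
SAMPLE_CONFIG = """\
group-policy l2tp-ipsec_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
"""

def parse_sections(config):
    """Map each top-level ASA command to its indented sub-commands."""
    sections, current = {}, None
    for raw in (l for l in config.splitlines() if l.strip()):
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def check_l2tp_ipsec(config, tunnel_group="DefaultRAGroup"):
    """Return the page's requirements that the config fails (empty list = OK)."""
    s, failures = parse_sections(config), []
    ts = {k.split()[3] for k in s if k.startswith("crypto ipsec transform-set ")}
    transport = {k.split()[3] for k in ts and s if k.startswith("crypto ipsec transform-set ") and k.endswith(" mode transport")}
    if not ts or ts - transport:            # L2TP/IPsec rides IPsec transport mode
        failures.append("transform-set mode transport")
    pol = [set(v) for k, v in s.items() if k.startswith("crypto isakmp policy ")]
    if not any({"authentication pre-share", "encryption 3des", "hash sha"} <= p for p in pol):
        failures.append("isakmp policy pre-share/3des/sha")
    if not any(l.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in l.split()
               for k, v in s.items() if k.startswith("group-policy ") for l in v):
        failures.append("vpn-tunnel-protocol l2tp-ipsec")
    ppp = s.get(f"tunnel-group {tunnel_group} ppp-attributes", [])
    enabled = {l.split()[1] for l in ppp if l.startswith("authentication ")}
    if not enabled & {"pap", "ms-chap-v1", "ms-chap-v2"}:  # methods the local DB supports
        failures.append("ppp authentication")
    ifaces = [k.split()[-1] for k in s if k.startswith("crypto map ") and " interface " in k]
    if not ifaces or not all(f"crypto isakmp enable {i}" in s for i in ifaces):
        failures.append("isakmp enable on crypto-map interface")
    return failures
```

Feed it the text of `show running-config` from the ASA to check a live device rather than the sample.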