• ASA and Native L2TP-IPSec Android Client Configuration Example
• Introduction
• Known Caveats

This document has been migrated to cisco.com. Please refer to the following document for the latest updated version:

ASA and Native L2TP-IPSec Android Client Configuration Example

Introduction

L2TP over IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform.The primary benefit of configuring L2TP over IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required. This document provides a sample configuration for the native l2tp-IPSEC droid client. It takes you through all the necessary commands required on the ASA as well as the steps to be taken on the Android device itself.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

• Android L2TP/IPsec requires ASA version 8.2.5 or greater, 8.3.2.12 or greater, 8.4.1 or greater
• ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.
• Licensing Requirements for L2TP over IPsec

Configure

This section describes the information you need to configure the features described in this document.

To configure the L2TP/IPSec connection on the Droid:

1. Open the menu and choose Settings
2. Select Wireless and Network or Wireless Controls, depending on your version of Android
3. Select VPN Settings
4. Select Add VPN
5. Select Add L2TP/IPsec PSK VPN
6. Select VPN Name and type in a descriptive name
7. Select Set VPN Server and enter a descriptive name
8. Select Set IPSec pre-shared key
9. Uncheck Enable L2TP secret
10. Open the menu and choose Save

To configure the L2TP/IPSec connection on ASA:

The required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP over IPsec protocol.

• IKEv1 phase 1—3DES encryption with SHA1 hash method.
• IPsec phase 2—3DES or AES encryption with MD5 or SHA hash method.
• PPP Authentication—PAP, MS-CHAPv1, or MSCHAPv2 (preferred).
• Pre-shared key

**NOTE: The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy orauthentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.

1. Define a local address pool or use a dhcp-server for the adaptive security appliance to allocate IP addresses to the clients for the group policy.
2. Create an internal group-policy .
   1. define the the tunnel protocol to be l2tp-ipsec
   2. configure a dns server to be used by the clients
3. Either create a new tunnel group or modify the attributes of the existing DefaultRAGroup
4. Define the general-attributes of the tunnel group that will be used
   1. Map the defined group policy to this tunnel group
   2. Map the defined address pool to be used by this tunnel group
   3. modify the authentication-server group if you want to use something other than LOCAL
5. Define the pre-shared key under the ipsec attributes of the tunnel group to be used
6. Modify the ppp attributes of the tunnel group that will be used so that only chap,ms-chap-v1 and ms-chap v2 are used
7. Create a transform set with a specific ESP encryption type and authentication type
8. Instruct IPsec to use transport mode rather than tunnel mode.
9. Define an ISAKMP/IKEv1 policy using 3DES encryption with SHA1 hash method.
10. Create a dynamic crypto map and then map it to a crypto map.
11. Apply the crypto map to an interface
12. Enable ISAKMP on that interface

Configurations

The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:

Configuration Example Using ASA 8.2.5 or later:

ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10

group-policy l2tp-ipsec_policy internal

group-policy l2tp-ipsec_policy attributes

            dns-server value 4.2.2.2

            vpn-tunnel-protocol l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

            default-group-policy l2tp-ipsec_policy

            address-pool l2tp-ipsec_address

tunnel-group DefaultRAGroup ipsec-attributes

            pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

            no authentication pap

            authentication chap

            authentication ms-chap-v1

            authentication ms-chap-v2

crypto ipsec transform-set trans esp-3des esp-sha-hmac

crypto ipsec transform-set trans mode transport

crypto dynamic-map dyno 10 set transform-set set trans

crypto map vpn 65535 ipsec-isakmp dynamic dyno

crypto map vpn interface outside

crypto isakmp enable outside

crypto isakmp policy 10

            authentication pre-share

            encryption 3des

            hash sha

            group 2

            lifetime 86400

Configuration Example Using ASA 8.3.2.12 or later:

ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10

group-policy l2tp-ipsec_policy internal

group-policy l2tp-ipsec_policy attributes

            dns-server value 4.2.2.2

            vpn-tunnel-protocol l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

            default-group-policy l2tp-ipsec_policy

            address-pool l2tp-ipsec_addresses

tunnel-group DefaultRAGroup ipsec-attributes

            pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

            no authentication pap

            authentication chap

            authentication ms-chap-v1

            authentication ms-chap-v2

crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport

crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1

crypto map vpn 20 ipsec-isakmp dynamic dyno

crypto map vpn interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

            authentication pre-share

            encryption 3des

            hash sha

            group 2

            lifetime 86400

Verify

Use these commands to confirm that your connection works properly.

• show run crypto isakmp(8.2.5)
• show run crypto ikev1(8.3.2.12+)
• show vpn-sessiondb ra-ikev1-ipsec (8.3.2.12+)

• show vpn-sessiondb remote (8.2.5)

Related Information

1. For more generic information related to configuring l2tp-ipsec on ASAs please refer to: Configuring L2TP over IPsec
2. For more information about new features added in 8.4 code please refer to: Release Notes for the Cisco ASA 5500 Series, Version 8.4(x)
3. This document does not detail how to deal with natting on ASAs running software 8.3.2.12 or higher. For that please refer to the following documents:
   1. Official NAT 8.3 Documentation
   2. ASA Pre-8.3 to 8.3 NAT configuration Examples

Known Caveats

1. CSCtq21535 - when connecting to a headend running ASA 8.4.1 the ASA may crash.