08-06-2011 03:21 PM - edited 08-28-2017 11:31 PM
This document has been migrated to cisco.com. Please refer to the following document for the latest updated version:
L2TP over IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform. The primary benefit of configuring L2TP over IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually any place with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required. This document provides a sample configuration for the native L2TP/IPsec client on Android. It takes you through all the commands required on the ASA as well as the steps to be taken on the Android device itself.
Prerequisites
Ensure that you meet these requirements before you attempt this configuration:
This section describes the information you need to configure the features described in this document.
To configure the L2TP/IPSec connection on the Droid:
To configure the L2TP/IPSec connection on ASA:
The following are the ASA IKEv1 (ISAKMP) policy settings required to allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using the L2TP over IPsec protocol.
NOTE: The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.
The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:
Configuration Example Using ASA 8.2.5 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy l2tp-ipsec_policy
address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Configuration Example Using ASA 8.3.2.12 or later:
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy l2tp-ipsec_policy
address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
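The two examples above are easy to break with a name mismatch between the objects that reference each other (pool, group-policy, transform-set, dynamic-map), which is exactly what the comments below reported. The following is an added example, not part of this document or any Cisco tool: a small Python lint that reads an ASA snippet of this shape and reports dangling references, a transform-set without the transport mode that L2TP/IPsec requires, and legacy ESP ciphers. The sample configuration inside it is constructed from the 8.3.2.12 example with the reported mismatches reintroduced.

```python
import re

# Constructed sample modelled on this document's 8.3.2.12 snippet, with the two
# name mismatches reported in the comments ("set set" and the pool name) kept in.
SAMPLE_CONFIG = """\
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_addresses
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac
crypto dynamic-map dyno 10 set ikev1 transform-set set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
"""
WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}  # legacy ESP ciphers to flag

def lint_l2tp_config(text):
    """Return findings (list of str) for an ASA L2TP-over-IPsec snippet."""
    pools, policies, tsets, transport, dynmaps = set(), set(), {}, set(), set()
    refs = []  # (kind, name, line) references, resolved after the first pass
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"ip local pool (\S+)", s):
            pools.add(m[1])
        elif m := re.match(r"group-policy (\S+) internal", s):
            policies.add(m[1])
        elif m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) mode transport", s):
            transport.add(m[1])
        elif m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (esp-\S+)", s):
            tsets[m[1]] = m[2]                  # name -> ESP cipher
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set (?:ikev1 )?transform-set (.+)", s):
            dynmaps.add(m[1])
            for name in m[2].split():           # ASA accepts several sets per line
                refs.append(("transform-set", name, s))
        elif m := re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", s):
            refs.append(("dynamic-map", m[1], s))
        elif m := re.match(r"address-pool (\S+)", s):
            refs.append(("pool", m[1], s))
        elif m := re.match(r"default-group-policy (\S+)", s):
            refs.append(("group-policy", m[1], s))
    defined = {"transform-set": set(tsets), "dynamic-map": dynmaps,
               "pool": pools, "group-policy": policies}
    findings = [f"{kind} '{name}' is referenced but never defined: {line}"
                for kind, name, line in refs if name not in defined[kind]]
    for name, cipher in tsets.items():
        if name not in transport:   # L2TP/IPsec needs transport mode, not tunnel
            findings.append(f"transform-set '{name}' is missing 'mode transport'")
        if cipher in WEAK_ESP:
            findings.append(f"transform-set '{name}' uses weak cipher {cipher}")
    return findings
```

Run it on the output of `show running-config` before pushing a change; the lint only understands the handful of commands this document uses.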
Verify
Use these commands to confirm that your connection works properly.
show vpn-sessiondb remote (8.2.5)
Related Information
Thank you for this document. It really helped me implementing VPN-Support for Android devices. But there are some minor errors:
The name of the transform-set configured in the example for 8.3.2.12 is my-transform-set-ikev1, but the dynamic-map uses the name trans.
The transform-set uses 3des in the first example and only des in the second. Besides this, why don't you just recommend aes?
One problem I encountered during implementation was the combined use of tunnel and transport mode.
I found out that this is only possible if they are both configured in a single dynamic-map using the different transform-sets. When using multiple dynamic-maps or crypto-maps with priorities, only the one with the higher priority matched, resulting in the log message "All IPSec SA proposals found unacceptable!"
I would have liked a note that changing the dynamic-map results in an immediate disconnect of all IPSec sessions.
I hope this advice helps others during implementation.
Hi, thanks for the feedback and pointing out the error. I had it fixed.
Now regarding your other queries:
1. I just happened to choose DES and 3DES because I had used them before in my lab and it's what I usually use. There are no problems that I am aware of, but it isn't something I've tested either.
2. It might be worth exploring the problem you are facing with dynamic maps requiring different transform-sets by opening a case with Cisco TAC.
3. What kind of changes did you make to the crypto map? Did you modify the crypto map that was being used by the tunnel?
Great document but lines 3,4,5 are all bunched together and therefore I can't read them. Can you repost?
Hi, I don't see the error myself. Could you try increasing the size of the text on your page to see if that resolves the issue? In that case I can increase the font size to make it more readable.
I tried a larger size with no luck. It's like those three lines are running together, maybe missing CRs or something.
I just did a view as a pdf and they now come out okay. Thanks for the response.
Sorry I couldn't help more; it has to do with the way your browser is rendering it, because on Chrome (which I am using) all the lines are well spaced out and clearly visible.
There is a small extra "set" in "crypto dynamic-map dyno 10 set transform-set set trans". Otherwise, these instructions worked great for me!
Although I'm still not 100%, because I can connect but packet-tracer shows packets dropped. But I think this is related to my own configuration.
I had to add a foo/bar user to be able to test:
username foo password bar mschap
In any case, thank you! These are the best instructions I have found. Now, if only I could see something similar for iPhone/MacOSX/iPad.
I am glad you find this one useful, you might find the following document handy for your other requirement:
https://supportforums.cisco.com/docs/DOC-15887#Q_How_do_I_configure_the_Mac_builtin_VPN_Client
I revive the thread!
Could it work with ASA 8.2.1?
I've mashed your template with my customer's firewall configuration and plan to test it. I hope it will work with the software revision actually running. Thanks for your document!
I followed them with 8.2 also. They worked very well.
Steve, the L2TP client is only supported as of ASA 8.2.5; any 8.2.x code prior to this isn't supported. While this doesn't mean that it won't work, it definitely means there is a high likelihood it won't, because the ASA code was not designed to support it at that stage. Just an FYI, this document has now been verified and has become an official Cisco document:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7540.shtml
Thanks a lot! It will help me (and my team) to work on it.
Hi,
I tried it too but could not connect with my Android 4 tablet to my ASA5505 running 9.1.2.
Here is the log output:
4 Nov 06 2013 20:49:33 113019 Group = DefaultRAGroup, Username = , IP = 192.168.0.1, Session disconnected. Session Type: IPsec, Duration: 0h:00m:02s, Bytes xmt: 803, Bytes rcv: 771, Reason: L2TP initiated
5 Nov 06 2013 20:49:33 713259 Group = DefaultRAGroup, IP = 192.168.0.1, Session is being torn down. Reason: L2TP initiated
6 Nov 06 2013 20:49:33 602304 IPSEC: An inbound remote access SA (SPI= 0x384D5B3D) between 192.168.0.1 and 192.168.0.100 (user= DefaultRAGroup) has been deleted.
6 Nov 06 2013 20:49:33 602304 IPSEC: An outbound remote access SA (SPI= 0x00D4C9B6) between 192.168.0.100 and 192.168.0.1 (user= DefaultRAGroup) has been deleted.
6 Nov 06 2013 20:49:33 603107 L2TP Tunnel deleted, tunnel_id = 18, remote_peer_ip = 192.168.0.1
6 Nov 06 2013 20:49:33 603106 L2TP Tunnel created, tunnel_id is 18, remote_peer_ip is 192.168.0.1
4 Nov 06 2013 20:49:33 737013 IPAA: Error freeing address 0.0.0.0, not found
6 Nov 06 2013 20:49:33 113015 AAA user authentication Rejected : reason = Invalid password : local database : user = chris
6 Nov 06 2013 20:49:33 302015 192.168.0.1 42307 192.168.0.100 1701 Built inbound UDP connection 4730 for outside:192.168.0.1/42307 (192.168.0.1/42307) to identity:192.168.0.100/1701 (192.168.0.100/1701)
5 Nov 06 2013 20:49:32 713120 Group = DefaultRAGroup, IP = 192.168.0.1, PHASE 2 COMPLETED (msgid=caaa74cb)
6 Nov 06 2013 20:49:32 602303 IPSEC: An inbound remote access SA (SPI= 0x384D5B3D) between 192.168.0.100 and 192.168.0.1 (user= DefaultRAGroup) has been created.
5 Nov 06 2013 20:49:32 713049 Group = DefaultRAGroup, IP = 192.168.0.1, Security negotiation complete for User () Responder, Inbound SPI = 0x384d5b3d, Outbound SPI = 0x00d4c9b6
6 Nov 06 2013 20:49:32 602303 IPSEC: An outbound remote access SA (SPI= 0x00D4C9B6) between 192.168.0.100 and 192.168.0.1 (user= DefaultRAGroup) has been created.
5 Nov 06 2013 20:49:32 713076 Group = DefaultRAGroup, IP = 192.168.0.1, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
5 Nov 06 2013 20:49:31 713119 Group = DefaultRAGroup, IP = 192.168.0.1, PHASE 1 COMPLETED
6 Nov 06 2013 20:49:31 113009 AAA retrieved default group policy (l2tp-ipsec_policy) for user = DefaultRAGroup
6 Nov 06 2013 20:49:31 713172 Group = DefaultRAGroup, IP = 192.168.0.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
My user/password are correct though.
Any idea why it could fail?
Thank you.
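The log above already answers the question when read oldest-first: both IKE phases and the IPsec SAs complete, and the session is torn down only after the PPP-level AAA rejection (message 113015, "Invalid password"). The following is an added example, not part of the original post or any Cisco tool: a Python parser for these viewer-style lines that restores chronological order and reports the last stage reached before the first AAA rejection. The embedded sample is a constructed subset of the quoted lines; the stage labels are our own shorthand.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the ASA syslog lines quoted in the post above,
# in the newest-first order the ASDM log viewer shows them.
SAMPLE_LOG = """\
4 Nov 06 2013 20:49:33 113019 Group = DefaultRAGroup, Username = , IP = 192.168.0.1, Session disconnected. Session Type: IPsec, Duration: 0h:00m:02s, Bytes xmt: 803, Bytes rcv: 771, Reason: L2TP initiated
6 Nov 06 2013 20:49:33 603107 L2TP Tunnel deleted, tunnel_id = 18, remote_peer_ip = 192.168.0.1
6 Nov 06 2013 20:49:33 603106 L2TP Tunnel created, tunnel_id is 18, remote_peer_ip is 192.168.0.1
6 Nov 06 2013 20:49:33 113015 AAA user authentication Rejected : reason = Invalid password : local database : user = chris
5 Nov 06 2013 20:49:32 713120 Group = DefaultRAGroup, IP = 192.168.0.1, PHASE 2 COMPLETED (msgid=caaa74cb)
5 Nov 06 2013 20:49:31 713119 Group = DefaultRAGroup, IP = 192.168.0.1, PHASE 1 COMPLETED
"""

# severity, timestamp, six-digit message id, free text
LINE_RE = re.compile(r"^(\d)\s+(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\d{6})\s+(.*)$")

# Which stage of an L2TP-over-IPsec session each message id marks; the ids are
# from the quoted log, the stage labels are our own shorthand.
STAGES = {"713119": "IKE phase 1", "713120": "IKE phase 2 (IPsec SA)",
          "603106": "L2TP tunnel", "113019": "session teardown"}

def parse_asa_log(text):
    """Parse viewer-style lines into dicts, returned oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # skip anything that is not a log line
            continue
        events.append({"severity": int(m[1]),
                       "time": datetime.strptime(m[2], "%b %d %Y %H:%M:%S"),
                       "id": m[3], "msg": m[4]})
    return list(reversed(events))

def diagnose_l2tp_failure(text):
    """Return (last stage completed, AAA reason) for the first 113015 rejection,
    or (last stage, None) when the session never failed authentication."""
    reached, reason = None, None
    for ev in parse_asa_log(text):
        if ev["id"] == "113015":
            reason = re.search(r"reason = ([^:]+)", ev["msg"])[1].strip()
            break
        if ev["id"] in STAGES:
            reached = STAGES[ev["id"]]
    return reached, reason
```

A result of ("IKE phase 2 (IPsec SA)", "Invalid password") tells you the pre-shared key and crypto settings are fine and the problem is the username, password or PPP authentication method configured under ppp-attributes.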
Hey guys,
I got it (IPsec over NAT-T, or say IKEv1) working this morning with a Cisco ASA 5505 v9.1 & Samsung Galaxy S4 (unrooted).
Basically, there is some unknown issue with the built-in VPN module of most of these Android phones.
Try using 3rd party mobile apps such as vpncilla etc.; it works like a charm.
group-policy Android internal
group-policy Android attributes
dns-server value x.x.x.x x.x.x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_ACL
default-domain value vpn.yourdomain.com
tunnel-group Android type remote-access
tunnel-group Android general-attributes
address-pool Remote_access
authentication-server-group yourTACACS (alternatively can use local auth)
default-group-policy Android
tunnel-group Android ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Android ppp-attributes
authentication ms-chap-v2
Hope this works for you!
HTH