Android L2TP/IPSEC to ASA with certs

darthnul
Level 1

I'm having an issue getting this to work, but I think (hope) I'm close.

The droid is an HTC Thunderbolt. The ASA is a 5510 running 8.4.1 code. According to release notes the native L2TP/IPSEC client is supported.

The ASA has been in production for a while handling remote access and Lan2Lan VPNs. All remote access and almost all Lan2Lan VPNs are RSA-Sig (certificate) authenticated. Aggressive mode IKE has always been disabled.

The cert installed in the android just fine. I'm using an MS 2003 CA with the MSCEP plugin, although the droid cert was acquired manually with a web browser and then exported as a PKCS12 file.

I added a couple of transport mode transform sets to my dynamic crypto map because all my existing sets were tunnel mode. The group I'm using has been around a while and works fine with Cisco IPSEC clients.

When I attempt to connect with the droid the ASA gripes about IKE keepalives not being supported on the peer, then logs that Phase 1 is complete. Then I get a successful group match to the cert OU, a Phase 2 gripe about "Mismatched attribute types for class Encapsulation Mode: Rec'd: UDP Transport Cfg'd: UDPTunnel(NAT-T)", but Phase 2 completes successfully anyway. About 5 seconds later the ASA logs that it can't "free address 0.0.0.0", and then, that the session is being torn down because "L2TP initiated". On the droid end, I get a prompt that the password was wrong (it's not) and asks if I want to try again. L2TP/IPSEC and IPSEC are enabled for the tunnel-group.

Any ideas about what to try next?

3 Replies

pkarelis
Level 1

We're having the same EXACT symptom. Client is a Motorola Xoom running Honeycomb 3.0.1, ASA was just upgraded to 8.4(1). We are using PSK on the tunnel instead of certificate.

Any assistance would be appreciated.

I first thought that maybe L2TP wanted to authenticate itself with the same pw that was used by XAUTH and that was failing because of our one-time passwords, but I changed the authentication for the tunnel-group to a different RADIUS server that just uses regular passwords and it didn't make any difference. The ASA logs give no indication of any failed authentication. I don't know why the droid thinks the pw is wrong (it's not).

               ...jgm

Well, I did some digging. I used the Android SDK to connect to the shell, and ran the "logcat" command (which is more like a LogTail than a cat), and I ran through a connection attempt. IPSEC is definitely being established; the problem is on the PPP side of the house, particularly PAP authentication. Weird thing is that I'm showing good authentication on my Cisco ACS server, and on my RSA Security Console.

I'm going to see if I can debug the PPP portion (which I wasn't trying to do before) on the ASA and see what I turn up.

Here are the logs, C.C.C.C is the client IP address (on the android device) and X.X.X.X is the ASA's IP address:

D/VpnService(  119):   Local IP: C.C.C.C, if: wlan0
D/VpnSettings(18726): received connectivity: Venable: connected? CONNECTING   err=0
D/VpnService(  119):        VPN UP: down
I/SProxy_racoon(  119): Start VPN daemon: racoon
D/SProxy_racoon(  119): racoon is running after 0 msec
D/SProxy_racoon(  119): service not yet listen()ing; try again
D/racoon  (22814): Waiting for control socket
D/mtpd    (23110): Waiting for control socket
D/SProxy_mtpd(  119): mtpd is running after 200 msec
D/mtpd    (23110): Received 19 arguments
I/mtpd    (23110): Using protocol l2tp
I/mtpd    (23110): Connecting to X.X.X.X port 1701
I/mtpd    (23110): Connection established (socket = 11)
D/mtpd    (23110): Sending SCCRQ (local_tunnel = 52384)
I/racoon  (22814): no in-bound policy found: X.X.X.X/32[1701] C.C.C.C/32[0] proto=udp dir=in
I/racoon  (22814): IPsec-SA request for X.X.X.X queued due to no phase1 found.
I/racoon  (22814): initiate new phase 1 negotiation: C.C.C.C[500]<=>X.X.X.X[500]
I/racoon  (22814): begin Identity Protection mode.
I/SProxy_mtpd(  119): got data from control socket: 19
I/racoon  (22814): received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
I/racoon  (22814):
I/racoon  (22814): received broken Microsoft ID: FRAGMENTATION
I/racoon  (22814): Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
I/racoon  (22814):
I/racoon  (22814): Hashing X.X.X.X[500] with algo #2
I/racoon  (22814): Hashing C.C.C.C[500] with algo #2
I/racoon  (22814): Adding remote and local NAT-D payloads.
I/racoon  (22814): received Vendor ID: CISCO-UNITY
I/racoon  (22814): received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
I/racoon  (22814): Hashing C.C.C.C[500] with algo #2
I/racoon  (22814): NAT-D payload #0 doesn't match
I/racoon  (22814): Hashing X.X.X.X[500] with algo #2
I/racoon  (22814): NAT-D payload #1 verified
I/racoon  (22814): NAT detected: ME
I/racoon  (22814): KA list add: C.C.C.C[4500]->X.X.X.X[4500]
I/keystore(   88): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/racoon  (22814): received Vendor ID: DPD
W/racoon  (22814): port 4500 expected, but 0
I/racoon  (22814): ISAKMP-SA established C.C.C.C[4500]-X.X.X.X[4500] spi:55ab09deca1219ab:685d2af155e241bf
I/racoon  (22814): initiate new phase 2 negotiation: C.C.C.C[4500]<=>X.X.X.X[4500]
I/racoon  (22814): NAT detected -> UDP encapsulation (ENC_MODE 2->61444).
W/racoon  (22814): ignore RESPONDER-LIFETIME notification.
W/racoon  (22814): transform number has been modified.
I/racoon  (22814): Adjusting my encmode UDP-Transport->Transport
I/racoon  (22814): Adjusting peer's encmode UDP-Transport(61444)->Transport(2)
W/racoon  (22814): trns_id mismatched: my:3DES peer:AES
W/racoon  (22814): trns_id mismatched: my:3DES peer:AES
W/racoon  (22814): trns_id mismatched: my:DES peer:AES
W/racoon  (22814): trns_id mismatched: my:DES peer:AES
I/racoon  (22814): IPsec-SA established: ESP/Transport X.X.X.X[0]->C.C.C.C[0] spi=38242464(0x24788a0)
I/racoon  (22814): IPsec-SA established: ESP/Transport C.C.C.C[4500]->X.X.X.X[4500] spi=2524143773(0x9673609d)
D/mtpd    (23110): Timeout -> Sending SCCRQ
D/mtpd    (23110): Received SCCRP (remote_tunnel = 3072) -> Sending SCCCN
D/mtpd    (23110): Received ACK -> Sending ICRQ (local_session = 18954)
I/mtpd    (23110): Tunnel established  #(IPSEC is happy)
D/mtpd    (23110): Received ICRP (remote_session = 3072) -> Sending ICCN
D/mtpd    (23110): Received ACK
I/mtpd    (23110): Session established
I/mtpd    (23110): Creating PPPoX socket
I/mtpd    (23110): Starting pppd (pppox = 12)
I/mtpd    (23110): Pppd started (pid = 23114)
I/pppd    (23114): Using PPPoX (socket = 12)
D/mtpd    (23110): Received SLI -> Sending ACK
D/pppd    (23114): using channel 12
I/pppd    (23114): Using interface ppp0
I/pppd    (23114): Connect: ppp0 <-->
D/Tethering(  119): ppp0 is not a tetherable iface, ignoring
E/pppd    (23114): PAP authentication failed
I/pppd    (23114): Connection terminated.
I/mtpd    (23110): Received signal 17
I/mtpd    (23110): Pppd is terminated (status = 19)
D/mtpd    (23110): Sending STOPCCN
I/mtpd    (23110): Mtpd is terminated (status = 51)
I/racoon  (22814): purged IPsec-SA proto_id=ESP spi=2524143773.
I/racoon  (22814): ISAKMP-SA expired C.C.C.C[4500]-X.X.X.X[4500] spi:55ab09deca1219ab:685d2af155e241bf
I/SProxy_mtpd(  119): got data from control socket: 51
E/VpnService(  119): onError()
E/VpnService(  119): com.android.server.vpn.VpnConnectingError: Connecting error: 51
E/VpnService(  119):    at com.android.server.vpn.VpnService.onError(VpnService.java:169)
E/VpnService(  119):    at com.android.server.vpn.VpnService.waitUntilConnectedOrTimedout(VpnService.java:196)
E/VpnService(  119):    at com.android.server.vpn.VpnService.onConnect(VpnService.java:134)
E/VpnService(  119):    at com.android.server.vpn.VpnServiceBinder$1.run(VpnServiceBinder.java:57)
E/VpnService(  119):    at java.lang.Thread.run(Thread.java:1020)
I/VpnService(  119): disconnecting VPN...
I/SProxy_mtpd(  119): Stop VPN daemon: mtpd
D/SProxy_mtpd(  119): mtpd is stopped after 0 msec
D/SProxy_mtpd(  119): stopping mtpd, success? true
I/SProxy_racoon(  119): Stop VPN daemon: racoon
D/SProxy_racoon(  119): racoon is stopped after 200 msec
D/SProxy_racoon(  119): stopping racoon, success? true
D/VpnService(  119): onFinalCleanUp()
I/VpnService(  119): restore original suffices --> null
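As an added illustration (not from the thread or from any Cisco or Android project code), here is a small Python parser for the logcat "brief" format shown above. It walks a capture and reports how far the L2TP/IPsec bring-up got (IKE phase 1, phase 2, L2TP tunnel and session, PPP interface) and which hard failure ended it, so a capture like the one posted can be triaged to "IPsec fine, PPP authentication failed" mechanically. The sample excerpt is constructed in the same format as the posted log; the stage and failure markers are assumptions based on the message strings visible in that log.

```python
import re

# Constructed excerpt in the same logcat format as the thread's capture (not the original log).
SAMPLE_LOG = """\
I/racoon  (22814): initiate new phase 1 negotiation: C.C.C.C[500]<=>X.X.X.X[500]
W/racoon  (22814): port 4500 expected, but 0
I/racoon  (22814): ISAKMP-SA established C.C.C.C[4500]-X.X.X.X[4500] spi:55ab09deca1219ab:685d2af155e241bf
W/racoon  (22814): trns_id mismatched: my:3DES peer:AES
I/racoon  (22814): IPsec-SA established: ESP/Transport C.C.C.C[4500]->X.X.X.X[4500] spi=2524143773(0x9673609d)
I/mtpd    (23110): Tunnel established
I/mtpd    (23110): Session established
I/pppd    (23114): Using interface ppp0
E/pppd    (23114): PAP authentication failed
I/pppd    (23114): Connection terminated.
"""

# logcat "brief" format: <level>/<tag>(<pid>): <message>; the tag may be space-padded.
LINE_RE = re.compile(r"^([VDIWEF])/(\S+)\s*\(\s*(\d+)\):\s?(.*)$")

# Milestones in the order a working L2TP/IPsec connection passes them (assumed markers).
STAGES = [
    ("ike_phase1", "ISAKMP-SA established"),
    ("ike_phase2", "IPsec-SA established"),
    ("l2tp_tunnel", "Tunnel established"),
    ("l2tp_session", "Session established"),
    ("ppp_up", "Using interface ppp"),
]
# Hard failures that explain a teardown; pppd prints "<PAP|CHAP> authentication failed".
FAILURES = [("ppp_auth", "authentication failed")]

def parse_line(line):
    """Split one logcat line into (level, tag, pid, msg); None if it is not a logcat line."""
    m = LINE_RE.match(line)
    return None if m is None else (m.group(1), m.group(2), int(m.group(3)), m.group(4))

def diagnose(log_text):
    """Return the stages reached in order, the first hard failure, and racoon warnings."""
    reached, warnings, failure = [], [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                      # skip non-logcat lines (blank, annotations)
        level, tag, _pid, msg = rec
        for name, marker in STAGES:
            if marker in msg and name not in reached:
                reached.append(name)
        if level == "W" and tag == "racoon":
            warnings.append(msg)          # e.g. transform mismatches during phase 2
        if failure is None:
            for name, marker in FAILURES:
                if marker in msg:
                    failure = name
    return {"reached": reached, "failure": failure, "warnings": warnings}
```

Run over the posted capture, `diagnose()` reports every IPsec and L2TP stage reached and `ppp_auth` as the failure, which matches the poster's reading that IPsec is not the problem.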