Re: VPN Client for Android - Page 3

stefan.morlin · ‎04-09-2010

Hi!

We have got a couple of mobile phones with Android OS to our company.

We need a proper IPSEC VPN client to these Android phones, but cannot find any.

There are some IPSEC VPN clients on the market, but to use these you have to root the phone.

We have a ASA 5520 that works great with the Cisco AnyConnect client on Windows PC:s.

Will Cisco release a VPN client, like AnyConnect, that is compatible with Android?

Best Regards

Stefan

Jan Nohejl · ‎03-29-2011

Problem seems to be in implementation of L2TP/IPSec client on Android phone, which violates RFC 3193 (RFC 3193 says IKE Phase 2 ID need to have "specific" port numbers) Android client negotiates port 0 (meaning any) in IKE phase 2 and later on uses a ephemeral port as the source port for l2tp which is not correct (it is supposed to negotiate a specific port and use it as the source port for l2tp) based on the RFC. ASA code does not allow this due to the filter rule installed.

For the non-NAT case ASA originally used the port the peer negotiated in IKE phase 2 in its filter rules and defaulted to 1701 if the peer negotiated 0 meaning "any". After the fix, that behavior has changed so now ASA allows any l2tp source port from the peer if the peer negotiated 0.

For the NAT case this issue does not arise because ASA uses the peer's IKE source port to implement its filter rules. It needs to be done this way in order to be able to distinguish between multiple peers behind a NAT device that may be using the same l2tp source port.

Mentioned was incorporated in interim CCO release 8.3.2.13 and CCO release 8.4.1

CiscoMotive · ‎01-28-2011

And here is the config I am using. Note that some password, IPs, certificates have been removed, so this cannot be copy-pasted to an

ASA as such.

ASA Version 8.3(2)12
!
hostname asagw
domain-name somedomain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 11.12.13.14 255.255.255.224
!
interface Ethernet0/1
nameif LAN
security-level 10
ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa832-12-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name somedomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-network
subnet 10.0.0.0 255.255.0.0
description LAN network / 16
object network RA-VPN-network
subnet 10.60.0.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool android_vpn_pool 10.60.0.1-10.60.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source static LAN-network LAN-network destination static RA-VPN-network RA-VPN-network
nat (WAN,WAN) source dynamic RA-VPN-network interface
nat (LAN,WAN) source dynamic LAN-network interface
route WAN 0.0.0.0 0.0.0.0 11.12.13.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANSP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map WAN_dyn_map 65535 set transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto ca trustpoint OpenSSL_Trustpoint
enrollment terminal
crl configure
crypto ca certificate chain OpenSSL_Trustpoint
certificate

quit
certificate ca

quit
crypto isakmp enable WAN
crypto isakmp policy 20
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 LAN
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 46.183.73.2 source WAN prefer
ntp server 81.22.244.161 source WAN
webvpn
group-policy "IT Support" internal
group-policy "IT Support" attributes
dns-server value 4.5.6.7, 8.9.10.11
vpn-tunnel-protocol IPSec l2tp-ipsec
username androiduser password xxxxxxxx nt-encrypted
username androiduser attributes
service-type remote-access
tunnel-group "IT Support" type remote-access
tunnel-group "IT Support" general-attributes
address-pool android_vpn_pool
default-group-policy "IT Support"
tunnel-group "IT Support" ipsec-attributes
peer-id-validate nocheck
trust-point OpenSSL_Trustpoint
isakmp keepalive disable
tunnel-group "IT Support" ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:01757bd290ed81bbaa7f9bf432e3024c
: end

CiscoMotive · ‎01-28-2011

As last part, a short checklist about all the locations that need some configuration in ASDM:

Create IPSec Transform sets

Android uses IPSec transport mode, so there need to be transform sets with Transport mode enabled. Configure these transform sets: ESP-AES-128-SHA-TRANSP and ESP-3DES-SHA-TRANSP. See details in the config example above.

Create IKE Policy

A specific IKE Policy is needed. Configure a policy with these values:

Encryption: 3DES

Hash: SHA

Authentication: rsa-sig

D-H Group: 2

Check IKE Parameters

Check that IKE is enabled on WAN interface, and that NAT-T is enabled.

Configure the Crypto MAP

Create a dynamic crypto map with priority 65535. Make sure that NAT-T is enabled on Advanced tab. Do not enable Perfect Forwarding Security. If there is a need to connect to this same VPN connection with pure IPSec (i.e. non-L2TP) client, then some tunnel mode transform sets must be added also. This is beneficial if for example Shrew VPN client is used for testing the setup.

Add a local user

Make sure to check "User authenticated using MSCHAP" for the user.

Create an address pool

Nothing special here, just create a pool for client to get addresses.

Create VPN Group Policy

Under More Options, enable only L2TP/IPSec tunneling protocol. If there is a need to connect with a pure IPSec client (such as Shrew VPN) enable also IPSec. In the Servers, configure DNS Servers to be used by the clients. All other values can be left as "Inherit".

Create IPSec Connection Profile

•    Give a descriptive name for the VPN connection. Remember that the connection name must match the OU field in the DN of client certificates.
•    Do not configure any Pre-shared key. Instead, select the correct certificate in the Identity Certificate field.
•    Select LOCAL as Server Group under User Authentication.
•    Select correct Client Address Pool.
•    Select the correct Group Policy, created in the previous section.
•    Select Enable L2TP over IPSec protocol. If there is a need to connect with pure IPSec clients as well, enable also IPSec protocol.
•    Under Advanced - IPSec, set IKE Peer ID Validation to Do not check.
•    Under Advanced - IPSec, set IKE keepalives to Disable keepalives.
•    Under Advanced - PPP, select only MS-CHAP-V1, MS-CHAP-V2 and PAP.

Add NAT exempt rules

NAT exempt rules are needed so that traffic between the VPN clients and internal/LAN -network are not NATted. This is part of basic remote access configuration, and is not explained in more detail here.

MarkoTanaskovic · ‎04-07-2011

I tried to configure the ASA with 8.2.4 code for operation with Android native IPsec over L2tp, without much success. I will not go into detail, as this has been explained in previous posts by other members. The 8.4.1 code works perfectly, with or without NAT devices in between. The authentication is done through Cisco ACS, using RADIUS protocol, with downloadable access lists as to impose some limitations on different categories of users. I tested with up to 10 Android phones of different vendors ( Dell streak, Samsung Galaxy, HTC Desire, ... ) at the same time, without problems.

Has anyone implemented this on a Cisco router ( 2821 router running 12.4.24T code with Advanced IP services featureset ) ? I am about to test this, so any recommendations are welcome.

patrik.spiess · ‎04-07-2011

Hi Marko (or others)

I also was able to connect our Androids over L2TP.

But authentication only works with local users. As soon as I reconfigure it to use RADIUS it seems that the ASA does not send a passwort in the AuthReques package and the authentication fails.

Are there any hints, how to do it with RADIUS authentication?

Thanks

Patrik

MarkoTanaskovic · ‎04-07-2011

This is what happened to me with 8.2.4 code. I ran some AAA debugs of 8.2.4 vs 8.4.1 and clearly saw that the 8.2.4 simply stops, and then times out.

I do know what code you are running. No additional hints for AAA. Works both ways for me, locally and over an AAA server.

patrik.spiess · ‎04-07-2011

Sorry, I forgot to mention that I also run 8.4(1).

So I have to debug it further. Or Maybe you could paste an anonymized copy of your AAA config?

but thanks anyway

Patrik

MarkoTanaskovic · ‎04-07-2011

Hi Patrik,

I would first try the test aaa command to see if the aaa srver is responding normally ( assuming this is a new installation, of course ). If nothing happens, perhaps, you are missing authentication methods in the tunnel group config:

tunnel-group DefaultRAGroup general-attributes
...
authentication-server-group RADIUS LOCAL

....

The config for AAA is rudimentary :

SecLabASA# sh run aaa
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL

...

SecLabASA# sh run aaa-server
aaa-server RADIUS protocol radius
aaa-server RADIUS (lab_lan) host A.B.C.D
key 8 ********************

...

If nothing "debugs" :-) it is usually some misconfig on the ASA.

Regards, Marko

patrik.spiess · ‎04-07-2011

Hi Marko

Thanks for your answers.

It seems I found the reason it doesn't work for me. We use freeradius as RADIUS server. The Authentication Android uses for L2TP seems to be MS-CHAP with challange/response. And theese to are not compatible with each other.

The mentioned article says:

"MS-CHAP works with clear-text passwords, or with NT-Passwords. Nothing else."

So, the ASA seems not to be the root cause.

regards

Patrik

MarkoTanaskovic · ‎04-08-2011

Hi Patrik,

I am glad you solved the problem.

I am now working on the same thing for the Cisco router :-)

Regards,

Marko

lmcruzhsa · ‎05-23-2011

Config for finish a VPN connection against a Cisco router from an Android device:

vpdn enable
vpdn multihop
vpdn logging
vpdn history failure table-size 50
!
vpdn-group L2TP-VPN
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname anonymous
lcp renegotiation always
no l2tp tunnel authentication
l2tp tunnel password 7 XXXXXXXXXXXXX
l2tp tunnel framing capabilities all
l2tp tunnel bearer capabilities all
l2tp ip udp checksum
ip pmtu
ip mtu adjust

l2tp congestion-control

interface Virtual-Template1
description Templates for VPNs from Androids
ip unnumbered FastEthernet0/0.XXXXXXXXXXXX
ip verify unicast source reachable-via rx
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip tcp header-compression
ntp disable
peer ip address forced
peer default ip address pool XXXXXXXXX
keepalive 5 2
ppp mtu adaptive
ppp encrypt mppe auto
ppp authentication chap pap ms-chap ms-chap-v2

! hostname of your router in the next XXXXXXX
ppp chap hostname XXXXXXXXXXX
ppp ipcp header-compression ack
ppp ipcp address required
ppp ipcp address unique
no clns route-cache

IOS running: c2600-advsecurityk9-mz.124-15.T13.bin

HTC: HTC Desire Z

Things to consider before copy & paste in your scenario:

- IP forced for the VPN from AAA (not detailed here in this post)

- AAA auth configured in my scenario, not detailed here neither

- I have a VRF scenario here, not detailed neither in this post.

- Fields you can replace with XXXXXXXXXX

- Pool configuration not defailed, but easy to find from any PPP template or cisco documentation.

Last notes:

- Android 2.x doesnt support double factor auth. I mean, user+passwd and group+passwd. So, VPN against something like VPN3000 device is not going to work, I dont know if this applies to ASA too.

- Cisco is not going to release a VPN client -as far as I know- out of its Android products because it requires low level changes.

- No rooted device required, this template works with the HTC default firmware.

LuisMi

Herbert Baerten · ‎06-27-2011

First of all, Many thanks to Petteri and Luis for helping out so many users!

Now for some news...

June 27, 2011

We are pleased to announce that the Cisco AnyConnect Secure Mobility Client is the first 3^rd party (and only SSL) VPN client available for Samsung Android devices.

Customers may download the Cisco AnyConnect Secure Mobility Client directly from the Android Market.

Supported Devices:

Galaxy S model GT-I9000 (Gingerbread Maintenance Release)

Galaxy S model SC-02B (Gingerbread Maintenance Release)

Galaxy S II model GT-I9100

Galaxy S II model SC-02C

AnyConnect is also supported on Tab 7 running Android 2.3.3+ or Galaxy Tabs 8.9 and 10.1 running Android 3.0+.

Software Access:

https://market.android.com/details?id=com.cisco.anyconnect.vpn.android

Users Guide:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/android-user/guide/android-acug.html

Release Notes:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/rn-ac2.4-android.html

Licensing and Infrastructure Requirements:

AnyConnect for Android requires Cisco Adaptive Security Appliance (ASA) Boot image 8.0(4) or later.

For licensing questions and evaluation licenses, please contact ac-mobile-license-request (AT) cisco.com and include a copy of "show version" from your Cisco ASA.

If you already have an Essentials or Premium ASA license, you may use the automated license request tool at:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=717

The ASA requires an AnyConnect Mobile license (L-ASA-AC-M-55XX=), as well as either an AnyConnect Essentials (L-ASA-AC-E-55XX=) or AnyConnect Premium Clientless SSL VPN Edition (L-ASA-AC-SSL-YYYY=) license, where XX is the last two digits of your ASA model number and YYYY is the number of simultaneous users. AnyConnect Mobile and Essentials licenses are enabled per ASA, there is no per user charge for either of these licenses.

lmcruzhsa · ‎02-11-2012

Hi Mebaro815,

I would like to give you an inmediate answer, but, the scenario I have here is...

2621xm with ipsec over tunnel gre interface (is a VTI with ipsec config), and in the same router, a virtual-template for L2TP and the Androids...

You wrote two "interface Virtual-Template10" interfaces, it makes me confused.

Can you explain it?

do you have logs? logs from debugs?

I expect no NAT between client and vpn server... but can you confirm it?

mebaro815 · ‎02-08-2012

Hi Luis!

I hope you're still around...

I configured L2TP/IPSEC on my 2811 router and it worked great eve using RADIUS to authenticate against my domain. The only problem I have is when I enabled L2TP I seem to have disabled isakmp-ipsec. We can no longer connect from Cisco VPN Client on Win PC and i-devs. Do you know how I can get my two worlds to coexist?

Here is my config (cleaned up):

vpdn enable

!

vpdn-group 1

accept-dialin

protocol l2tp

virtual-template 10

source-ip xx.xx.xx.xx

source vpdn-template 10

l2tp security crypto-profile l2tp keep-sa

l2tp tunnel hello 15

no l2tp tunnel authentication

l2tp tunnel timeout no-session 5000

crypto isakmp key xxxxxxxxx address 0.0.0.0 0.0.0.0 no-xauth

crypto isakmp profile vpn-isakmp-profile

match identity group RemoteUsers

client authentication list sdm_vpn_xauth_ml_16

isakmp authorization list sdm_vpn_group_ml_17

client configuration address initiate

client configuration address respond

crypto dynamic-map SDM_DYNMAP_1 2

set transform-set esp-aes-sha

set isakmp-profile vpn-isakmp-profile

reverse-route

crypto map SDM_CMAP_1 50 ipsec-isakmp profile l2tp

description Ebix-Mobil-Connect

set transform-set ESP-3DES-SHA2 ESP-AES-SHA3 ESP-3DES-SHA4

interface Virtual-Template10

ip unnumbered FastEthernet0/1

ip mtu 1400

ip tcp adjust-mss 1200

peer default ip address pool SDM_POOL_5

ppp mtu adaptive

ppp timeout idle 5000

crypto dynamic-map SDM_DYNMAP_1 2
set transform-set esp-aes-sha
set isakmp-profile vpn-isakmp-profile
reverse-route

crypto map SDM_CMAP_1 50 ipsec-isakmp profile l2tp
description Mobil-Connect
set transform-set ESP-3DES-SHA2 ESP-AES-SHA3 ESP-3DES-SHA4

interface Virtual-Template10
ip unnumbered FastEthernet0/1
ip mtu 1400
ip tcp adjust-mss 1200
peer default ip address pool SDM_POOL_5
ppp mtu adaptive
ppp timeout idle 5000

Thanks! Max

daniel_boubeta · ‎05-25-2011

Hi all!

I have followed luis cruz instructions and I have connected my Samsung Galaxy S (with android 2.3.3) to my Cisco 877 (with IOS 15.1(1)T2) with a L2TP VPN. The only thing I have to change was the line "ppp authentication chap pap ms-chap ms-chap-v2" to "ppp authentication ms-chap"

Regards,

Dani