I used OpenSSL for generating the certificates. I guess it is also doable using Windows certificate tools, but have more experience using OpenSSL, so I found it easier. Basically, it goes like this;

- Create your own CA using OpenSSL.

- Import the CA cert in Cisco ASA.

- Create an identity certificate request in ASA. This certificate will identify the ASA when an IPSec connection is opened.

- Sign the mentioned identity certificate usin the CA created in the first step.

- Install the signed identity certificate in ASA, in the same trustpoint as for the CA certificate. At this point, ASA has two certificates: the CA's certificate, and the identity certificate of the ASA itself.

- Create a certificate request for the client (i.e. Android device) using OpenSSL. This certificate must have same OU as the ASAs identity certificate, because authentication is (partially) based on comparing those two certificates.

- Sign the certificate request using the CA created in the first step.

- Install the certificate in Android device.

I got this working just yesterday, and I have to document it in more detail anyway during the next week. (because I made the configuration as part of my job, not as a hobby or something ). I can then probably share at least relevant part of the document.

Hey Petteri,

are there any updates about the topic?

Currently I'm trying to terminate remote access VPN connection using L2TP / IPSec CRT from Android 2.2 VPN client. All the steps you've mentioned in your previous post regarding certificates were done. But connection fails on the phase 1. It seems that management connection is built, but tunnel isn't associated with any of the tunnel groups. Well, actually, it doesn't even try to associate with any. Connection debug log is attached and now I'm stuck looking at it. IKE is exchanging messages, and I can't identify the problem... I've got no clue at the moment, how to debug it further.

Any ideas and references would be very welcome.

Regards!

PIX-515E, 8.0(4)

Here is the first part, which is all about certificates.

1    Prerequisites

1.1    OpenSSL
Latest version of OpenSSL tools can be found from Shining Light Productions web site: http://www.slproweb.com/products/Win32OpenSSL.html. Download the full version for correct architecture, together with Visual C++ 2008 Redistributable package, and install both. Install OpenSSL to directory without any spaces in the path, e.g. C:\apps\OpenSSL. Select The Windows system directory when the installer queries about the installation location for OpenSSL DLLs. After installation, add the bin-directory of OpenSSL to the PATH-variable.

1.2    Cisco ASA Software Version
A Cisco ASA SW version 8.3(2).12 is needed. Without the correct version of the software, VPN connections from devices which are not behind a NAT device are unsuccessful. The exact symptom is that IPSec tunnel opens, but L2TP protocol exchange is not initiated correctly, thus leaving the tunnel unusable for such devices. For NATted devices the connections are successful also with standard ASA operating system version. It is probably necessary to have a valid support contract with Cisco to gain this software. Contact Cisco support with valid support ID.

2    Create and Install Certificates

2.1    Create a Certificate Authority

1.    Create a separate directory for CA and all related files, and change to that directory.
md C:\apps\OpenSSL\CA
cd C:\apps\OpenSSL\CA

2.    Create CA key pair. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out CA_key.pem -des3 2048

3.    Create a self-signed certificate for the CA.
openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem

To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 2. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:

Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = Some Unit
Common Name = IamTheCA
Email Address =

4.    Contents of the certificate can be checked as follows. At this point, CA is ready to start signing certificate requests from clients.
openssl x509 -in CA_crt.pem -noout -text

2.2    Create a Client Certificate Request

1.    Create a key pair for the client. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out client_key.pem -des3 2048

2.    Create a certificate request for a client certificate.
openssl req -new -key client_key.pem -out client_csr.pem

To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 1. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:

Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = IT Support
Common Name = AndroidClient
Email Address =

Note that by default Cisco uses the Organizational Unit -field as the name of VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "IT Support" in ASA. OpenSSL also asks values for optional "challenge password" and "company name" fields. Leave these fields blank.

2.3    Sign the Client Certificate Using the CA

1.    To sign the client's certificate request using the CA's key, use the following command:
openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq

CA's key file's password is needed, give the password originally used when creating the CA's key pair. Note that CAcreateserial -option does not need to be used on successive signing of certificate requests. It's only needed on the first time to initialize the sequence number file.

2.    Contents of the clients certificate can be checked as follows:
openssl x509 -in client_crt.pem -noout -text

3.    Transform the .pem-format certificate to a pkcs#12 file:
openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem

4.    The pkcs#12 file is now ready to imported to an Android device.

2.4    Import the CA Certificate to Cisco ASA

1.    Log in to Cisco ASA using ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.

2.    Click Add, and in Install from a file -field, browse the CA certificate file created previously. Trustpoint name can be left as the default, or it can be changed to something more descriptive.

3.    Click Install Certificate.

2.5    Create a Server Certificate Request

1.    In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select Add a new identity certificate. There is a bug in ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected compared to what was used for the CA certificate. The certificate will be moved to the same trustpoint manually later.

2.    Select the subject DN fields by clicking Select. Add same values as for the client, except for the Common Name (CN) field. Use e.g. "asagw" there.

3.    Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem".

2.6    Sign the Server Certificate Request Using the CA

1.    To sign the server's certificate request using the CA's key, use the following command:

openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq

CA's key file's password is needed, give the password originally used when creating the CA's key pair.

2.    Contents of the certificate can be checked as follows:

openssl x509 -in server_crt.pem -noout -text

2.7    Install the Server Certificate in Cisco ASA

1.    In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate, and click Install.

2.    Browse for the signed certificate file, and click Install Certificate.

3.    Identity certificate is still in the wrong trustpoint. It must be manually moved to the same trustpoint with the server certificate. Open and SSH or Telnet connection to ASA, and run command (all commands are expected to be executed in enable and/or configure mode):

sh run crypto

In the output, both trustpoints previously created should be visible, with one certificate each, like in the following:

crypto ca certificate chain OpenSLL_Trustpoint
certificate ca
   
  quit
crypto ca certificate chain Temporary_trustpoint
certificate
   

  quit

4.    Copy the certificate in the temporary trustpoint to the clipboard, starting from the line beginning with word "certificate" and ending to the line starting with "quit".

5.    Enter the configuration mode (command "conf ter") and modify the real trustpoint (named OpenSSL_Trustpoint in this example):
crypto ca certificate chain OpenSLL_Trustpoint

6.    Paste the certificate copied to the clipboard in step 4. Execute command "exit" to exit trustpoint configuration.

7.    Remove the identity certificate from the temporary trustpoint:
crypto ca certificate chain Temporary_trustpoint
no certificate
exit

8.    Remove the temporary trustpoint:
no crypto ca trustpoint Temporary_trustpoint

9.    At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
crypto ca certificate chain OpenSLL_Trustpoint
certificate
   
  quit
certificate ca
  

   quit

10.    Save config (exit, write memory). Refresh configuration in ASDM, and verify from there also that certificates are under the same trustpoint.

Petteri,

I've followed your instructions and at the ASA, when I try to connect via the Android phone I get:

Failed to retrieve identity certificate

and then...

Removing peer form peer table failed, no match!

I've done this three three times and I'm still receiving the above errors. Can you shed any light on this for me?

Thanks,

Rich

I remember having the same error at some point, but I can't remember what was the reason. Can you post your configuration, I can then check it and maybe I can find something.

I asked  the same of our Cisco Security POC via our ASE and was told HTC and one other wil be the first two. 

I don't believe that Cisco will have VPN client for Android so soon. The problem is, that it needs TUN support in kernel for creating virtual tun0 interface for vpn connections. IMHO it depends on Google or manufacturers to add support to kernel.

Google natively uses L2TP/IPSec for VPN connections and ASA can also, so you can build a VPN on L2TP. L2TP uses PPP protocol, so the virtual interface is created with PPP support (ppp0 interface)

Thanks to Petteri Heinonen for guideline. If someone do not want to use certificate, you can use preshared key in DefaultRAGroup tunnel group. You can even allow users to connect to specific connection profiles (tunnel groups) instead of the default connection profile (DefaultRAGroup). This allows the client to retrieve AAA and PPP attributes from that specific connection profile rather than the default connection profile. To do this, users send their username as username@groupname.

For more info see link

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/l2tp_ips.html#wp1074591

I have working configuration, it works perfectly. I don't need Cisco VPN klient anymore

Hi Jan.  Thanks for your post.  I have upgraded an ASA 5540 to 2GB memory and ASA version 8.3.2.13.  I followed the configuration link you posted, but am still striking out getting an Android tablet connected with L2TP/IPSEC.  The ASA DefaultGroup is using RADIUS authentication.  The two primary errors I am seeing are that AAA: Authentication Failure (which I have verified is working for typical IPSEC tunnel groups) and Session Terminated:L2TP Initiated.  I have L2TP/IPSEC enabled on the default tunnel group and associated tunnel group policy.  I have a crypto map configured for transport mode.  Any suggestions on what I could be missing here to get this working.  Appreciate any assistance.

Thanks

Mark

It's looking like there is some progress :

http://www.computerworlduk.com/news/mobile-wireless/3260863/samsung-galaxy-s-ii-boosts-business-features/

That looks very promising and exciting!

Hi, when using local users I had to enable this: "User authenticated using MSCHAP" for the user.

I also remember that there was some restrictions related to what authentication methods
were available for RADIUS and LOCAL users. Maybe MSCHAP is not possible through RADIUS? I propose that you try first with a local user, to see if everything else is ok. The error message about L2TP initiated session tear down is probably just a result of unsuccesfull authentication.

Hi, exactly my words!

I tried to use tacacs+ as authentications server and it works perfecty. Try to use local auth.

The first syslog message is authentication error and the second is disconnect message related to the authentication error.

I have set mine up with both via certs and PSK, howerver I don'

t seem to be passing the user/pass from the driod. I've tested via windo

ws and it works great, but seems to be an issue with the droid. an

y special settings I may be missing?

Got it working, it was the ASA code, upgraded to 8.4.