04-09-2010 12:57 AM
Hi!
We have got a couple of mobile phones with Android OS to our company.
We need a proper IPSEC VPN client to these Android phones, but cannot find any.
There are some IPSEC VPN clients on the market, but to use these you have to root the phone.
We have a ASA 5520 that works great with the Cisco AnyConnect client on Windows PC:s.
Will Cisco release a VPN client, like AnyConnect, that is compatible with Android?
Best Regards
Stefan
01-21-2011 07:08 AM
Would you care to enlighten us as to how you did that? Where did you get the certificate? Did the ASA generate one and you imported it onto the phone?
01-22-2011 02:34 AM
I used OpenSSL for generating the certificates. I guess it is also doable using Windows certificate tools, but have more experience using OpenSSL, so I found it easier. Basically, it goes like this;
- Create your own CA using OpenSSL.
- Import the CA cert in Cisco ASA.
- Create an identity certificate request in ASA. This certificate will identify the ASA when an IPSec connection is opened.
- Sign the mentioned identity certificate usin the CA created in the first step.
- Install the signed identity certificate in ASA, in the same trustpoint as for the CA certificate. At this point, ASA has two certificates: the CA's certificate, and the identity certificate of the ASA itself.
- Create a certificate request for the client (i.e. Android device) using OpenSSL. This certificate must have same OU as the ASAs identity certificate, because authentication is (partially) based on comparing those two certificates.
- Sign the certificate request using the CA created in the first step.
- Install the certificate in Android device.
I got this working just yesterday, and I have to document it in more detail anyway during the next week. (because I made the configuration as part of my job, not as a hobby or something ). I can then probably share at least relevant part of the document.
01-27-2011 01:01 AM
Hey Petteri,
are there any updates about the topic?
Currently I'm trying to terminate remote access VPN connection using L2TP / IPSec CRT from Android 2.2 VPN client. All the steps you've mentioned in your previous post regarding certificates were done. But connection fails on the phase 1. It seems that management connection is built, but tunnel isn't associated with any of the tunnel groups. Well, actually, it doesn't even try to associate with any. Connection debug log is attached and now I'm stuck looking at it. IKE is exchanging messages, and I can't identify the problem... I've got no clue at the moment, how to debug it further.
Any ideas and references would be very welcome.
Regards!
PIX-515E, 8.0(4)
01-28-2011 06:05 AM
Here is the first part, which is all about certificates.
1.1 OpenSSL
Latest version of OpenSSL tools can be found from Shining Light Productions web site: http://www.slproweb.com/products/Win32OpenSSL.html. Download the full version for correct architecture, together with Visual C++ 2008 Redistributable package, and install both. Install OpenSSL to directory without any spaces in the path, e.g. C:\apps\OpenSSL. Select The Windows system directory when the installer queries about the installation location for OpenSSL DLLs. After installation, add the bin-directory of OpenSSL to the PATH-variable.
1.2 Cisco ASA Software Version
A Cisco ASA SW version 8.3(2).12 is needed. Without the correct version of the software, VPN connections from devices which are not behind a NAT device are unsuccessful. The exact symptom is that IPSec tunnel opens, but L2TP protocol exchange is not initiated correctly, thus leaving the tunnel unusable for such devices. For NATted devices the connections are successful also with standard ASA operating system version. It is probably necessary to have a valid support contract with Cisco to gain this software. Contact Cisco support with valid support ID.
2.1 Create a Certificate Authority
1. Create a separate directory for CA and all related files, and change to that directory.
md C:\apps\OpenSSL\CA
cd C:\apps\OpenSSL\CA
2. Create CA key pair. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out CA_key.pem -des3 2048
3. Create a self-signed certificate for the CA.
openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem
To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 2. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = Some Unit
Common Name = IamTheCA
Email Address =
4. Contents of the certificate can be checked as follows. At this point, CA is ready to start signing certificate requests from clients.
openssl x509 -in CA_crt.pem -noout -text
2.2 Create a Client Certificate Request
1. Create a key pair for the client. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out client_key.pem -des3 2048
2. Create a certificate request for a client certificate.
openssl req -new -key client_key.pem -out client_csr.pem
To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 1. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = IT Support
Common Name = AndroidClient
Email Address =
Note that by default Cisco uses the Organizational Unit -field as the name of VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "IT Support" in ASA. OpenSSL also asks values for optional "challenge password" and "company name" fields. Leave these fields blank.
2.3 Sign the Client Certificate Using the CA
1. To sign the client's certificate request using the CA's key, use the following command:
openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq
CA's key file's password is needed, give the password originally used when creating the CA's key pair. Note that CAcreateserial -option does not need to be used on successive signing of certificate requests. It's only needed on the first time to initialize the sequence number file.
2. Contents of the clients certificate can be checked as follows:
openssl x509 -in client_crt.pem -noout -text
3. Transform the .pem-format certificate to a pkcs#12 file:
openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem
4. The pkcs#12 file is now ready to imported to an Android device.
2.4 Import the CA Certificate to Cisco ASA
1. Log in to Cisco ASA using ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.
2. Click Add, and in Install from a file -field, browse the CA certificate file created previously. Trustpoint name can be left as the default, or it can be changed to something more descriptive.
3. Click Install Certificate.
2.5 Create a Server Certificate Request
1. In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select Add a new identity certificate. There is a bug in ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected compared to what was used for the CA certificate. The certificate will be moved to the same trustpoint manually later.
2. Select the subject DN fields by clicking Select. Add same values as for the client, except for the Common Name (CN) field. Use e.g. "asagw" there.
3. Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem".
2.6 Sign the Server Certificate Request Using the CA
1. To sign the server's certificate request using the CA's key, use the following command:
openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq
CA's key file's password is needed, give the password originally used when creating the CA's key pair.
2. Contents of the certificate can be checked as follows:
openssl x509 -in server_crt.pem -noout -text
2.7 Install the Server Certificate in Cisco ASA
1. In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate, and click Install.
2. Browse for the signed certificate file, and click Install Certificate.
3. Identity certificate is still in the wrong trustpoint. It must be manually moved to the same trustpoint with the server certificate. Open and SSH or Telnet connection to ASA, and run command (all commands are expected to be executed in enable and/or configure mode):
sh run crypto
In the output, both trustpoints previously created should be visible, with one certificate each, like in the following:
crypto ca certificate chain OpenSLL_Trustpoint
certificate ca
quit
crypto ca certificate chain Temporary_trustpoint
certificate
quit
4. Copy the certificate in the temporary trustpoint to the clipboard, starting from the line beginning with word "certificate" and ending to the line starting with "quit".
5. Enter the configuration mode (command "conf ter") and modify the real trustpoint (named OpenSSL_Trustpoint in this example):
crypto ca certificate chain OpenSLL_Trustpoint
6. Paste the certificate copied to the clipboard in step 4. Execute command "exit" to exit trustpoint configuration.
7. Remove the identity certificate from the temporary trustpoint:
crypto ca certificate chain Temporary_trustpoint
no certificate
exit
8. Remove the temporary trustpoint:
no crypto ca trustpoint Temporary_trustpoint
9. At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
crypto ca certificate chain OpenSLL_Trustpoint
certificate
quit
certificate ca
quit
10. Save config (exit, write memory). Refresh configuration in ASDM, and verify from there also that certificates are under the same trustpoint.
02-07-2011 12:35 PM
Petteri,
I've followed your instructions and at the ASA, when I try to connect via the Android phone I get:
Failed to retrieve identity certificate
and then...
Removing peer form peer table failed, no match!
I've done this three three times and I'm still receiving the above errors. Can you shed any light on this for me?
Thanks,
Rich
02-07-2011 11:03 PM
I remember having the same error at some point, but I can't remember what was the reason. Can you post your configuration, I can then check it and maybe I can find something.
01-21-2011 07:45 AM
I had a meeting with our Cisco security/voice/sales reps last week, and asked them point-blank about an anyconnect android client.
I was told that yes, in addition to the existing AnyConnect support on the Clie tablet, they are working on a native client for android. It's in alpha/beta stage, and should be out by June if not sooner.
I'm disappointed that it's taken this long for them to roll one out, but I can be patient a little more.
I did find it interesting that most of the Cisco reps I've seen use Macbooks and iPhones.
-Dan
01-27-2011 11:51 AM
I asked the same of our Cisco Security POC via our ASE and was told HTC and one other wil be the first two.
02-11-2011 08:59 AM
I don't believe that Cisco will have VPN client for Android so soon. The problem is, that it needs TUN support in kernel for creating virtual tun0 interface for vpn connections. IMHO it depends on Google or manufacturers to add support to kernel.
Google natively uses L2TP/IPSec for VPN connections and ASA can also, so you can build a VPN on L2TP. L2TP uses PPP protocol, so the virtual interface is created with PPP support (ppp0 interface)
Thanks to Petteri Heinonen for guideline. If someone do not want to use certificate, you can use preshared key in DefaultRAGroup tunnel group. You can even allow users to connect to specific connection profiles (tunnel groups) instead of the default connection profile (DefaultRAGroup). This allows the client to retrieve AAA and PPP attributes from that specific connection profile rather than the default connection profile. To do this, users send their username as username@groupname.
For more info see link
I have working configuration, it works perfectly. I don't need Cisco VPN klient anymore
02-16-2011 11:46 AM
Hi Jan. Thanks for your post. I have upgraded an ASA 5540 to 2GB memory and ASA version 8.3.2.13. I followed the configuration link you posted, but am still striking out getting an Android tablet connected with L2TP/IPSEC. The ASA DefaultGroup is using RADIUS authentication. The two primary errors I am seeing are that AAA: Authentication Failure (which I have verified is working for typical IPSEC tunnel groups) and Session Terminated:L2TP Initiated. I have L2TP/IPSEC enabled on the default tunnel group and associated tunnel group policy. I have a crypto map configured for transport mode. Any suggestions on what I could be missing here to get this working. Appreciate any assistance.
Thanks
Mark
02-16-2011 02:25 PM
It's looking like there is some progress :
02-22-2011 09:48 AM
That looks very promising and exciting!
02-17-2011 12:13 AM
Hi, when using local users I had to enable this: "User authenticated using MSCHAP" for the user.
I also remember that there was some restrictions related to what authentication methods
were available for RADIUS and LOCAL users. Maybe MSCHAP is not possible through RADIUS? I propose that you try first with a local user, to see if everything else is ok. The error message about L2TP initiated session tear down is probably just a result of unsuccesfull authentication.
02-17-2011 12:30 AM
Hi, exactly my words!
I tried to use tacacs+ as authentications server and it works perfecty. Try to use local auth.
The first syslog message is authentication error and the second is disconnect message related to the authentication error.
03-24-2011 08:10 AM
I have set mine up with both via certs and PSK, howerver I don'
t seem to be passing the user/pass from the driod. I've tested via windo
ws and it works great, but seems to be an issue with the droid. an
y special settings I may be missing?
Got it working, it was the ASA code, upgraded to 8.4.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide