12-13-2006 08:22 AM - edited 02-21-2020 02:46 PM
Is the Native L2TP/IPSec VPN Client in Windows Mobile 5.0 PDA devices compatible with the Cisco PIX Firewall's VPDN implementation? I have successfully got the Windows 2000 & XP Native L2TP/IPSec VPN Client to work with the PIX, but I am struggling a bit with a Windows Mobile 5.0 PDA device.
Before I start configuring span sessions and a sniffer etc., I thought it might be worth a quick question on here to save me wasting my time if it won't work.
Thanks
Andy
12-19-2006 10:12 AM
Cisco does not have a VPN client for mobile devices. List of 3rd-party vendors that offer a PDA client that is compatible with any Cisco VPN server:
Movian client, Bluefire, Apani, Mergic
01-04-2007 01:44 AM
L2TP/IPSEC on Windows Mobile will work with PIX, but only if you do not perform NAT or PAT, as L2TP protects the header. As well, group authentication is a bit tricky since L2TP does not use a group name, only a preshared key.
Try using a native IPSEC like Movian or sourefire.
Rate if this helped.
Regards,
Daniel
06-28-2007 07:01 AM
Any such luck with this? I am trying to use the native VPN client to our VPN 3000 Concentrator via the L2TP/IPSec tunnel, with no such luck. Anyone know what I might be missing? (besides a 3rd party app)
06-28-2007 07:09 AM
Aaron, same person you emailed......
As I said in the email, I have this working now with both PIX 6.3(5) and an IOS router (877). The config I sent you is for IOS; the PIX config is very similar, if not slightly less complicated. I am sure it won't be too difficult to port the configuration to the 3000 Concentrator?
Andy
06-29-2007 10:16 AM
Andrew,
I am looking at setting up VPN on a mobile client and was interested in the configs needed for a PIX. Would you be able to send me a copy?
Thanks,
Jason
06-29-2007 10:27 AM
The PIX was pretty easy to configure; there is a good example on CCO somewhere - search for VPDN & PIX I think?
Here are the relevant sections from a PIX I have this working on. I am using RSA signatures and an external RADIUS server:
ip address outside 10.1.1.254 255.255.255.0
access-list l2tp permit udp host 10.1.1.254 any eq 1701
ip local pool L2TP-IP-Pool-1 10.10.10.1-10.10.10.14 mask 255.255.255.240
sysopt connection permit-l2tp
!
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
!
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
!
vpdn group L2TP-VPN accept dialin l2tp
vpdn group L2TP-VPN ppp authentication mschap
vpdn group L2TP-VPN client configuration address local L2TP-IP-Pool-1
vpdn group L2TP-VPN client configuration dns 10.50.10.50
vpdn group L2TP-VPN client authentication aaa RADIUS
vpdn group L2TP-VPN client accounting RADIUS
vpdn group L2TP-VPN l2tp tunnel hello 60
vpdn enable outside
!
I think that is pretty much it.
Andy
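An added example, not part of the post above and not Cisco tooling: a small Python check over the crypto lines of the posted PIX configuration. It flags IKE Phase 1 parameters that this example treats as weak (DES, MD5, DH group 1, an assumption of the example) and crypto maps that are defined but never applied to an interface; the name `audit` and the sample text are constructed here.

```python
# Constructed sample: the Phase 1 and crypto-map lines copied from the post.
SAMPLE = """\
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap interface outside
"""

# Values treated as weak by this example (an assumption, not a vendor list).
WEAK_PHASE1 = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}

def audit(config):
    """Return a list of findings for PIX 6.x style isakmp/crypto lines."""
    findings, maps, bound, dyn_with_ts = [], {}, set(), set()
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["isakmp", "policy"] and len(t) == 5:
            if t[4] in WEAK_PHASE1.get(t[3], ()):
                findings.append(f"isakmp policy {t[2]}: weak {t[3]} {t[4]}")
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"transform-set {t[3]}: weak {x}" for x in t[4:] if x in WEAK_TRANSFORMS]
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["set", "transform-set"]:
            dyn_with_ts.add(t[2])
        elif t[:2] == ["crypto", "map"] and len(t) > 3:
            if t[3] == "interface":
                bound.add(t[2])
            elif t[4:6] == ["ipsec-isakmp", "dynamic"]:
                maps.setdefault(t[2], []).append(t[6])
            else:
                maps.setdefault(t[2], [])
    for name, dyns in maps.items():
        if name not in bound:
            findings.append(f"crypto map {name}: not bound to an interface")
        for d in dyns:
            # A dynamic-map entry needs a transform-set to negotiate Phase 2.
            if d not in dyn_with_ts:
                findings.append(f"dynamic-map {d}: no transform-set")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, Phase 1 comes out weaker than the 3DES/SHA transform set used for Phase 2, and `outside_map` with its `outside_dyn_map` shows up as unapplied.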
06-29-2007 10:22 AM
Just a quick update. I downloaded Bluefire's demo version and have created a successful VPN to the 3030. I'm still not sure what I was doing wrong on the Native client; in the short-term future I may go back to messing with it.
01-09-2008 12:07 PM
I am trying to set up a VPN connection from Windows Mobile 6 (PDA phone) to a VPN Concentrator 3030 using the Windows native L2TP over IPSec. I set up the VPN Concentrator the way suggested on this page...
The connection is fine IF I disable the authentication process. But with the authentication process, it doesn't work. The Concentrator log indicates the IKE phase 1 is good, the IPSec phase is good, but user authentication failed. I am sure my username and password on both sides match, and I also checked forcing different authentication methods (e.g. chap, mschapv1, mschapv2, etc.). Still no luck, and thus I am here digging through this forum.
Anyway, I just want to list this note here in case someone else may find a use for it.
-raymond