Windows Mobile 5.0 PDA Native L2TP/IPSec VPN to Cisco PIX 6.3(5)?

Is the Native L2TP/IPSec VPN Client in Windows Mobile 5.0 PDA devices compatible with the Cisco PIX Firewall's VPDN implementation? I have successfully got the Windows 2000 & XP Native L2TP/IPSec VPN Client to work with the PIX but I am struggling a bit with a Windows Mobile 5.0 PDA device.

Before I start configuring span sessions and a sniffer etc I thought it might be worth a quick question on here to save me wasting my time if it won't work.

Thanks

Andy

amritpatek
Level 6

Cisco does not have a VPN client for mobile devices. List of 3rd-party vendors that offer a PDA client that is compatible with any Cisco VPN server:

Movian client, Bluefire, Apani, Mergic

5220
Level 4

L2TP/IPSEC on Windows Mobile will work with PIX, but only if you do not perform NAT or PAT, as L2TP protects the header. As well, group authentication is a bit tricky since L2TP does not use group name, only preshared key.

Try using a native IPSEC like movian or sourefire.

Rate if this helped.

Regards,

Daniel

aaron.mason
Level 1

Any such luck with this? I am trying to use the native VPN client to our VPN 3000 Concentrator via the L2TP/IPSec tunnel. With no such luck. Anyone know what I might be missing? (besides a 3rd party app)

Aaron, same person you emailed......

As I said in the email I have this working now with both PIX 6.3(5) and an IOS router (877). The config I sent you is for IOS, the PIX config is very similar if not slightly less complicated. I am sure it won't be too difficult to port the configuration to the 3000 Concentrator?

Andy

Andrew,

I am looking at setting up VPN on a mobile client and was interested in the configs needed for a PIX. Would you be able to send me a copy?

Thanks,

Jason

The PIX was pretty easy to configure, there is a good example on CCO somewhere - search for VPDN & PIX I think?

Here are the relevant sections from a PIX I have this working on. I am using RSA signatures and an external RADIUS server:

```
ip address outside 10.1.1.254 255.255.255.0
access-list l2tp permit udp host 10.1.1.254 any eq 1701
ip local pool L2TP-IP-Pool-1 10.10.10.1-10.10.10.14 mask 255.255.255.240
sysopt connection permit-l2tp
!
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
!
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
!
vpdn group L2TP-VPN accept dialin l2tp
vpdn group L2TP-VPN ppp authentication mschap
vpdn group L2TP-VPN client configuration address local L2TP-IP-Pool-1
vpdn group L2TP-VPN client configuration dns 10.50.10.50
vpdn group L2TP-VPN client authentication aaa RADIUS
vpdn group L2TP-VPN client accounting RADIUS
vpdn group L2TP-VPN l2tp tunnel hello 60
vpdn enable outside
!
```

I think that is pretty much it.

Andy
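An added example, not part of the post above and not Cisco tooling: a small Python check run over the IKE, IPsec and crypto-map lines of the configuration as posted. The function name `audit_pix_vpn`, the embedded sample, and the choice of which values count as weak (DES, MD5, Diffie-Hellman group 1, ESP-DES/MD5/null) are assumptions of this example.

```python
# Constructed sample: IKE, IPsec and crypto-map lines copied from the posted config.
SAMPLE_CONFIG = """\
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
"""

# Values this example treats as weak (an assumption of the example, not a PIX rule).
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_ESP = {"esp-des", "esp-md5-hmac", "esp-null"}

def audit_pix_vpn(config):
    """Return findings for a PIX 6.3-style config given as one string."""
    findings, tsets, dyn_refs, bound = [], {}, {}, set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            # tok = isakmp policy <prio> <parameter> <value>
            if tok[4] in WEAK_IKE.get(tok[3], ()):
                findings.append(f"isakmp policy {tok[2]}: weak {tok[3]} {tok[4]}")
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 5:
            if tok[4] != "mode":  # skip the "mode transport" line
                tsets[tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 4:
            if tok[3] == "interface":
                bound.add(tok[2])
            elif "dynamic" in tok[:-1]:
                dyn_refs.setdefault(tok[2], []).append(tok[tok.index("dynamic") + 1])
    for name, transforms in tsets.items():
        findings += [f"transform-set {name}: weak transform {t}"
                     for t in transforms if t in WEAK_ESP]
    for name, dyns in dyn_refs.items():
        if name not in bound:  # a crypto map does nothing until bound to an interface
            findings.append(f"crypto map {name}: not applied to an interface "
                            f"(dynamic-map {', '.join(dyns)} never used)")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_vpn(SAMPLE_CONFIG):
        print(finding)
```

On the posted lines it reports the three Phase 1 parameters of policy 20 (weaker than the 3DES/SHA transform set they negotiate keys for) and that `outside_map` is never bound to an interface.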

aaron.mason
Level 1

Just a quick update. I downloaded Bluefire's demo version and have created a successful VPN to the 3030. I'm still not sure what I was doing wrong on the Native client, in the short term future I may go back to messing with it.

I am trying to set up a VPN connection from Windows Mobile 6 (PDA phone) to VPN Concentrator 3030 using the Windows native L2TP over IPSec. I set up the VPN Concentrator the way suggested on this page...

<http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094aca.shtml>

The connection is fine IF I disable the authentication process. But with the authentication process, it doesn't work. Concentrator log indicates the IKE phase 1 is good, IPSec phase is good, but user authentication failed. I am sure my username and password on both sides are matched, and I also checked forcing different authentication methods (e.g. chap, mschapv1, mschapv2, etc.). Still no luck and thus I am here digging this forum.

Anyway, just want to list this note here in case someone else may find a use for it.

-raymond
