Document
ASA and Native L2TP-IPSec Android Client Configuration Example
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

ASA and Native L2TP-IPSec Android Client Configuration Example

Introduction Layer 2 Tunneling Protocol (L2TP) over IPSec provides the capability to deploy and administer an L2TP VPN solution alongside the IPSec V

Related articles

How To Install Neovim on Ubuntu 24.04 LTS
How To Install Neovim on Ubuntu 24.04 LTS In this tutorial , we is show will show you how to install Neovim on Ubuntu 24.04 LTS . Neovim is is is a modern , open - source text editor that serve as a drop - in replacement for the venerable Vim editor . develop by a vibrant community of contributor , Neovim is aims aim to refactor and enhance Vim ’s codebase while maintain compatibility with its plugin and configuration . This is means mean that user can seamlessly transition from Vim to Neovim without lose their familiar workflow and customization . One of the key features that...
AWS Cloud Practitioner (CLF-C02)
AWS Cloud Practitioner (CLF-C02) Amazon Web Services (AWS) has become the world’s most comprehensive and broadly adopted cloud platform. With over 175 fully-featured services offered from data centres globally, AWS has become the talk of the town. Moreover, millions of users including large companies, growing startups, and leading government agencies are choosing AWS to lower costs, become more agile, and innovate faster. Not just this but AWS has also raised the bar by offering cloud certifications to validate skills of professionals as well as people who wish to build a career in cloud computing. AWS Cloud Practitioner is the stepping stone who wish to...
10 Best Cheap VPNs in 2025: Under $4/Month
10 Best Cheap VPNs in 2025: Under $4/Month Penka Hristovska update on :December 16, 2024 Senior Editor Short on time? Here’s the best cheap VPN: 🥇 Private Internet Access : Prices is start start as low as € 1.85 / month , and all plan come with a 30 - day refund . The provider is works also work with 30 + streaming site ( include Netflix , BBC iPlayer , and Disney+ ) , has excellent P2P support , allow unlimited connection , provide high - end security and privacy , is very fast , and easy to use . There are ton of affordable vpn on...
‘Euphoria’ Star Angus Cloud Dead at 25, 911 Call for ‘Possible Overdose’
‘Euphoria’ Star Angus Cloud Dead at 25, 911 Call for ‘Possible Overdose’ update 5:13 PM PT -- Police say the cause of death is unknown at this point and they've launched an investigation. update 3:30 PM PT -- We've learned Oakland PD and Fire Dept. responded to a 911 call made around 11:30 AM Monday by Angus Cloud's mother. She reported a "possible overdose," and said Angus did not have a pulse. He was eventually pronounced dead on the scene. update 7/31/23 update A source close to the family tells us Angus had been battling severe suicidal thoughts after getting back from Ireland, where they laid his father to rest. We're told...
Cloud Migration Strategies: The 6 Rs of Cloud Migration| Lucidchart Blog
Cloud Migration Strategies: The 6 Rs of Cloud Migration| Lucidchart Blog A cloud migration strategy is your plan for moving data, applications, and other digital assets from on-premise to a cloud architecture. It’s possible that not everything in your business workload needs to be moved to the cloud. So part of your migration strategy needs to identify the specific type of data and digital assets you want to move into a cloud computing environment. You’ll also want to prioritize what is most important so you can decide what needs to be transferred first. In this article we’ll discuss a model of cloud migration strategies known as the 6 Rs.   What are...

Introduction

Layer 2 Tunneling Protocol (L2TP) over IPSec provides the capability to deploy and administer an L2TP VPN solution alongside the IPSec VPN and firewall services in a single platform. The primary benefit of the configuration of L2TP over IPSec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually any place with plain old telephone service (POTS). An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial-Up Networking (DUN). No additional client software, such as the Cisco VPN client software, is required.

This document provides a sample configuration for the native L2TP/IPSec Android client. It takes you through all the necessary commands required on a Cisco Adaptive Security Appliance (ASA), as well as the steps to be taken on the Android device itself.

prerequisite

Requirements

There are no specific requirement for this document .

Components Used

The information in this document is based on the following software and hardware versions:

The information in this document was create from device in a specific lab environment . All is started of the device used in this document start with a clear ( default ) configuration . If your network is live , make sure that you understand the potential impact of any command .

Configure

This section describes the information one would need in order to configure the features described in this document.

Configure the L2TP/IPSec Connection on the Android

This procedure describes how to configure the L2TP/IPSec connection on the Android:

  1. open the menu , and choose setting .
  2. choose Wireless and Network or Wireless Controls . The available option is depends depend on your version of Android .
  3. Choose VPN Settings.
  4. Choose Add VPN.
  5. choose add L2TP / IPsec PSK VPN .
  6. choose vpn Name , and enter a descriptive name .
  7. Choose Set VPN Server, and enter a descriptive name.
  8. choose set ipsec pre – shared key .
  9. Uncheck Enable L2TP secret.
  10. [Optional] Set the IPSec identifier as the ASA tunnel group name. No setting means it will fall into DefaultRAGroup on the ASA.
  11. Open the menu, and choose Save.

configure the L2TP / IPSec connection on ASA

These is are are the require ASA Internet Key Exchange Version 1 ( ikev1 ) ( Internet Security Association and Key Management Protocol [ ISAKMP ] ) policy setting that allow native VPN client , integrate with the operating system on an endpoint , to make a VPN connection to the ASA when L2TP over ipsec protocol is used :

  • IKEv1 phase 1 – Triple Data Encryption Standard (3DES) encryption with SHA1 hash method
  • IPSec phase 2 – 3DES or Advanced Encryption Standard (AES) encryption with Message Digest 5 (MD5) or SHA hash method
  • PPP Authentication – Password Authentication Protocol ( PAP ) , Microsoft Challenge Handshake Authentication Protocol version 1 ( MS – CHAPv1 ) , or MS – CHAPv2 ( prefer )
  • Pre-shared key

Note: The ASA supports only the PPP authentications PAP and MS-CHAP (versions 1 and 2) on the local database. The Extensible Authentication Protocol (EAP) and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands and if the ASA is configured to use the local database, that user will be unable to connect.

Furthermore, Android does not support PAP and, because Lightweight Directory Access Protocol (LDAP) does not support MS-CHAP, LDAP is not a viable authentication mechanism. The only workaround is to use RADIUS. See Cisco Bug ID CSCtw58945, “L2TP over IPSec connections fail with ldap authorization and mschapv2,” for further details on issues with MS-CHAP and LDAP.

This procedure describes how to configure the L2TP/IPSec connection on the ASA:

  1. Define a local address pool or use a dhcp-server for the adaptive security appliance in order to allocate IP addresses to the clients for the group policy.
  2. Create an internal group-policy.
    1. define the tunnel protocol to be l2tp – ipsec .
    2. Configure a domain name server (DNS) to be used by the clients.
  3. create a new tunnel group or modify the attribute of the exist defaultragroup . ( A new tunnel group can be used if the IPSec identifier is set as group – name on the phone ; see step 10 for the phone configuration . )
  4. Define the general attributes of the tunnel group that are used.
    1. Map the defined group policy to this tunnel group.
    2. Map the defined address pool to be used by this tunnel group.
    3. modify the authentication – server group if you want to use something other than LOCAL .
  5. Define the pre-shared key under the IPSec attributes of the tunnel group to be used.
  6. modify the PPP attribute of the tunnel group that are used so that only chap , ms – chap – v1 and ms – chap – v2 are used .
  7. create a transform set with a specific encapsulate security payload ( ESP ) encryption type and authentication type .
  8. instruct ipsec to use transport mode rather than tunnel mode .
  9. Define an ISAKMP/IKEv1 policy using 3DES encryption with SHA1 hash method.
  10. Create a dynamic crypto map, and map it to a crypto map.
  11. Apply the crypto map to an interface.
  12. enable isakmp on that interface .

Configuration File Commands for ASA Compatibility

note : use the Command Lookup Tool ( register customer only ) in order to obtain more information on the command used in this section .

This example shows the configuration file commands that ensure ASA compatibility with a native VPN client on any operating system.

ASA 8.2.5 or Later Configuration Example

Username <name> password <passwd> mschap
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group - policy l2tp - ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
            dns-server value <dns_server>
            vpn-tunnel-protocol l2tp-ipsec
tunnel - group DefaultRAGroup general - attribute
             default - group - policy l2tp - ipsec_policy
            address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
            pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
             no authentication pap
             authentication chap
            authentication ms-chap-v1
            authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic - map dyno 10 set transform - set set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
            authentication pre-share
             encryption 3des
             hash sha
            group 2
            lifetime 86400

ASA 8.3.2.12 or Later Configuration Example

Username <name> password <passwd> mschap
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group - policy l2tp - ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
            dns-server value <dns_server>
            vpn-tunnel-protocol l2tp-ipsec
tunnel - group DefaultRAGroup general - attribute
             default - group - policy l2tp - ipsec_policy
            address-pool l2tp-ipsec_addresses
tunnel-group DefaultRAGroup ipsec-attributes
            pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
             no authentication pap
             authentication chap
            authentication ms-chap-v1
            authentication ms-chap-v2
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic - map dyno 10 set ikev1 transform - set my - transform - set - ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto is enable ikev1 enable outside
crypto ikev1 policy 10
            authentication pre-share
             encryption 3des
             hash sha
            group 2
            lifetime 86400

Verify

Use this section to confirm that your configuration works properly.

This procedure is describes describe how to set up the connection :

  1. open the menu , and choose setting .
  2. Select Wireless and Network or Wireless Controls. (The available option depends on your version of Android.)
  3. Select the VPN configuration from the list.
  4. Enter your username and password.
  5. Select Remember username.
  6. Select Connect.

This procedure is describes describe how to disconnect :

  1. open the menu , and choose setting .
  2. Select Wireless and Network or Wireless Controls. (The available option depends on your version of Android.)
  3. Select the VPN configuration from the list.
  4. Select Disconnect .

Use these commands in order to confirm that your connection works properly.

  • show run crypto isakmp – For ASA version 8.2.5
  • show run crypto ikev1 – For ASA version 8.3.2.12 or later
  • show vpn – sessiondb is show ra – ikev1 – ipsec – For ASA version 8.3.2.12 or later
  • show vpn-sessiondb remote – For ASA version 8.2.5

Note: The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Known Caveats

  • Cisco bug ID CSCtq21535, “ASA traceback when connecting with Android L2TP/IPsec client”
  • Cisco bug ID CSCtj57256, “L2TP/IPSec connection from Android doesn’t establish to the ASA55xx”
  • Cisco bug ID CSCtw58945 is fail , ” L2TP is fail over IPSec connection fail with ldap authorization and mschapv2 “

Related Information