How to configure L2TP/IPSec on CISCO or Android Clients
Note: the following is copied from the Cisco Support forums and was provided by a user; here's the link
I only put it here in case the original disappears. If you are the author, please let us know if you wish to add any link or copyright notice. Here's a link to the author
Certificates for Server and Clients
- Jan 28, 2011 7:38 AM in response to: Bim Bamas Re: VPN Client for Android
Here is the first part, which is all about certificates.
1 Prerequisites
1.1 OpenSSL
The latest version of the OpenSSL tools can be found on the Shining Light Productions web site:
http://www.slproweb.com/products/Win32OpenSSL.html.
Download the full version for the correct architecture, together with the Visual C++ 2008 Redistributable package, and install both. Install OpenSSL to a directory without any spaces in the path, e.g. C:\apps\OpenSSL. Select "The Windows system directory" when the installer asks about the installation location for the OpenSSL DLLs. After installation, add the bin directory of OpenSSL to the PATH variable.
1.2 Cisco ASA Software Version
A Cisco ASA SW version 8.3(2).12 is needed. Without the correct version of the software, VPN connections from devices which are not behind a NAT device are unsuccessful. The exact symptom is that IPSec tunnel opens, but L2TP protocol exchange is not initiated correctly, thus leaving the tunnel unusable for such devices. For NATted devices the connections are successful also with standard ASA operating system version. It is probably necessary to have a valid support contract with Cisco to gain this software. Contact Cisco support with valid support ID.
2 Create and Install Certificates
2.1 Create a Certificate Authority
1. Create a separate directory for CA and all related files, and change to that directory.
md C:\apps\OpenSSL\CA
cd C:\apps\OpenSSL\CA
2. Create CA key pair. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out CA_key.pem -des3 2048
3. Create a self-signed certificate for the CA.
openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem
To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 2. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = Some Unit
Common Name = IamTheCA
Email Address = <leave empty>
4. Contents of the certificate can be checked as follows. At this point, CA is ready to start signing certificate requests from clients.
openssl x509 -in CA_crt.pem -noout -text
2.2 Create a Client Certificate Request
1. Create a key pair for the client. Key file is password protected, so give some password for the key file when queried by OpenSSL.
openssl genrsa -out client_key.pem -des3 2048
2. Create a certificate request for a client certificate.
openssl req -new -key client_key.pem -out client_csr.pem
To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 1. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = IT Support
Common Name = AndroidClient
Email Address = <leave empty>
Note that by default Cisco uses the Organizational Unit field as the name of the VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "IT Support" in ASA. OpenSSL also asks for values for the optional "challenge password" and "company name" fields. Leave these fields blank.
2.3 Sign the Client Certificate Using the CA
1. To sign the client's certificate request using the CA's key, use the following command:
openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq
The CA's key file password is needed; give the password originally used when creating the CA's key pair. Note that the -CAcreateserial option does not need to be used on successive signings of certificate requests. It is only needed the first time, to initialize the sequence number file.
2. Contents of the client's certificate can be checked as follows:
openssl x509 -in client_crt.pem -noout -text
openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem
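To avoid retyping the OpenSSL steps from sections 2.1 to 2.3 by hand, here is an added shell script (not from the original forum post) that runs them non-interactively and then verifies that the client certificate chains to the CA and that its OU equals the ASA tunnel-group name, which is the point made in section 2.2. It assumes a POSIX shell with openssl on PATH; the passwords, the scratch directory and the "run" argument are constructed placeholders.

```shell
#!/bin/sh
# Added example: sections 2.1-2.3 automated, plus the OU / tunnel-group check.
# Passwords and the work directory are constructed; replace them with your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir instead of the page's C:\apps\OpenSSL\CA
CA_PASS="ca-secret"            # constructed key-file password for CA_key.pem
CLIENT_PASS="client-secret"    # constructed key-file password for client_key.pem
TUNNEL_GROUP="IT Support"      # ASA tunnel group name; must equal the client cert OU

# 2.1: CA key pair (DES3-protected like the page) and self-signed CA certificate.
make_ca() {
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/CA_key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/CA_key.pem" -passin "pass:$CA_PASS" \
    -subj "/C=US/ST=TX/L=Dallas/O=Some Company/OU=Some Unit/CN=IamTheCA" \
    -out "$WORK/CA_crt.pem"
}

# 2.2 + 2.3: client key, CSR with OU = tunnel group, CA signature, PKCS#12 bundle.
make_client() {
  openssl genrsa -des3 -passout "pass:$CLIENT_PASS" -out "$WORK/client_key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/client_key.pem" -passin "pass:$CLIENT_PASS" \
    -subj "/C=US/ST=TX/L=Dallas/O=Some Company/OU=$TUNNEL_GROUP/CN=AndroidClient" \
    -out "$WORK/client_csr.pem"
  openssl x509 -req -days 365 -in "$WORK/client_csr.pem" -CA "$WORK/CA_crt.pem" \
    -CAkey "$WORK/CA_key.pem" -passin "pass:$CA_PASS" -CAcreateserial \
    -CAserial "$WORK/CA.seq" -out "$WORK/client_crt.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/client_key.pem" -passin "pass:$CLIENT_PASS" \
    -in "$WORK/client_crt.pem" -certfile "$WORK/CA_crt.pem" \
    -passout "pass:$CLIENT_PASS" -out "$WORK/client_crt.p12"
}

# Prints the OU of a certificate's subject (the field ASA maps to the tunnel group).
cert_ou() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname |
    sed -n 's/^ *organizationalUnitName=//p'
}

# Returns 0 only if the client cert chains to the CA and its OU is the tunnel group.
check_client_cert() {
  openssl verify -CAfile "$WORK/CA_crt.pem" "$WORK/client_crt.pem" >/dev/null 2>&1 || return 1
  [ "$(cert_ou "$WORK/client_crt.pem")" = "$TUNNEL_GROUP" ]
}

if [ "${1:-}" = "run" ]; then
  make_ca && make_client && check_client_cert &&
    echo "client_crt.p12 ready in $WORK (OU=$(cert_ou "$WORK/client_crt.pem"))"
fi
```

Run it as `sh script.sh run`; if the OU in the CSR does not match TUNNEL_GROUP, check_client_cert fails, which is the same mismatch that makes ASA reject the client at tunnel-group lookup.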
2.4 Import the CA Certificate to Cisco ASA
Log in to Cisco ASA using ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.
Click Add, and in the "Install from a file" field, browse to the CA certificate file created previously. The trustpoint name can be left as the default, or it can be changed to something more descriptive.
Click Install Certificate.
2.5 Create a Server Certificate Request
- In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select Add a new identity certificate. There is a bug in ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected compared to what was used for the CA certificate. The certificate will be moved to the same trustpoint manually later.
- Select the subject DN fields by clicking Select. Add same values as for the client, except for the Common Name (CN) field. Use e.g. "asagw" there.
- Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem".
2.6 Sign the Server Certificate Request Using the CA
1. To sign the server's certificate request using the CA's key, use the following command:
openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq
The CA's key file password is needed; give the password originally used when creating the CA's key pair.
2. Contents of the certificate can be checked as follows:
openssl x509 -in server_crt.pem -noout -text
2.7 Install the Server Certificate in Cisco ASA
In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate, and click Install.
Browse for the signed certificate file, and click Install Certificate.
Identity certificate is still in the wrong trustpoint. It must be manually moved to the same trustpoint with the server certificate.
Open an SSH or Telnet connection to ASA, and run the command (all commands are expected to be executed in enable and/or configure mode):
sh run crypto
In the output, both trustpoints previously created should be visible, with one certificate each, like in the following:
crypto ca certificate chain OpenSSL_Trustpoint
 certificate ca
 quit
crypto ca certificate chain Temporary_trustpoint
 certificate
 quit
Copy the certificate in the temporary trustpoint to the clipboard, starting from the line beginning with word "certificate" and ending to the line starting with "quit".
Enter configuration mode (command "conf ter") and modify the real trustpoint (named OpenSSL_Trustpoint in this example):
crypto ca certificate chain OpenSSL_Trustpoint
Paste the certificate copied to the clipboard in step 4. Execute command "exit" to exit trustpoint configuration.
Remove the identity certificate from the temporary trustpoint:
crypto ca certificate chain Temporary_trustpoint
 no certificate
 exit
Remove the temporary trustpoint:
no crypto ca trustpoint Temporary_trustpoint
At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
crypto ca certificate chain OpenSSL_Trustpoint
 certificate
 quit
 certificate ca
 quit
- Save config (exit, write memory). Refresh configuration in ASDM, and verify from there also that certificates are under the same trustpoint.
Server configuration
- Jan 28, 2011 7:30 AM in response to: Petteri Heinonen Re: VPN Client for Android
And here is the config I am using. Note that some passwords, IPs and certificates have been removed, so this cannot be copy-pasted to an ASA as such.
ASA Version 8.3(2)12
!
hostname asagw
domain-name somedomain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 11.12.13.14 255.255.255.224
!
interface Ethernet0/1
nameif LAN
security-level 10
ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa832-12-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name somedomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-network
subnet 10.0.0.0 255.255.0.0
description LAN network / 16
object network RA-VPN-network
subnet 10.60.0.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool android_vpn_pool 10.60.0.1-10.60.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source static LAN-network LAN-network destination static RA-VPN-network RA-VPN-network
nat (WAN,WAN) source dynamic RA-VPN-network interface
nat (LAN,WAN) source dynamic LAN-network interface
route WAN 0.0.0.0 0.0.0.0 11.12.13.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANSP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map WAN_dyn_map 65535 set transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto ca trustpoint OpenSSL_Trustpoint
enrollment terminal
crl configure
crypto ca certificate chain OpenSSL_Trustpoint
certificate
quit
certificate ca
quit
crypto isakmp enable WAN
crypto isakmp policy 20
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 LAN
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 46.183.73.2 source WAN prefer
ntp server 81.22.244.161 source WAN
webvpn
group-policy "IT Support" internal
group-policy "IT Support" attributes
dns-server value 4.5.6.7, 8.9.10.11
vpn-tunnel-protocol IPSec l2tp-ipsec
username androiduser password xxxxxxxx nt-encrypted
username androiduser attributes
service-type remote-access
tunnel-group "IT Support" type remote-access
tunnel-group "IT Support" general-attributes
address-pool android_vpn_pool
default-group-policy "IT Support"
tunnel-group "IT Support" ipsec-attributes
peer-id-validate nocheck
trust-point OpenSSL_Trustpoint
isakmp keepalive disable
tunnel-group "IT Support" ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:01757bd290ed81bbaa7f9bf432e3024c
: end
Check list
- Jan 28, 2011 10:39 AM in response to: Petteri Heinonen Re: VPN Client for Android
As the last part, a short checklist of all the locations that need some configuration in ASDM:
Create IPSec Transform sets
Android uses IPSec transport mode, so there need to be transform sets with Transport mode enabled. Configure these transform sets: ESP-AES-128-SHA-TRANSP and ESP-3DES-SHA-TRANSP. See details in the config example above.
Create IKE Policy
A specific IKE Policy is needed. Configure a policy with these values:
Encryption: 3DES
Hash: SHA
Authentication: rsa-sig
D-H Group: 2
Check IKE Parameters
Check that IKE is enabled on WAN interface, and that NAT-T is enabled.
Configure the Crypto MAP
Create a dynamic crypto map with priority 65535. Make sure that NAT-T is enabled on the Advanced tab. Do not enable Perfect Forward Secrecy. If there is a need to connect to this same VPN with a pure IPSec (i.e. non-L2TP) client, then some tunnel mode transform sets must be added as well. This is beneficial if, for example, the Shrew VPN client is used for testing the setup.
Add a local user
Make sure to check "User authenticated using MSCHAP" for the user.
Create an address pool
Nothing special here, just create a pool for client to get addresses.
Create VPN Group Policy
Under More Options, enable only L2TP/IPSec tunneling protocol. If there is a need to connect with a pure IPSec client (such as Shrew VPN) enable also IPSec. In the Servers, configure DNS Servers to be used by the clients. All other values can be left as "Inherit".
Create IPSec Connection Profile
- Give a descriptive name for the VPN connection. Remember that the connection name must match the OU field in the DN of client certificates.
- Do not configure any Pre-shared key. Instead, select the correct certificate in the Identity Certificate field.
- Select LOCAL as Server Group under User Authentication.
- Select correct Client Address Pool.
- Select the correct Group Policy, created in the previous section.
- Select Enable L2TP over IPSec protocol. If there is a need to connect with pure IPSec clients as well, enable also IPSec protocol.
- Under Advanced - IPSec, set IKE Peer ID Validation to Do not check.
- Under Advanced - IPSec, set IKE keepalives to Disable keepalives.
- Under Advanced - PPP, select only MS-CHAP-V1, MS-CHAP-V2 and PAP.
Add NAT exempt rules
NAT exempt rules are needed so that traffic between the VPN clients and the internal/LAN network is not NATted. This is part of basic remote access configuration, and is not explained in more detail here.
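The checklist describes ASDM screens, but every item also appears as a line in "show running-config". Here is an added shell audit (not from the original post) that checks a saved running-config for each checklist item and reports what is missing; the sample config it writes is a constructed excerpt modelled on the configuration above, not a capture from a real ASA.

```shell
#!/bin/sh
# Added example: audit a saved ASA running-config against the L2TP/IPSec checklist.
set -eu

# Returns 0 if file $1 has a line matching ERE $2 (leading blanks ignored).
has_line() { grep -Eq "^[[:space:]]*$2" "$1"; }

# Prints one MISSING line per failed checklist item; returns 1 if any failed.
audit_l2tp_config() {
  cfg="$1"; rc=0
  fail() { echo "MISSING: $1"; rc=1; }
  has_line "$cfg" 'crypto ipsec transform-set [^ ]+ mode transport' \
    || fail "transport-mode transform set (Android uses IPSec transport mode)"
  has_line "$cfg" 'crypto isakmp enable ' || fail "IKE enabled on an interface"
  has_line "$cfg" 'crypto isakmp nat-traversal' || fail "NAT-T enabled"
  has_line "$cfg" 'authentication rsa-sig' || fail "IKE policy with rsa-sig authentication"
  has_line "$cfg" 'crypto dynamic-map [^ ]+ 65535 set transform-set' \
    || fail "dynamic crypto map with priority 65535"
  ! has_line "$cfg" 'crypto dynamic-map .* set pfs' || fail "PFS must stay disabled on the dynamic map"
  has_line "$cfg" 'vpn-tunnel-protocol .*l2tp-ipsec' || fail "group policy allowing l2tp-ipsec"
  has_line "$cfg" 'trust-point ' || fail "identity certificate (trust-point) on the tunnel group"
  has_line "$cfg" 'peer-id-validate nocheck' || fail "IKE peer ID validation set to nocheck"
  has_line "$cfg" 'isakmp keepalive disable' || fail "IKE keepalives disabled"
  has_line "$cfg" 'authentication ms-chap-v2' || fail "MS-CHAP-v2 PPP authentication"
  return $rc
}

# Constructed excerpt of a compliant config (values taken from this page), written to $1.
write_sample_config() {
  cat > "$1" <<'EOF'
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto dynamic-map WAN_dyn_map 65535 set transform-set ESP-AES-128-SHA-TRANSP
crypto isakmp enable WAN
crypto isakmp policy 20
 authentication rsa-sig
crypto isakmp nat-traversal 3600
group-policy "IT Support" attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group "IT Support" ipsec-attributes
 peer-id-validate nocheck
 trust-point OpenSSL_Trustpoint
 isakmp keepalive disable
tunnel-group "IT Support" ppp-attributes
 authentication ms-chap-v2
EOF
}
```

Point audit_l2tp_config at a file produced by "show running-config" (or "sh run crypto" plus the group-policy and tunnel-group sections) to see which checklist items the device is still missing.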