How to configure L2TP/IPSec on Cisco ASA for Android clients
Note: the following is copied from the Cisco Support forums and was provided by a user; here's the link
I only put it here in case the original disappears. If you are the author, please let us know if you wish us to add any link or copyright notice for you. Here's a link to the author
Jan 28, 2011 7:38 AM, in response to Bim Bamas, Re: VPN Client for Android
Here is the first part, which is all about certificates.
The latest version of the OpenSSL tools can be found on the Shining Light Productions web site:
Download the full version for the correct architecture, together with the Visual C++ 2008 Redistributable package, and install both. Install OpenSSL to a directory without any spaces in the path, e.g. C:\apps\OpenSSL. Select "The Windows system directory" when the installer asks where to install the OpenSSL DLLs. After installation, add the bin directory of OpenSSL to the PATH variable.
A Cisco ASA software version 8.3(2).12 is needed. Without the correct version of the software, VPN connections from devices which are not behind a NAT device are unsuccessful. The exact symptom is that the IPSec tunnel opens, but the L2TP protocol exchange is not initiated correctly, leaving the tunnel unusable for such devices. For NATted devices the connections are successful also with the standard ASA operating system version. It is probably necessary to have a valid support contract with Cisco to obtain this software. Contact Cisco support with a valid support ID.
md C:\apps\OpenSSL\CA
cd C:\apps\OpenSSL\CA
2. Create the CA key pair. The key file is password protected, so give a password for the key file when OpenSSL asks for it.
openssl genrsa -out CA_key.pem -des3 2048
openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem
To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password used when originally creating the key file in step 2. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = Some Unit
Common Name = IamTheCA
Email Address = <leave empty>
4. The contents of the certificate can be checked as follows. At this point, the CA is ready to start signing certificate requests from clients.
openssl x509 -in CA_crt.pem -noout -text
1. Create a key pair for the client. The key file is password protected, so give a password for the key file when OpenSSL asks for it.
openssl genrsa -out client_key.pem -des3 2048
openssl req -new -key client_key.pem -out client_csr.pem
To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password used when originally creating the key file in step 1. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Dallas
Organization = Some Company
Organizational Unit = IT Support
Common Name = AndroidClient
Email Address = <leave empty>
Note that by default Cisco uses the Organizational Unit field as the name of the VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "IT Support" on the ASA. OpenSSL also asks for values for the optional "challenge password" and "company name" fields. Leave these fields blank.
openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq
The CA key file's password is needed; give the password originally used when creating the CA's key pair. Note that the -CAcreateserial option does not need to be used on subsequent signings of certificate requests. It is only needed the first time, to initialize the sequence number file.
openssl x509 -in client_crt.pem -noout -text
openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem
Log in to the Cisco ASA using the ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.
Click Add, and in the "Install from a file" field, browse to the CA certificate file created previously. The trustpoint name can be left as the default, or it can be changed to something more descriptive.
Click Install Certificate.
- In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select "Add a new identity certificate". There is a bug in ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected than the one used for the CA certificate. The certificate will be moved to the same trustpoint manually later.
- Select the subject DN fields by clicking Select. Add the same values as for the client, except for the Common Name (CN) field. Use e.g. "asagw" there.
- Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem".
openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq
The CA key file's password is needed; give the password originally used when creating the CA's key pair.
openssl x509 -in server_crt.pem -noout -text
In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate, and click Install.
Browse for the signed certificate file, and click Install Certificate.
The identity certificate is still in the wrong trustpoint. It must be manually moved to the same trustpoint as the server certificate.
Open an SSH or Telnet connection to the ASA, and run the command (all commands are expected to be executed in enable and/or configure mode):
sh run crypto
In the output, both trustpoints previously created should be visible, with one certificate each, like in the following:
crypto ca certificate chain OpenSSL_Trustpoint
 certificate ca
  quit
crypto ca certificate chain Temporary_trustpoint
 certificate
  quit
Copy the certificate in the temporary trustpoint to the clipboard, starting from the line beginning with the word "certificate" and ending at the line starting with "quit".
Enter configuration mode (command "conf ter") and modify the real trustpoint (named OpenSSL_Trustpoint in this example):
crypto ca certificate chain OpenSSL_Trustpoint
Paste the certificate copied to the clipboard in step 4. Execute the command "exit" to exit trustpoint configuration.
Remove the identity certificate from the temporary trustpoint:
crypto ca certificate chain Temporary_trustpoint
 no certificate
Remove the temporary trustpoint:
no crypto ca trustpoint Temporary_trustpoint
At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
crypto ca certificate chain OpenSSL_Trustpoint
 certificate
  quit
 certificate ca
  quit
- Save the config (exit, write memory). Refresh the configuration in ASDM, and verify there as well that both certificates are under the same trustpoint.
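The certificate part of the post, driven end to end as an added example (it is not the post author's or Cisco's code): it runs the same openssl commands non-interactively, then verifies the client certificate against the CA and checks that its OU equals the ASA tunnel-group name, the two things worth confirming before importing anything into the ASA. It assumes an openssl binary on PATH; the passwords are constructed for the demo.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed passwords for this example; the post's commands prompt for them interactively.
CA_PASS, CLIENT_PASS, P12_PASS = "ca-demo-pass", "client-demo-pass", "p12-demo-pass"
# DN values from the post. The ASA uses the client's OU as the tunnel-group name.
CA_SUBJ = "/C=US/ST=TX/L=Dallas/O=Some Company/OU=Some Unit/CN=IamTheCA"
CLIENT_SUBJ = "/C=US/ST=TX/L=Dallas/O=Some Company/OU=IT Support/CN=AndroidClient"

def run(*args, cwd):
    """Run one openssl command in cwd; raises CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True, text=True)

def subject_ou(cert_pem, cwd):
    """Return the OU of a certificate subject, printed in RFC 2253 form (one RDN per comma)."""
    out = run("x509", "-in", cert_pem, "-noout", "-subject", "-nameopt", "RFC2253", cwd=cwd).stdout
    rdns = out.split("=", 1)[1].strip().split(",")
    return next((r[3:] for r in rdns if r.startswith("OU=")), None)

def make_client_bundle(workdir=None, tunnel_group="IT Support"):
    """Run the post's CA and client steps non-interactively, verify the chain and check that
    the OU equals the ASA tunnel-group name. Returns None if no openssl binary is on PATH."""
    if shutil.which("openssl") is None:
        return None
    cwd = Path(workdir or tempfile.mkdtemp())
    # CA key pair and self-signed CA certificate (steps 2 and 3 of the CA part).
    run("genrsa", "-out", "CA_key.pem", "-des3", "-passout", f"pass:{CA_PASS}", "2048", cwd=cwd)
    run("req", "-new", "-key", "CA_key.pem", "-passin", f"pass:{CA_PASS}", "-x509",
        "-days", "365", "-subj", CA_SUBJ, "-out", "CA_crt.pem", cwd=cwd)
    # Client key pair, CSR and CA-signed certificate; -CAcreateserial only on the first signing.
    run("genrsa", "-out", "client_key.pem", "-des3", "-passout", f"pass:{CLIENT_PASS}", "2048", cwd=cwd)
    run("req", "-new", "-key", "client_key.pem", "-passin", f"pass:{CLIENT_PASS}",
        "-subj", CLIENT_SUBJ, "-out", "client_csr.pem", cwd=cwd)
    run("x509", "-req", "-in", "client_csr.pem", "-CA", "CA_crt.pem", "-CAkey", "CA_key.pem",
        "-passin", f"pass:{CA_PASS}", "-out", "client_crt.pem", "-days", "365",
        "-CAcreateserial", "-CAserial", "CA.seq", cwd=cwd)
    # PKCS#12 bundle (key + client cert + CA cert) for import on the Android device.
    run("pkcs12", "-export", "-out", "client_crt.p12", "-inkey", "client_key.pem",
        "-passin", f"pass:{CLIENT_PASS}", "-in", "client_crt.pem", "-certfile", "CA_crt.pem",
        "-passout", f"pass:{P12_PASS}", cwd=cwd)
    # Checks worth doing before touching the ASA: the chain verifies and the OU matches.
    verified = run("verify", "-CAfile", "CA_crt.pem", "client_crt.pem", cwd=cwd).stdout.strip()
    ou = subject_ou("client_crt.pem", cwd)
    return {"dir": str(cwd), "chain_ok": verified.endswith(": OK"),
            "ou": ou, "ou_matches_tunnel_group": ou == tunnel_group}
```

The files land in the returned directory under the same names the post uses, so the remaining steps (importing CA_crt.pem into ASDM, copying client_crt.p12 to the phone) are unchanged.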
Jan 28, 2011 7:30 AM, in response to Petteri Heinonen, Re: VPN Client for Android
And here is the config I am using. Note that some passwords, IPs and certificates have been removed, so this cannot be copy-pasted to an ASA as such.
ASA Version 8.3(2)12
!
hostname asagw
domain-name somedomain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 184.108.40.206 255.255.255.224
!
interface Ethernet0/1
 nameif LAN
 security-level 10
 ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa832-12-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
 domain-name somedomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-network
 subnet 10.0.0.0 255.255.0.0
 description LAN network / 16
object network RA-VPN-network
 subnet 10.60.0.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool android_vpn_pool 10.60.0.1-10.60.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source static LAN-network LAN-network destination static RA-VPN-network RA-VPN-network
nat (WAN,WAN) source dynamic RA-VPN-network interface
nat (LAN,WAN) source dynamic LAN-network interface
route WAN 0.0.0.0 0.0.0.0 220.127.116.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANSP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map WAN_dyn_map 65535 set transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto ca trustpoint OpenSSL_Trustpoint
 enrollment terminal
 crl configure
crypto ca certificate chain OpenSSL_Trustpoint
 certificate
  quit
 certificate ca
  quit
crypto isakmp enable WAN
crypto isakmp policy 20
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 LAN
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 18.104.22.168 source WAN prefer
ntp server 22.214.171.124 source WAN
webvpn
group-policy "IT Support" internal
group-policy "IT Support" attributes
 dns-server value 126.96.36.199, 188.8.131.52
 vpn-tunnel-protocol IPSec l2tp-ipsec
username androiduser password xxxxxxxx nt-encrypted
username androiduser attributes
 service-type remote-access
tunnel-group "IT Support" type remote-access
tunnel-group "IT Support" general-attributes
 address-pool android_vpn_pool
 default-group-policy "IT Support"
tunnel-group "IT Support" ipsec-attributes
 peer-id-validate nocheck
 trust-point OpenSSL_Trustpoint
 isakmp keepalive disable
tunnel-group "IT Support" ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:01757bd290ed81bbaa7f9bf432e3024c
: end
Jan 28, 2011 10:39 AM, in response to Petteri Heinonen, Re: VPN Client for Android
As the last part, a short checklist of all the locations that need some configuration in ASDM:
Android uses IPSec transport mode, so there need to be transform sets with transport mode enabled. Configure these transform sets: ESP-AES-128-SHA-TRANSP and ESP-3DES-SHA-TRANSP. See details in the config example above.
A specific IKE policy is needed. Configure a policy with these values: Encryption: 3DES, Hash: SHA, Authentication: rsa-sig, D-H Group: 2.
Check that IKE is enabled on the WAN interface, and that NAT-T is enabled.
Create a dynamic crypto map with priority 65535. Make sure that NAT-T is enabled on the Advanced tab. Do not enable Perfect Forwarding Secrecy. If there is a need to connect to this same VPN with a pure IPSec (i.e. non-L2TP) client, then some tunnel mode transform sets must be added as well. This is beneficial if, for example, the Shrew VPN client is used for testing the setup.
Make sure to check "User authenticated using MSCHAP" for the user.
Nothing special here, just create a pool for the clients to get addresses from.
Under More Options, enable only the L2TP/IPSec tunneling protocol. If there is a need to connect with a pure IPSec client (such as Shrew VPN), enable IPSec as well. Under Servers, configure the DNS servers to be used by the clients. All other values can be left as "Inherit".
- Give a descriptive name for the VPN connection. Remember that the connection name must match the OU field in the DN of the client certificates.
- Do not configure any Pre-shared key. Instead, select the correct certificate in the Identity Certificate field.
- Select LOCAL as Server Group under User Authentication.
- Select correct Client Address Pool.
- Select the correct Group Policy, created in the previous section.
- Select Enable L2TP over IPSec protocol. If there is a need to connect with pure IPSec clients as well, enable the IPSec protocol too.
- Under Advanced - IPSec, set IKE Peer ID Validation to Do not check.
- Under Advanced - IPSec, set IKE keepalives to Disable keepalives.
- Under Advanced - PPP, select only MS-CHAP-V1, MS-CHAP-V2 and PAP.
NAT exempt rules are needed so that traffic between the VPN clients and the internal/LAN network is not NATted. This is part of basic remote access configuration, and is not explained in more detail here.
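An added example (not from the post) that checks a saved ASA running-config against this checklist for the tunnel-group named after the client certificate's OU, so a mismatch (wrong OU, missing transport-mode transform set, a pre-shared key where a certificate trust-point belongs) shows up before the first Android connection attempt. The sample config is an excerpt of the one posted above; the parse rule (indented lines belong to the preceding top-level line) is an assumption that matches the posted config.

```python
# Excerpt of the ASA config posted above (passwords and certificates were already removed there).
ASA_CONFIG = """\
crypto ipsec transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto dynamic-map WAN_dyn_map 65535 set transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto isakmp policy 20
 authentication rsa-sig
crypto isakmp nat-traversal 3600
group-policy "IT Support" attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group "IT Support" type remote-access
tunnel-group "IT Support" ipsec-attributes
 peer-id-validate nocheck
 trust-point OpenSSL_Trustpoint
 isakmp keepalive disable
tunnel-group "IT Support" ppp-attributes
 authentication ms-chap-v2
"""

def parse_blocks(text):
    """Group an ASA running-config into {top-level line: [its indented sub-commands]}."""
    blocks, header = {}, None
    for line in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("!")):
        if line[0].isspace():
            blocks[header].append(line.strip())
        else:
            header = line.strip()
            blocks.setdefault(header, [])
    return blocks

def audit_l2tp_group(text, client_ou):
    """Run the post's checklist for the tunnel-group named after the client OU; returns {check: passed}."""
    b, tg = parse_blocks(text), f'tunnel-group "{client_ou}"'
    ipsec, ppp = b.get(f"{tg} ipsec-attributes", []), b.get(f"{tg} ppp-attributes", [])
    ike = [c for h, cs in b.items() if h.startswith("crypto isakmp policy") for c in cs]
    gp = [c for h, cs in b.items() if h.startswith("group-policy") for c in cs]
    # Transport-mode transform sets that the dynamic crypto map actually offers to clients.
    transport = {h.split()[3] for h in b if h.endswith(" mode transport")}
    offered = {s for h in b if " set transform-set " in h for s in h.split(" set transform-set ")[1].split()}
    return {
        "tunnel_group_named_after_ou": f"{tg} type remote-access" in b,
        "transport_mode_offered": bool(transport & offered),
        "ike_uses_rsa_sig": "authentication rsa-sig" in ike,
        "nat_t_enabled": any(h.startswith("crypto isakmp nat-traversal") for h in b),
        "peer_id_not_checked": "peer-id-validate nocheck" in ipsec,
        "keepalives_disabled": "isakmp keepalive disable" in ipsec,
        "certificate_not_psk": any(c.startswith("trust-point ") for c in ipsec)
                               and not any("pre-shared-key" in c for c in ipsec),
        "mschap_v2_enabled": "authentication ms-chap-v2" in ppp,
        "l2tp_ipsec_in_group_policy": any("l2tp-ipsec" in c for c in gp),
    }
```

Feed it the output of "show running-config" and the OU printed by "openssl x509 -in client_crt.pem -noout -subject"; every value in the returned dict should be True.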