asa remote-access vpn with android



          Patrik Spiess 29 posts since
Oct 7, 2009
Did anyone successfully manage to establish a remote-access VPN connection from an
Android device (e.g. HTC Desire) to a Cisco ASA 5520?

The connection should be safe (encrypted) and the authentication has to be made with a
RADIUS server.

I did not find any useful information on how to configure my ASA to support Android devices.

Unfortunately Android is not listed in Cisco's supported VPN platform document.



Thanks for any help

Patrik

Tags: vpn, asa, android


         Marcin Latosiewicz 400 posts since
Jan 3, 2008 1. Re: asa remote-access vpn with android Jun 29, 2010 10:57 AM

Patrik,




AFAIK Android is not supported and I don't see any plans ... apart from AnyConnect.

If you're interested in putting some sweat into this we can try to see what can be done
unofficially.

So first of all, are we talking about WebVPN or IPsec RA?




Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.


Marcin



         Patrik Spiess 29 posts since
Oct 7, 2009 2. Re: asa remote-access vpn with android Jul 1, 2010 7:52 AM

Hello Marcin,



Thanks for your reply. I know that it is not supported. But I am searching for a way to do it although
it's not officially supported.

My plan is to provide client-based remote VPN access to our ASA 5550. It doesn't matter
whether it is IPsec or SSL. I do not need any clientless VPN features.

The VPN connection has to be encrypted and authenticated through a RADIUS server.



All my Android users (just a few yet) would be very happy to be able to vpn into our
organization.




But don't hurry. I'll be away the next two weeks. So I will only be able to investigate that
further from July 19th on.




Thanks

Patrik



         Marcin Latosiewicz 400 posts since
Jan 3, 2008 3. Re: asa remote-access vpn with android Jul 1, 2010 8:07 AM

Patrik,








I believe something might be looming beyond the horizon for Android.

I understand the Cius is Android based and has AnyConnect on it. I have not gone through any
data sheets for it but that's what one of my colleagues reported.



Marcin



          Laurentiu Zibula 2 posts since
Jul 8, 2010 4. Re: asa remote-access vpn with android Jul 8, 2010 5:41 AM

I did it with an ASA 5510 and Android 2.1 (Samsung Galaxy S i9000) but without RADIUS, just local
auth.



@marcin: post if you need config



         wiley-wes 4 posts since
Feb 3, 2009 5. Re: asa remote-access vpn with android Jul 8, 2010 2:16 PM

Would love to see config for this!



         Marcin Latosiewicz 400 posts since
Jan 3, 2008 6. Re: asa remote-access vpn with android Jul 8, 2010 2:58 PM



Laurentiu,




Please do post the config I think everyone would be interested






Marcin



          Laurentiu Zibula 2 posts since
Jul 8, 2010 7. Re: asa remote-access vpn with android Jul 11, 2010 11:30 PM

I used Cisco ASDM 6.1 to configure the ASA.

1. On the ASA:
- Configuration -> Remote Access VPN -> AAA/Local Users -> Local Users -> add a new
user, set a password, all settings default (inherit)

- Configuration -> Remote Access VPN -> Network (Client) Access -> Address Assignment
-> Address Pools -> add a new Address Pool "mobile_ip_pool"

- Configuration -> Remote Access VPN -> Network (Client) Access -> Group Policies -> add
a new policy
General -> Tunneling Protocols -> mark "IPSec" and "L2TP/IPSec"
all other settings "inherit"

- Configuration -> Remote Access VPN -> Network (Client) Access -> IPSec Connection
Profiles
edit the "DefaultRAGroup" (this is the only group that the Android will use)
Basic -> IKE Peer Auth -> Pre-Shared Key -> set a pre-shared key "12345678"
User Auth -> Server Group -> Local
Client Address Assignment -> Client Address Pools -> "mobile_ip_pool"
Default Group Policy -> Group Policy -> "mobile_gp"
Enable IPSec Protocol -> yes
Enable L2TP over IPSec Protocol -> yes

2. On the Android 2.1 (Samsung Galaxy S i9000):

- create a new VPN -> L2TP/IPSec PSK VPN
VPN server = outside IP address of the ASA
IPSec pre-shared key -> "12345678"






DONE -> CONNECT

And now some CLI:



ASA Version 8.0(3)6
!
hostname ASA-A-01
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.204.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.xx.xx 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif dmz_server
 security-level 60
 ip address 192.168.xx.xx 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif bybn
 security-level 50
 ip address 192.168.xx.xx 255.255.255.0
!
boot system disk0:/asa803-6-k8.bin
ftp mode passive
clock timezone MEZ 1
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz_server
dns domain-lookup bybn
.
.
dns server-group Internet
 name-server 212.114.152.1
 name-server 212.114.153.1
dns-group Internet
.
.
.
access-list outside_access_in extended permit esp any host 212.204.xx.xx
access-list outside_access_in extended permit udp any host 212.204.xx.xx eq isakmp
access-list outside_access_in extended permit udp any host 212.204.xx.xx eq 4500
.
.
tcp-map MSS-EXCEEDED
 exceed-mss allow
!
mtu outside 1500
mtu inside 1500
mtu dmz_server 1500
mtu bybn 1500
.
.
ip local pool Mobile_ip_pool 192.168.xx.xx-192.168.xx.xx mask 255.255.255.0
.
.
.
crypto dynamic-map DYNMAP 100 set transform-set ESP-3DES-MD5 ESP-3DES-SHA TRANS_ESP_3DES_SHA
.
.
crypto map outside_map 65535 ipsec-isakmp dynamic DYNMAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign dhcp
.
.
.
tunnel-group-list enable
group-policy DEFAULT-REMOTE internal
group-policy DEFAULT-REMOTE attributes
 wins-server value 10.92.40.100
 dns-server value 10.92.40.100
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
.
.
group-policy mobile_gp internal
group-policy mobile_gp attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
.
.
username XXXXXX password uKx2Yoi0e27wmeKUOS47jQ== nt-encrypted privilege 15
.
.
tunnel-group DefaultRAGroup general-attributes
 address-pool Mobile_ip_pool
 default-group-policy mobile_gp
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
!
.
.
!
: end
ASA-A-01#








Some debugging was necessary: debug crypto isakmp, debug crypto ipsec

GOOD LUCK

PS: split tunnel and server values in the group policy are optional



         Marcin Latosiewicz 400 posts since
Jan 3, 2008 8. Re: asa remote-access vpn with android Jul 9, 2010 3:14 AM


Laurentiu,

Good stuff!

What I would suggest is for you to put that information in form of a document here on the forums.
I think this will be increasingly popular and may save other people a lot of searching.

Everyone else, have you had a chance to try that/similar config? Any comments?

Marcin




          bcs-cisco 2 posts since
Jul 11, 2010 9. Re: asa remote-access vpn with android Jul 11, 2010 7:39 AM

Thanks for the information, however, I have several concerns with this config:



1. By editing the DefaultRAGroup, you effectively bypass XAUTH group level authentication
which lessens your ASA device's ability to protect your network.



2. By editing the DefaultRAGroup, all other secure tunnels defined from it (inherited) are
downgraded to just the PSK-level security.






3. When will the Cisco AnyConnect Mobile product for Android that currently runs on the
Cius be available for download for Maintenance contract holders?



Thanks
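Added example (editor's, not posted by anyone in this thread): the DefaultRAGroup / L2TP-over-IPsec setup Laurentiu posted, reworked to meet the RADIUS requirement from the opening post and to narrow the exposure bcs-cisco raises about DefaultRAGroup. The pool and group-policy names follow the posted config; the server-group name RADIUS_SRV, the host 10.92.40.101, the AES transform-set name and the bracketed secrets are assumptions. Three things the posted config leaves open: L2TP/IPsec needs a transport-mode transform set in the dynamic map (DYNMAP references TRANS_ESP_3DES_SHA but its definition was elided, so it is spelled out here); the ppp-attributes leave PAP enabled next to MS-CHAPv2, so a client can end up sending the password in clear inside the tunnel, and the example turns PAP, CHAP and MS-CHAPv1 off on the assumption that the Android client negotiates MS-CHAPv2 and the RADIUS server supports it (mschapv2-capable); and a VPN-only account does not need privilege 15, which the RADIUS move makes moot anyway. With L2TP over IPsec the user is authenticated inside PPP rather than with XAUTH, which is why the RADIUS hook is authentication-server-group plus the PPP method. Because the stock Android client sends no IKE group identifier it always lands in DefaultRAGroup, so its group policy is restricted to l2tp-ipsec and the 3DES/MD5 IKE policy is dropped; the AES-256 policy is only picked up if the client proposes it (assumption), with 3DES/SHA left as fallback.

```text
! RADIUS server group (names and address are assumptions, not from the thread).
! The host must accept MS-CHAPv2 so PAP can be disabled in the ppp-attributes below.
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.92.40.101
 key <radius-shared-secret>
 mschapv2-capable
!
ip local pool Mobile_ip_pool 192.168.xx.xx-192.168.xx.xx mask 255.255.255.0
!
! IKE phase 1: AES-256/SHA first (used only if the client offers it), 3DES/SHA as fallback.
! The 3DES/MD5 policy from the posted config is intentionally absent.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! L2TP over IPsec requires TRANSPORT mode; a tunnel-mode-only dynamic map fails in phase 2.
crypto ipsec transform-set TRANS_ESP_AES256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES256_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map DYNMAP 100 set transform-set TRANS_ESP_AES256_SHA TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYNMAP
crypto map outside_map interface outside
!
! Policy for the phones only: L2TP/IPsec, everything through the tunnel, one session per user.
group-policy mobile_gp internal
group-policy mobile_gp attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 vpn-simultaneous-logins 1
 dns-server value 10.92.40.100
!
! The Android client carries no group name, so it always lands in DefaultRAGroup.
! LOCAL is listed only as fallback for when RADIUS is unreachable; drop it if not wanted.
tunnel-group DefaultRAGroup general-attributes
 address-pool Mobile_ip_pool
 authentication-server-group RADIUS_SRV LOCAL
 default-group-policy mobile_gp
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <long-random-psk>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
! Outside ACL, unchanged from the posted config: IKE, NAT-T and ESP to the outside address.
access-list outside_access_in extended permit udp any host 212.204.xx.xx eq isakmp
access-list outside_access_in extended permit udp any host 212.204.xx.xx eq 4500
access-list outside_access_in extended permit esp any host 212.204.xx.xx
```

Checks after applying: "show run tunnel-group DefaultRAGroup" should list exactly one PPP method, "show crypto ipsec sa" for a connected phone should show the SA in transport mode, and "test aaa-server authentication RADIUS_SRV host 10.92.40.101 username <user> password <pw>" confirms the RADIUS path before a phone is involved. If a peer still fails in phase 2 with a QM FSM error, verify the transform set referenced by DYNMAP really has "mode transport" and that the dynamic map sequence number (65535 here) is higher than any static crypto map entries.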



          Stefan Lemming 2 posts since
Jul 14, 2010 10. Re: asa remote-access vpn with android Jul 14, 2010 6:55 AM

I tried using Laurentiu's config on an ASA 5510 connecting with an HTC Desire.

The tunnel is working when I try it on a laptop but the Desire won't connect. ISAKMP debug
gives the following:

Jul 14 10:12:15 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct
&0xac0fc6b8, mess id 0xf18c67b!
Jul 14 10:12:15 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from
correlator table failed, no match!

According to this, the problem is that the dynamic map's sequence number is lower than the
static ones, but I have checked this in my config. And since the tunnel works with a laptop
using the Cisco VPN client I don't think this actually is the problem.



Any ideas?



         wiley-wes 4 posts since
Feb 3, 2009 11. Re: asa remote-access vpn with android Jul 14, 2010 6:57 AM

Stefan, I have the same issue. Cannot seem to figure it out.



         Marcin Latosiewicz 400 posts since
Jan 3, 2008 12. Re: asa remote-access vpn with android Jul 14, 2010 7:01 AM

Guys,








Please attach

"show run crypto"

"show run tunnel-group"

"show run group-policy"

and debug crypto isa 127, debug crypto ipsec 100 outputs.



Let's have a look.



Marcin



          Stefan Lemming 2 posts since
Jul 14, 2010 13. Re: asa remote-access vpn with android Jul 19, 2010 1:19 AM

Marcin,



Sorry for the delayed reply.

For testing purposes I moved my config to an ASA 5505 with no prior configuration. This unit
is only set up with the basic configuration, e.g. IP addresses, DHCP leases and the remote
access configuration supplied by Laurentiu.



I have attached the command output as per your request.



Stefan

Attachments:
      • debug_crypto_ipsec_100.txt.zip (975 bytes)
      • debug_crypto_isa_127.txt.zip (1.9 K)





      • show_run_crypto_tunnel_group.txt.zip (623 bytes)




          bcs-cisco 2 posts since
Jul 11, 2010 14. Re: asa remote-access vpn with android Jul 19, 2010 7:18 AM

This is how you can setup a fully encrypted VPN tunnel from your HTC Incredible
to your ASA 5510. The nice thing about this method is you do not need to put
a custom ROM on your phone, simply replace the kernel and install a client.

1. Install UnRevoked3 http://unrevoked.com/recovery/ to root your Incredible.
2. Install ROM Manager and Titanium Backup from the Market (Titanium Backup
  will get you a good install of BusyBox if you do not already have it).
3. Go to http://incredibleroms.com/kernels/ to get the latest hydra kernel.
  The latest v7 kernels have the tun.ko tunnel module built-in which has been
  the source of all the problems in getting the VPN Connections program
  running correctly. If site down search for hydra_ocuv_n_v07_signed.zip
4. Use ROM Manager to install new kernel and reboot into it.
5. Install the latest version of VPN Connections from the market or directly
  from http://code.google.com/p/get-a-robot-vpnc/.
6. Create a new connection to your ASA in VPN Connections with all the
  appropriate group information (IPSEC info).
7. If your ASA is configured correctly, you should be able to long press the
  new connection to get right in.
8. Use your normal Internet tools (ssh, rdp, etc) on your internal network.



HTH




Document info: shared via Docstoc, posted 1/8/2011, language English, 12 pages, 1831 views.