Configure a Cisco ASA with Android native VPN with Active Directory Authentication

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I didn't quite grasp. After some tweaking, I believe I have succeeded.

As of now, I have my HTC Incredible (2.2) and a Samsung Infuse successfully connecting. I have an Archos 101 that is giving me fits, but I think the issues are with the device itself.

Before you start modifying your config, know that the ASA must have IOS version 8.4.1 and Android must have 2.1, according to Cisco's knowledgebase. The catch is that some ASAs didn't ship with the 512 MB of memory needed to upgrade the IOS out of the box.

Also, if you have any port forwarding set up on your main outside IP address, this configuration will cause it to stop working. This is because of the no NAT statement for the VPN. You have two choices. You can remove the line:

nat (outside,outside) source dynamic [name your VPN LAN] interface

which will mean VPN clients cannot access the Internet while connected to the VPN. Or, you can move your port-forwarding objects to another IP address.

We are using an ASA 5505.

Also, to do Active Directory integration, which is highly recommended, you will need some sort of RADIUS server. We are using NPS, which is included with Windows Server 2008. Setup of an NPS server is a different subject, but fairly easy and intuitive.

In the config below, I have taken most of the default ASA commands out for readability. You replace what is in the [ ] with YOUR info. I have put a * at the end of lines, followed by examples and explanations. DO NOT PUT IN THE STUFF AFTER THE *!

On to the config!


ASA Version 8.4(1) *You do have the correct version, right?
!
hostname [your asa hostname] *Example: MainASA
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address [your local asa ip address] 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address [your OUTSIDE ip address] [outside subnetmask]
!
interface Ethernet0/0
 switchport access vlan 2
!
boot system disk0:/asa841-k8.bin *Make sure you are booting 8.4.1!
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network [name your lan1] *Example: MainLAN
 subnet [lan1 subnet and mask] *Example: 192.168.1.0 255.255.255.0
object network [name your lan2] *Optional statement if you have more than 1 lan you wish to communicate with
 subnet [lan2 subnet and mask]
object network [name your lan3]
 subnet [lan3 subnet and mask]
object network [name your VPN LAN] *Example: VPN_NET
 subnet [VPN LAN subnet and mask] *Example: 172.16.30.0 255.255.255.0
object-group network [name your group of lans] *Example: LANS
 network-object object [name your lan1]
 network-object object [name your lan2]
 network-object object [name your lan3]
ip local pool [name of your VPN IP address pool] [IP Pool Range] mask [pool mask] *Example: GroupPool Example: 172.16.30.5-172.16.30.200 Example: 255.255.255.0
nat (inside,outside) source static [name your group of lans] [name your group of lans] destination static [name your VPN LAN] [name your VPN LAN] *Example: LANS LANS Example: VPN_NET VPN_NET - NEW WAY OF DOING NONAT
nat (outside,outside) source dynamic [name your VPN LAN] interface
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 [your isp gateway] 1 *Example: 199.10.199.10
route inside [lan1 ip subnet and mask] [lan1 gateway to internal network] 1 *Example: 10.0.0.0 255.0.0.0 10.61.0.1
route inside [lan2 ip subnet and mask] [lan2 gateway to internal network] 1 *Optional routes for more networks
route inside [lan3 ip subnet and mask] [lan3 gateway to internal network] 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server [name your RADIUS server] protocol radius *Example: MainRAD
aaa-server [name your RADIUS server] (inside) host [ip of your RADIUS server] *Example: 10.1.2.1
 key [radius key] *Example: secretsquirrel
crypto ipsec ikev1 transform-set TRANS_ESP esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_ esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_ mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp nat-traversal 21
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value [ip of your internal DNS server] *Example: 10.1.2.5
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool [name of your VPN IP address pool] *Example: GroupPool
 authentication-server-group [name your RADIUS server] *Example: MainRAD
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key [client pre-shared key] *Example: vpnpassword
!
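As an added example (not part of the original article), here is a small Python helper that applies the conventions above mechanically: it drops everything after the *, fills each [ ] placeholder from a dictionary, and refuses to emit a config with an unfilled placeholder. It then cross-checks the pieces this article depends on: the tunnel-group's authentication-server-group must name a RADIUS aaa-server that is actually defined, and the group policy must allow l2tp-ipsec. The template excerpt and the values are constructed from the article's own example annotations.

```python
import re

# Constructed excerpt of the annotated template above (not the full config).
TEMPLATE = """\
aaa-server [name your RADIUS server] protocol radius *Example: MainRAD
aaa-server [name your RADIUS server] (inside) host [ip of your RADIUS server] *Example: 10.1.2.1
 key [radius key] *Example: secretsquirrel
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool [name of your VPN IP address pool] *Example: GroupPool
 authentication-server-group [name your RADIUS server] *Example: MainRAD
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key [client pre-shared key] *Example: vpnpassword
"""

PLACEHOLDER = re.compile(r"\[([^\]]+)\]")

def render(template, values):
    """Strip the '*...' annotations and fill every [placeholder] from values.
    Raises KeyError on a placeholder with no value, so nothing half-filled
    is ever pasted into the ASA."""
    out = []
    for line in template.splitlines():
        line = line.split(" *", 1)[0].rstrip()   # drop the author's * notes
        missing = [m for m in PLACEHOLDER.findall(line) if m not in values]
        if missing:
            raise KeyError(missing)
        out.append(PLACEHOLDER.sub(lambda m: values[m.group(1)], line))
    return "\n".join(out)

def check(config):
    """Cross-checks on the rendered config; returns a list of problems."""
    problems = []
    servers = set(re.findall(r"^aaa-server (\S+) protocol radius", config, re.M))
    for ref in re.findall(r"^ authentication-server-group (\S+)", config, re.M):
        if ref not in servers:
            problems.append(f"tunnel-group references undefined aaa-server {ref}")
    if not re.search(r"^ vpn-tunnel-protocol .*l2tp-ipsec", config, re.M):
        problems.append("group-policy does not allow l2tp-ipsec")
    if PLACEHOLDER.search(config):
        problems.append("unfilled [placeholder] left in config")
    return problems

if __name__ == "__main__":
    demo = {"name your RADIUS server": "MainRAD", "ip of your RADIUS server": "10.1.2.1",
            "radius key": "secretsquirrel", "name of your VPN IP address pool": "GroupPool",
            "client pre-shared key": "vpnpassword"}
    cfg = render(TEMPLATE, demo)
    print(cfg)
    print(check(cfg) or "no problems found")
```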


On your Android device, go to settings, wireless and networks, VPN settings, and Add VPN.

Add L2TP/IPSec PSK VPN

VPN name is for you to choose; it can be anything
Set VPN server to your outside IP address
Set IPSec pre-shared key to the [client pre-shared key] you set in your ASA config
Leave "Enable L2TP secret" unchecked
You do not need to set DNS search domains

Happy VPN'ing!

Let me know if this has worked for you and what make / model / software version you are using.

Jeremy

Comments (2)

fgasimzade, Head of IT for Silk Way West Airlines

Commented:
Hello ZTrek7!

I have ASA 8.2.3 running and I managed to configure VPN on Android (Galaxy S3)

However, there is a problem I cannot solve.

When I use TACACS+ server for authentication, I can successfully connect

If I use RADIUS, it fails to connect from Android, but successfully connects from any other Windows machine

I can see a Phase 2 completed message in the debugs, but the phone still shows Connecting status for a while, and then stops with an Unsuccessful message.

Have you got any ideas about that? Is it possible that Android does not support RADIUS?