Cisco ASA Remote Access VPN for Android

The native Android IPsec VPN client supports connections to the Cisco ASA firewall. This even works without the “AnyConnect for Mobile” license on the ASA. If only a basic remote access VPN connection is needed, this fits perfectly. It uses the classical IPsec protocol instead of the newer SSL version. However, the VPN tunnel works anyway.

In this short post I am showing the configuration steps on the ASA and on the Android phone in order to establish a remote access VPN tunnel.

I am running a Cisco ASA 5505 with version 9.2(4). The Android smartphone is a Samsung Galaxy S4 Mini with Android 4.4.2.

Cisco ASA Config

The configuration steps on the ASA are mostly the same as for a classical VPN-Client connection profile:

Or the appropriate CLI commands:

 

Android IPsec PSK

This is how the VPN connection must be configured:

ASA Logs

After a connection establishment, the VPN session details on the ASA show details:

Cisco ASA Session Details

And, of course, via the CLI:

Featured image “Androids” by etnyk is licensed under CC BY-NC-ND 2.0.

3 thoughts on “Cisco ASA Remote Access VPN for Android

  1. hi sir
    as you post your configuration above mention .I have configuration to same.but i m not access ipsec xauth .i have cisco asa 5520 with ios 8.2.please send me configuration of 8.2 ios.I have configured below mention

    Asa:-
    ip local pool abc 117.55.240.35-117.55.240.40 mask 255.255.255.192
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    group-policy MainVPN internal
    group-policy MainVPN attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc
    default-domain value cjnet4u.com

    tunnel-group WEBVPN type remote-access
    tunnel-group WEBVPN general-attributes
    address-pool abc
    default-group-policy MainVPN
    tunnel-group WEBVPN ipsec-attributes
    pre-shared-key *****

  2. Hi,
    Great information! It works with android devices using native VPN “IPSec Xauth PSK”, but I’m not sure how to implement it with “Always on VPN”

Leave a Reply

Your email address will not be published. Required fields are marked *