The native Android IPsec VPN client supports connections to the Cisco ASA firewall. This even works without the “AnyConnect for Mobile” license on the ASA. If only a basic remote access VPN connection is needed, this fits perfectly. It uses the classical IPsec protocol instead of the newer SSL version. However, the VPN tunnel works anyway.
In this short post I am showing the configuration steps on the ASA and on the Android phone in order to establish a remote access VPN tunnel.
I am running a Cisco ASA 5505 with version 9.2(4). The Android smartphone is a Samsung Galaxy S4 Mini with Android 4.4.2.
Cisco ASA Config
The configuration steps on the ASA are mostly the same as for a classical VPN-Client connection profile:
Or the appropriate CLI commands:
ip local pool Pool_192.168.133.0 192.168.133.10-192.168.133.99 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
group-policy MainVPN internal
group-policy MainVPN attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value webernetz.net
!
tunnel-group MainVPN type remote-access
tunnel-group MainVPN general-attributes
 address-pool Pool_192.168.133.0
 default-group-policy MainVPN
tunnel-group MainVPN ipsec-attributes
 ikev1 pre-shared-key *****
Android IPsec PSK
This is how the VPN connection must be configured:
ASA Logs
After the connection is established, the ASA shows the VPN session details:
And, of course, via the CLI:
fd-wv-fw03# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : weberjoh               Index        : 233
Assigned IP  : 192.168.133.10         Public IP    : 194.29.191.227
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)AES256  IPsecOverNatT: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 138957                 Bytes Rx     : 483030
Group Policy : MainVPN                Tunnel Group : MainVPN
Login Time   : 15:46:24 CEST Mon Oct 26 2015
Duration     : 0h:14m:20s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a88201000e9000562e3cc0
Security Grp : none
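As an added example (not part of the original post or of any Cisco tool), here is a small Python parser for this `show vpn-sessiondb` output that extracts the algorithms negotiated for IKEv1 and for the IPsec SA and checks them against a minimum policy; the sample text is a trimmed copy of the session above, and the policy thresholds (AES256 only, no MD5) are my assumptions.

```python
import re
# Constructed sample: a trimmed copy of the session output shown in the post.
SAMPLE = """\
Username     : weberjoh               Index        : 233
Assigned IP  : 192.168.133.10         Public IP    : 194.29.191.227
Protocol     : IKEv1 IPsecOverNatT
Encryption   : IKEv1: (1)AES256  IPsecOverNatT: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 138957                 Bytes Rx     : 483030
Group Policy : MainVPN                Tunnel Group : MainVPN
Login Time   : 15:46:24 CEST Mon Oct 26 2015
"""

# Known labels: values such as "15:46:24" or "IKEv1: (1)AES256" also contain
# colons, so splitting on ':' alone would mis-parse the two-column layout.
LABELS = ("Username", "Index", "Assigned IP", "Public IP", "Protocol",
          "Encryption", "Hashing", "Bytes Tx", "Bytes Rx", "Group Policy",
          "Tunnel Group", "Login Time")
LABEL_RE = re.compile(r"(%s)\s*:\s*" % "|".join(map(re.escape, LABELS)))
# "IKEv1: (1)AES256" -> ("IKEv1", "AES256"); the (n) is the SA count.
ALG_RE = re.compile(r"(\w+):\s*\(\d+\)(\w+)")

def parse_session(text):
    """Return {label: value}; Encryption/Hashing become {phase: algorithm}."""
    fields = {}
    for line in text.splitlines():
        hits = list(LABEL_RE.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            fields[m.group(1)] = line[m.end():end].strip()
    for key in ("Encryption", "Hashing"):
        if key in fields:
            fields[key] = dict(ALG_RE.findall(fields[key]))
    return fields

def policy_findings(sess, allowed_enc=("AES256",), banned_hash=("MD5",)):
    """Algorithms negotiated per phase that violate the (assumed) policy."""
    findings = []
    for phase, alg in sess.get("Encryption", {}).items():
        if alg not in allowed_enc:
            findings.append("%s encryption %s below policy" % (phase, alg))
    for phase, alg in sess.get("Hashing", {}).items():
        if alg in banned_hash:
            findings.append("%s hashing %s is not allowed" % (phase, alg))
    return findings

if __name__ == "__main__":
    s = parse_session(SAMPLE)
    print(s["Username"], s["Public IP"], policy_findings(s) or "compliant")
```

Feeding the full output of `show vpn-sessiondb ra-ikev1-ipsec` to `parse_session` lets a monitoring job flag sessions that fell back to the weaker transform set or IKE policy allowed in the configuration above.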
Featured image “Androids” by etnyk is licensed under CC BY-NC-ND 2.0.
Hi sir,
As you posted your configuration above, I have configured the same, but I am not able to access IPsec Xauth. I have a Cisco ASA 5520 with IOS 8.2. Please send me the configuration for IOS 8.2. I have configured the following:
ASA:
ip local pool abc 117.55.240.35-117.55.240.40 mask 255.255.255.192
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
group-policy MainVPN internal
group-policy MainVPN attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol svc
 default-domain value cjnet4u.com
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 address-pool abc
 default-group-policy MainVPN
tunnel-group WEBVPN ipsec-attributes
 pre-shared-key *****
Yes, it is good but pretty expensive. I found this blog (https://www.purevpn.com/blog/remote-access-vpn/) regarding secure remote access VPN, and their service costs are reasonable.
Hi,
Great information! It works with Android devices using the native VPN “IPSec Xauth PSK”, but I’m not sure how to implement it with “Always-on VPN”.