The native Android IPsec VPN client can connect to a Cisco ASA firewall, and this works even without the “AnyConnect for Mobile” license on the ASA. If only a basic remote access VPN connection is needed, this fits perfectly: it uses the classical IPsec (IKEv1) protocol rather than the newer SSL-based AnyConnect client, but the tunnel works all the same.
In this short post I show the configuration steps on the ASA and on the Android phone that are needed to establish a remote access VPN tunnel.
I am running a Cisco ASA 5505 with version 9.2(4). The Android smartphone is a Samsung Galaxy S4 Mini with Android 4.4.2.
Cisco ASA Config
The configuration steps on the ASA are mostly the same as for a classical VPN client connection profile:
Or the appropriate CLI commands:
ip local pool Pool_192.168.133.0 192.168.133.10-192.168.133.99 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
group-policy MainVPN internal
group-policy MainVPN attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value webernetz.net
!
tunnel-group MainVPN type remote-access
tunnel-group MainVPN general-attributes
 address-pool Pool_192.168.133.0
 default-group-policy MainVPN
tunnel-group MainVPN ipsec-attributes
 ikev1 pre-shared-key *****
Android IPsec PSK
This is how the VPN connection must be configured:
ASA Logs
Once the connection is established, the VPN session overview on the ASA shows the details:
And, of course, via the CLI:
fd-wv-fw03# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : weberjoh               Index        : 233
Assigned IP  : 192.168.133.10         Public IP    : 194.29.191.227
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)AES256  IPsecOverNatT: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 138957                 Bytes Rx     : 483030
Group Policy : MainVPN                Tunnel Group : MainVPN
Login Time   : 15:46:24 CEST Mon Oct 26 2015
Duration     : 0h:14m:20s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a88201000e9000562e3cc0
Security Grp : none
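As an added example (my own code, not from the post or from Cisco), here is a small Python parser for the session output above. It pulls the session fields out of the two-column layout, reads the negotiated IKEv1 and IPsec algorithms, and compares them against an assumed baseline (AES encryption, SHA-2 integrity; the baseline and the sample text are my assumptions), so that sessions still landing on the legacy policies kept for older clients can be spotted in bulk.

```python
import re

# Constructed sample, modelled on the "show vpn-sessiondb ra-ikev1-ipsec"
# output shown above (not a real capture).
SAMPLE_OUTPUT = """\
fd-wv-fw03# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : weberjoh               Index        : 233
Assigned IP  : 192.168.133.10         Public IP    : 194.29.191.227
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)AES256  IPsecOverNatT: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 138957                 Bytes Rx     : 483030
Group Policy : MainVPN                Tunnel Group : MainVPN
Login Time   : 15:46:24 CEST Mon Oct 26 2015
"""

# ASA pads each label to a column and follows it with " : "; a second field on
# the same line is separated by two or more spaces. Inner values such as
# "IKEv1: (1)AES256" have no space before the colon, so they are not split.
_FIELD_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z ]*?\s+:\s)")
_ALG_RE = re.compile(r"(\w+):\s*\(\d+\)(\w+)")  # "IKEv1: (1)AES256" -> (IKEv1, AES256)

def parse_session(text):
    """Return the session fields as a dict, e.g. {'Username': 'weberjoh', ...}."""
    fields = {}
    for line in text.splitlines():
        for seg in _FIELD_SPLIT.split(line.strip()):
            parts = re.split(r"\s*:\s*", seg, maxsplit=1)  # split on the first colon only
            if len(parts) == 2 and re.fullmatch(r"[A-Za-z][A-Za-z ]*", parts[0]):
                fields[parts[0].strip()] = parts[1].strip()
    return fields

def negotiated_algorithms(fields):
    """Map each layer (IKEv1, IPsecOverNatT, ...) to its (encryption, hash) pair."""
    enc = dict(_ALG_RE.findall(fields.get("Encryption", "")))
    hsh = dict(_ALG_RE.findall(fields.get("Hashing", "")))
    return {layer: (enc[layer], hsh.get(layer)) for layer in enc}

# Assumed audit baseline (my choice, not from the post): AES and SHA-2 only.
ACCEPTED_ENC = {"AES128", "AES192", "AES256"}
ACCEPTED_HASH = {"SHA256", "SHA384", "SHA512"}

def below_baseline(fields):
    """List (layer, kind, algorithm) tuples that do not meet the baseline."""
    findings = []
    for layer, (enc, hsh) in negotiated_algorithms(fields).items():
        if enc not in ACCEPTED_ENC:
            findings.append((layer, "encryption", enc))
        if hsh not in ACCEPTED_HASH:
            findings.append((layer, "hash", hsh))
    return findings
```

Running `below_baseline(parse_session(SAMPLE_OUTPUT))` on the sample reports SHA1 for both the IKEv1 and the IPsec layer, which is exactly what the `hash sha` lines in the IKEv1 policies and the `esp-sha-hmac` transform sets negotiate.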