Quantcast
Channel: Network – Weberblog.net
Viewing all articles
Browse latest Browse all 253

Cisco ASA Remote Access VPN for Android

$
0
0
Android ASA VPN featured image

The native Android IPsec VPN client supports connections to the Cisco ASA firewall. This even works without the “AnyConnect for Mobile” license on the ASA. If only a basic remote access VPN connection is needed, this fits perfectly. It uses the classical IPsec protocol instead of the newer SSL version. However, the VPN tunnel works anyway.

In this short post I am showing the configuration steps on the ASA and on the Android phone in order to establish a remote access VPN tunnel.

I am running a Cisco ASA 5505 with version 9.2(4). The Android smartphone is a Samsung Galaxy S4 Mini with Android 4.4.2.

Cisco ASA Config

The configuration steps on the ASA are mostly the same as for a classical VPN-Client connection profile:

Group Poliy: Enable at least IPsec IKEv1. Choose DNS Servers. Connection Profile: Choose a PSK, an Address Pool, and select the Group Policy. NOTE: The name of this connection profile is the later on used "IPsec Identifier". Crypto Map: Delete all "DES" and "3DES" Proposals!!! Crypto Map 2nd screen. Crypto Map last screen. IKE Policies. Don't forget to enable IPsec on the outside interface.

Or the appropriate CLI commands:

ip local pool Pool_192.168.133.0 192.168.133.10-192.168.133.99 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
group-policy MainVPN internal
group-policy MainVPN attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value webernetz.net
!
tunnel-group MainVPN type remote-access
tunnel-group MainVPN general-attributes
 address-pool Pool_192.168.133.0
 default-group-policy MainVPN
tunnel-group MainVPN ipsec-attributes
 ikev1 pre-shared-key *****

 

Android IPsec PSK

This is how the VPN connection must be configured:

Add a new VPN with "IPSec Xauth PSK". Type in the name of the connection profile on the ASA as well as the PSK. Login with a user from the ASA. Connection established.

ASA Logs

After a connection establishment, the VPN session details on the ASA show details:

Cisco ASA Session Details

And, of course, via the CLI:

fd-wv-fw03# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username     : weberjoh               Index        : 233
Assigned IP  : 192.168.133.10         Public IP    : 194.29.191.227
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)AES256  IPsecOverNatT: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 138957                 Bytes Rx     : 483030
Group Policy : MainVPN                Tunnel Group : MainVPN
Login Time   : 15:46:24 CEST Mon Oct 26 2015
Duration     : 0h:14m:20s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a88201000e9000562e3cc0
Security Grp : none

 


Viewing all articles
Browse latest Browse all 253

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>