Connect to Cisco ASA 8.2 VPN with Android 2.1 L2TP/IPsec?

I am trying to configure my Cisco ASA 5510 running software version 8.2 to allow my Droid X to connect via L2TP/IPSec VPN. I have configured the DefaultRAGroup like so:

tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 default-group-policy droid
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2

and the associated group policy:

group-policy droid internal
group-policy droid attributes
 wins-server value (ip omitted)
 dns-server value (ip omitted)
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall

Watching the log while I try to connect from my phone, I get to "PHASE 2 COMPLETED" but then nothing else happens, and after a few more seconds, the phone says the connection failed. With full ipsec, isakmp, and l2tp debugs, I can see the IKE negotiation complete successfully and the IPSec SA established, then there are these messages:

IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701> 
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <72.121.92.238> mask <255.255.255.255> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1>  np_rule_id <0xd84fa348>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1>  np_rule_id <0xd850ad08>

...and nothing else happens. No L2TP traffic flows, and there are no error messages. Inspecting "show vpn-sessiondb" indicates the ASA believes it has established ISAKMP and IPSec associations, but there are no L2TP/IPSec sessions. Has anyone gotten this working; or, failing that, any ideas for how to further troubleshoot this problem?

Edit: Additional testing has shown that it works with a non-android L2TP client, it works from the Droid X over WiFi, but it does NOT work from the Droid X over Verizon's wireless data network. I have filed a bug in the android tracker here: http://code.google.com/p/android/issues/detail?id=9950
Solution 1:

The problem is the split tunneling. I'm actually surprised you got it working in the first place with the stock vpn client. It's crap.

Anyway, the major carriers usually assign a private 10.0.0.0/8 ip to their devices, so when you try to split tunnel it fails as it can't determine what's tunneled and what's not. Enjoy.
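
As an added illustration (not code from the question's author, from Cisco, or from either answer), the following Python script parses the ASA L2TP lower-layer debug lines quoted in the question, confirms that the IKE quick-mode handler and the L2TP layer agree on the peer address and that both the PERMIT and PUNT classification rules for UDP 1701 were installed, and then compares the peer address the ASA saw with the address the client itself holds, which is the carrier-NAT situation Solution 1 describes. The regular expressions are written against the exact line formats quoted in the question and are an assumption for any other ASA release; the sample debug text and the `10.20.30.40` client address are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: the ASA debug lines quoted in the question, verbatim.
SAMPLE_DEBUG = """\
IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701>
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <72.121.92.238> mask <255.255.255.255> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1>  np_rule_id <0xd84fa348>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1>  np_rule_id <0xd850ad08>
"""

# Patterns matching the line formats shown in the question (assumed stable for this release).
IKEQM_RE = re.compile(
    r"IKEQM_Active\(\) Add L2TP classification rules: ip <([^>]+)> mask <([^>]+)> port <(\d+)>")
RULE_RE = re.compile(r"l2tp_add_(fw|punt)_rule\(\): If (\d+), peer IP ([\d.]+), peer port (\d+)")
STATIC_RE = re.compile(
    r"np_classify_add_static\((PERMIT|PUNT)\) vpif_num<(\d+)>\s+np_rule_id <(0x[0-9a-fA-F]+)>")


def parse_l2tp_classification(debug_text):
    """Collect what the ASA installed for the L2TP lower layer from a debug capture."""
    summary = {"ikeqm_peer": None, "ikeqm_port": None, "rules": [], "static_rules": []}
    for line in debug_text.splitlines():
        m = IKEQM_RE.search(line)
        if m:
            summary["ikeqm_peer"] = m.group(1)
            summary["ikeqm_port"] = int(m.group(3))
            continue
        m = RULE_RE.search(line)
        if m:
            summary["rules"].append({"kind": m.group(1), "interface": int(m.group(2)),
                                     "peer": m.group(3), "port": int(m.group(4))})
            continue
        m = STATIC_RE.search(line)
        if m:
            summary["static_rules"].append({"action": m.group(1), "vpif": int(m.group(2)),
                                            "rule_id": m.group(3)})
    return summary


def diagnose(summary):
    """Decide whether the ASA side is ready for L2TP and list anything inconsistent."""
    notes = []
    peer = summary["ikeqm_peer"]
    if peer is None:
        return {"rules_complete": False,
                "notes": ["no IKEQM L2TP classification line: no IPsec SA for L2TP was built"]}
    if summary["ikeqm_port"] != 1701:
        notes.append(f"classification port is {summary['ikeqm_port']}, expected 1701 (L2TP)")
    actions = {r["action"] for r in summary["static_rules"]}
    for needed in ("PERMIT", "PUNT"):
        if needed not in actions:
            notes.append(f"missing {needed} classification rule for peer {peer}")
    rule_peers = {r["peer"] for r in summary["rules"]}
    if rule_peers and rule_peers != {peer}:
        notes.append(f"peer mismatch: IKE saw {peer}, L2TP layer saw {sorted(rule_peers)}")
    complete = not notes
    if complete:
        # Everything the ASA needs to accept L2TP from this peer is in place; a stall after
        # this point means no L2TP control traffic was ever decapsulated from the peer.
        notes.append(f"ASA ready to accept L2TP on UDP 1701 from {peer}; "
                     "a stall here points at the client or the path to it")
    return {"rules_complete": complete, "notes": notes}


def client_behind_nat(client_addr, peer_seen_by_asa):
    """True when the client's own address differs from the one the ASA negotiated with,
    i.e. a NAT (such as a carrier's 10.0.0.0/8 pool behind a public gateway) sits in between."""
    client = ipaddress.ip_address(client_addr)
    peer = ipaddress.ip_address(peer_seen_by_asa)
    return client != peer or (client.is_private and not peer.is_private)


if __name__ == "__main__":
    s = parse_l2tp_classification(SAMPLE_DEBUG)
    for note in diagnose(s)["notes"]:
        print(note)
    # Constructed: a handset holding a carrier-assigned private address.
    print("client behind NAT:", client_behind_nat("10.20.30.40", s["ikeqm_peer"]))
```

Run it against a saved `debug l2tp` capture instead of `SAMPLE_DEBUG` to confirm whether the ASA side finished its part; when it did, and `client_behind_nat` is true for the handset's own address, the next thing to check is the NAT path between the handset and the firewall rather than the tunnel-group configuration.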

Solution 2:

The bug report I submitted to the AOSP was closed years ago as "won't fix (Obsolete)," and the Cisco TAC told other users that this configuration was not supported.