Connect to Cisco ASA 8.2 VPN with Android 2.1 L2TP/IPsec?

android vpn cisco

I am trying to configure my Cisco ASA 5510 running software version 8.2 to allow my Droid X to connect via L2TP/IPSec VPN. I have configured the DefaultRAGroup like so:

tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 default-group-policy droid
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2

and the associated group policy:

group-policy droid internal
group-policy droid attributes
 wins-server value (ip omitted)
 dns-server value (ip omitted)
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall

Watching the log while I try to connect from my phone, I get to "PHASE 2 COMPLETED" but then nothing else happens, and after a few more seconds, the phone says the connection failed. With full ipsec, isakmp, and l2tp debugs, I can see the IKE negotiation complete successfully and the IPSec SA established, then there are these messages:

IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701> 
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <72.121.92.238> mask <255.255.255.255> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1>  np_rule_id <0xd84fa348>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1>  np_rule_id <0xd850ad08>

...and nothing else happens. No L2TP traffic flows, and there are no error messages. Inspecting "show vpn-sessiondb" indicates the ASA believes it has established ISAKMP and IPSec associations, but there are no L2TP/IPSec sessions. Has anyone gotten this working; or, failing that, any ideas for how to further troubleshoot this problem?

Edit: Additional testing has shown that it works with a non-android L2TP client, it works from the Droid X over WiFi, but it does NOT work from the Droid X over Verizon's wireless data network. I have filed a bug in the android tracker here: http://code.google.com/p/android/issues/detail?id=9950


Solution 1:

The problem is the split tunneling. I'm actually surprised you got it working in the first place with the stock vpn client. It's crap.

Anyway, the major carriers usually assign a private 10.0.0.0/8 ip to their devices, so when you try to split tunnel it fails as it can't determine what's tunneled and what's not. Enjoy.

Solution 2:

The bug report I submitted to the AOSP was closed years ago as "won't fix (Obsolete)," and the Cisco TAC told other users that this configuration was not supported.

Related

CASE WHEN statement for ORDER BY clause
ISC Bind support for GSS-TSIG DDNS Updates?
Xen vs KVM: Which will have likely better support (read:bugfixes) in the future?
Random entry from dictionary
OpenVPN client without redirect-gateway doing triangular routing and IP spoofing not working on Ubuntu
rotate nohup out file (nohup.log)
How to hide Table Row Overflow?
Easiest way to corrupt ext3 file system (for testing)?
Android gradle build Error:(9, 0) Gradle DSL method not found: 'compile()'.
what are the advantages/disadvantages of cloud server versus a VPS?
Where is the best place for LUKS to sit in a RAID/LVM/LUKS stack?
Name not defined in type annotation [duplicate]