
Saturday, 3 August 2013

Native Android VPN to a Cisco Router

Getting IPSec VPN connectivity between two devices is always a painful experience, somewhat akin to a root canal. So I eventually roused up the courage and decided to try and get Android 4.x native VPN to connect to a Cisco 877 at home. A few four-letter words and some blasphemy later, I finally had success!

The below example should help anyone else having problems getting this working.

Topology
The topology is drawn below. It's very simple, consisting of:
  • A Cisco 877 running 12.4(24)T1 (advanced IP services), attached to an ADSL line on the public side, with a LAN in RFC1918 space internally. Simple NAT is configured between the public and private sides.
  • An Android phone (in my case a Galaxy S3 running 4.1.2 stock) with a 3G SIM. My carrier runs CG-NAT, yet the setup still works.

Variables
In order to use this example in your setup, you need to determine the following variables:
  • Gateway address - The public IP address of the Cisco's WAN interface (e.g. 1.1.1.1).
  • Gateway interface - The name of the Cisco's WAN interface (e.g. Dialer0).
  • LAN interface - The name of the LAN interface on the Cisco (e.g. Ethernet0).
  • LAN subnet - The subnet of the LAN interface (e.g. 192.168.0.0/24).
  • IPSec PSK - A shared secret (key) for the IPsec/ISAKMP session.
  • L2TP username - A username for the L2TP layer of the session.
  • L2TP password - A password for the L2TP layer of the session.
  • Pool addresses - A range of (RFC1918) IP addresses to assign to Android VPN endpoints. Ideally unused addresses in the LAN subnet.
Cisco configuration:

!
vpdn enable
!
vpdn-group l2tpvpn
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation always
 l2tp tunnel hello 15
 no l2tp tunnel authentication
 l2tp ip udp checksum
 ip pmtu
 ip mtu adjust
!
! Enter L2TP username and password below.
username [l2tp_user] privilege 15 password [l2tp_pass]
!
crypto keyring l2tp
  ! Enter IPSec preshared Key below.
  pre-shared-key address 0.0.0.0 0.0.0.0 key [ipsec_psk]
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2  
 lifetime 3600
crypto isakmp keepalive 3600 periodic
crypto isakmp profile l2tp
   keyring l2tp
   match identity address 0.0.0.0 
!
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha-hmac 
 mode transport
!         
crypto dynamic-map dynvpn 1
 set nat demux
 set transform-set L2TP-TS 
 set isakmp-profile l2tp
!
crypto map CRYPTOMAP 20 ipsec-isakmp dynamic dynvpn 
!
! Use your public WAN interface.
interface Dialer0
 crypto map CRYPTOMAP
!
interface Virtual-Template1
 ! Below, specify the internal LAN interface.
 ip unnumbered Ethernet0
 ip proxy-arp
 ip mtu 1398
 peer default ip address pool VPN
 ppp mtu adaptive
 ppp authentication pap ms-chap ms-chap-v2 chap
!
! Specify the first and last IP address to assign.
ip local pool VPN [first_address] [last_address]
!
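
Before pasting the template above into a router, it is worth checking that the variables from the list are consistent with each other and that no [placeholder] is left unfilled. The following Python script is an added example, not part of the original post: it renders an excerpt of the template and validates the pool against the LAN subnet; the gateway address is the post's own example value, the other values are constructed.

```python
import ipaddress
import re

# Values for the post's "Variables" list. The gateway is the post's example
# address; the remaining values are constructed for a 192.168.0.0/24 LAN.
VARIABLES = {
    "gateway_address": "1.1.1.1",
    "gateway_interface": "Dialer0",
    "lan_interface": "Ethernet0",
    "lan_subnet": "192.168.0.0/24",
    "first_address": "192.168.0.200",
    "last_address": "192.168.0.210",
}

# Excerpt of the post's IOS template, using the same [placeholder] convention.
TEMPLATE = """\
interface [gateway_interface]
 crypto map CRYPTOMAP
interface Virtual-Template1
 ip unnumbered [lan_interface]
 peer default ip address pool VPN
ip local pool VPN [first_address] [last_address]
"""

def check_variables(v):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    lan = ipaddress.ip_network(v["lan_subnet"], strict=True)
    gateway = ipaddress.ip_address(v["gateway_address"])
    first = ipaddress.ip_address(v["first_address"])
    last = ipaddress.ip_address(v["last_address"])
    if not gateway.is_global:
        problems.append("gateway address is not public (the post assumes a public WAN IP)")
    if first > last:
        problems.append("pool first address is above last address")
    if first not in lan or last not in lan:
        problems.append("pool lies outside the LAN subnet (ip unnumbered/proxy-arp expect it inside)")
    if first == lan.network_address or last == lan.broadcast_address:
        problems.append("pool includes the LAN network or broadcast address")
    return problems

def render(template, v):
    """Fill the [placeholders]; refuse to emit a config with any left unfilled."""
    out = template
    for key, value in v.items():
        out = out.replace(f"[{key}]", value)
    leftover = sorted(set(re.findall(r"\[[a-z_]+\]", out)))
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return out

if __name__ == "__main__":
    print(check_variables(VARIABLES) or "variables OK")
    print(render(TEMPLATE, VARIABLES))
```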

Android configuration:

  1. Open Settings -> More settings
  2. Select VPN
  3. Select Add VPN network
  4. Set the following attributes:
    1. Name: a convenient name for the connection. Doesn't have to be related to anything above.
    2. Type: L2TP/IPSec PSK
    3. Server address: The WAN address of the Cisco router.
    4. L2TP Secret: Leave blank.
    5. IPSec identifier: Leave blank.
    6. IPSec pre-shared key: The IPSEC PSK from above.
    7. DNS search domains: Leave blank.
    8. DNS servers: Leave blank.
    9. Forwarding routes: The LAN subnet per above.
  5. Save the connection settings.
Connecting

  1. Open Settings -> More settings
  2. Select VPN
  3. Select the connection you created.
  4. Enter the L2TP username and L2TP password from above.
  5. Press Connect.
  6. After a while, the connection status should show as Connected and things should work.
Troubleshooting

IPSec rarely comes up first time; there's often some tweaking to be done in order to make the protocol(s) happy. Debugging can help narrow down where the problem lies.

The first thing to do (after verifying the config) is to enable ISAKMP debugging (debug crypto isakmp). This will determine whether the first phase of the connection is successful. In particular, the following message is a good clue:

.Aug  3 22:39:56: ISAKMP:(0): phase 1 SA policy not acceptable! (local 27.32.237.11 remote 143.173.71.56)
.Aug  3 22:39:56: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
.Aug  3 22:39:56: ISAKMP:(0): Failed to construct AG informational message.
.Aug  3 22:39:56: ISAKMP:(0): sending packet to 143.173.71.56 my_port 500 peer_port 61824 (R) MM_NO_STATE
.Aug  3 22:39:56: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Aug  3 22:39:56: ISAKMP:(0):peer does not do paranoid keepalives.
.Aug  3 22:39:56: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 143.173.71.56)

This generally means that the parameters in the 'crypto isakmp policy 1' statement don't match what the phone offers. The preceding debug messages will show what was received from the phone - you need to ensure the Cisco is configured with one of these.

Another clue as to a problem is the following in the messages:

.Aug  3 22:43:27: ISAKMP (2045): received packet from 49.176.71.56 dport 4500 sport 56928 Global (R) MM_KEY_EXCH
.Aug  3 22:43:27: ISAKMP: reserved not zero on ID payload!
.Aug  3 22:43:27: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 143.173.71.56 failed its sanity check or is malformed
.Aug  3 22:43:27: ISAKMP (2045): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

This tends to indicate a mismatch of the pre-shared key. Be sure that they are the same.

The following message can indicate a typo in the router config:

.Aug  3 22:46:46: ISAKMP:(2046):atts are acceptable.
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 143.173.71.56)
.Aug  3 22:46:46: ISAKMP: set new node 31785139 to QM_IDLE      
.Aug  3 22:46:46: ISAKMP:(2046):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2225914040, message ID = 31785139

This is generally indicative of a problem at the next layer. Enable debug l2tp error for messages at the next layer. If this still doesn't solve the problem, then debug ppp authen and debug ppp error can track it down further.
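
The three symptoms above (phase 1 policy mismatch, pre-shared key mismatch, phase 2 or L2TP-layer failure) are easy to pick out of a long debug capture with a small triage script. The following Python is an added example, not part of the original post: the sample lines are constructed from the debug messages quoted above, and the rule names and advice strings are my own summary of the text.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug lines quoted in this post.
SAMPLE_DEBUG = """\
.Aug  3 22:39:56: ISAKMP:(0): phase 1 SA policy not acceptable! (local 27.32.237.11 remote 143.173.71.56)
.Aug  3 22:39:56: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 143.173.71.56)
.Aug  3 22:43:27: ISAKMP: reserved not zero on ID payload!
.Aug  3 22:43:27: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 143.173.71.56 failed its sanity check or is malformed
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 143.173.71.56)
"""

# (pattern, diagnosis, what to check) - one rule per symptom described in the post.
RULES = [
    (re.compile(r"phase 1 SA policy not acceptable"), "phase1_policy_mismatch",
     "align 'crypto isakmp policy' (encr/hash/group/auth) with the proposal the phone sent"),
    (re.compile(r"reserved not zero on ID payload|IKMP_BAD_MESSAGE"), "psk_mismatch",
     "re-enter the IPSec pre-shared key on router and phone"),
    (re.compile(r"phase 2 SA policy not acceptable|IPSec policy invalidated proposal"),
     "phase2_or_l2tp_problem",
     "check the transform-set/'mode transport', then 'debug l2tp error' and 'debug ppp authen'"),
]
TS_RE = re.compile(r"^\.?(\w{3}\s+\d+ \d\d:\d\d:\d\d):")
PEER_RE = re.compile(r"(?:remote|peer|from) (\d+\.\d+\.\d+\.\d+)")

def triage(debug_text):
    """Return (timestamp, peer, diagnosis, action) for every line matching a rule."""
    findings = []
    for line in debug_text.splitlines():
        for pattern, diagnosis, action in RULES:
            if pattern.search(line):
                ts = TS_RE.match(line)
                peer = PEER_RE.search(line)
                findings.append((ts.group(1) if ts else None,
                                 peer.group(1) if peer else None, diagnosis, action))
                break  # first matching rule wins
    return findings

def summarize(debug_text):
    """Count diagnoses so the repeated 'invalidated proposal' lines collapse into one tally."""
    return Counter(finding[2] for finding in triage(debug_text))

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG):
        print(finding)
    print(dict(summarize(SAMPLE_DEBUG)))
```

Pipe the output of a real debug session into triage() and read the summary first; the individual findings then tell you which peer and which timestamp to look at.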

MTU problems

If you find that short data connections get through but not large ones (e.g. web pages return partially complete), then it's likely you have an MTU problem. In the Virtual-Template1 configuration stanza, try changing the MTU from 1398 down to 1300 or even 1200. Other MTU optimisation strategies exist, but are beyond the scope here.

1 comment:

  1. Hello.
    Could you possibly send me a sample configuration of a Cisco 877 with IPSec Xauth send-PSK.
    What would change as opposed to your config, or be added.
    Thank you. My Contact: Olaf@kaergernet.de