Saturday, 3 August 2013

Native Android VPN to a Cisco Router

Getting IPSec VPN connectivity between two devices is always a painful experience, somewhat akin to a root canal. So I eventually roused up the courage and decided to try to get the Android 4.x native VPN client to connect to a Cisco 877 at home. A few four-letter words and some blasphemy later, I finally had success!

The example below should help anyone else having problems getting this working.

Topology
The topology is drawn below. It's very simple, consisting of:
  • A Cisco 877 running 12.4(24)T1 (advanced IP services), attached to an ADSL line on the public side, with a LAN in RFC1918 space internally. Simple NAT is configured between the public and private sides.
  • An Android phone (in my case a Galaxy S3 running 4.1.2 stock) with a 3G SIM. My carrier runs CG-NAT, yet the setup still works.

Variables
In order to use this example in your setup, you need to determine the following variables:
  • Gateway address: the public IP address of the Cisco's WAN interface (e.g. 1.1.1.1).
  • Gateway interface: the name of the Cisco's WAN interface (e.g. Dialer0).
  • LAN interface: the name of the LAN interface on the Cisco (e.g. Ethernet0).
  • LAN subnet: the subnet of the LAN interface (e.g. 192.168.0.0/24).
  • IPSec PSK: a shared secret (key) for the IPSec/ISAKMP session.
  • L2TP username: a username for the L2TP layer of the session.
  • L2TP password: a password for the L2TP layer of the session.
  • Pool addresses: a range of (RFC1918) IP addresses to assign to Android VPN endpoints, ideally unused addresses in the LAN subnet.
Cisco configuration:

!
vpdn enable
!
vpdn-group l2tpvpn
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation always
 l2tp tunnel hello 15
 no l2tp tunnel authentication
 l2tp ip udp checksum
 ip pmtu
 ip mtu adjust
!
! Enter L2TP username and password below.
! Note: privilege 15 is not needed for PPP authentication; it grants full
! exec access should this account ever reach a login prompt on the router.
username [l2tp_user] privilege 15 password [l2tp_pass]
!
crypto keyring l2tp
  ! Enter IPSec preshared Key below. The 0.0.0.0 0.0.0.0 mask applies the
  ! key to any peer address, which a roaming phone (behind CG-NAT) needs.
  pre-shared-key address 0.0.0.0 0.0.0.0 key [ipsec_psk]
!
! Phase 1 policy: must match one of the proposals the phone offers.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 3600 periodic
crypto isakmp profile l2tp
   keyring l2tp
   match identity address 0.0.0.0
!
! Phase 2: transport mode, since L2TP itself carries the tunnelled traffic.
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Dynamic map, as the phone's address is not known in advance.
! nat demux lets several clients behind the same NAT address be told apart.
crypto dynamic-map dynvpn 1
 set nat demux
 set transform-set L2TP-TS
 set isakmp-profile l2tp
!
crypto map CRYPTOMAP 20 ipsec-isakmp dynamic dynvpn
!
! Use your public WAN interface.
interface Dialer0
 crypto map CRYPTOMAP
!
interface Virtual-Template1
 ! Below, specify the internal LAN interface.
 ip unnumbered Ethernet0
 ip proxy-arp
 ! Reduced MTU to leave room for the L2TP/IPSec overhead (see MTU problems).
 ip mtu 1398
 peer default ip address pool VPN
 ppp mtu adaptive
 ppp authentication pap ms-chap ms-chap-v2 chap
!
! Specify the first and last IP address to assign.
ip local pool VPN [first_address] [last_address]
!
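The configuration above is a template with the values from the Variables list filled in by hand. As an added example (not part of the original post), the Python script below checks those values against each other before they are typed into the router (pool inside the LAN subnet, no network or broadcast address in the pool, no characters in the keys that the IOS command line would misinterpret, plausible interface names) and then renders only the lines of the configuration that carry a variable. The function names, the placeholder names and the sample values are constructed for this example.

```python
"""Constructed helper, not from the original post: check the values from the
post's Variables list for consistency, then fill them into the lines of the
Cisco 877 L2TP/IPSec configuration that carry a placeholder."""
import ipaddress
import re

# Only the lines of the post's configuration that take a variable; the fixed
# lines around them are unchanged from the post. Placeholder names are ours.
VARIABLE_LINES = [
    "username {l2tp_user} privilege 15 password {l2tp_pass}",
    "  pre-shared-key address 0.0.0.0 0.0.0.0 key {ipsec_psk}",
    "interface {wan_if}",
    " ip unnumbered {lan_if}",
    "ip local pool VPN {first_address} {last_address}",
]

IOS_IFNAME = re.compile(r"[A-Za-z]+[0-9]+([/.][0-9]+)*")  # e.g. Dialer0, Vlan1, ATM0.1


def check_variables(v):
    """Return a list of problems; an empty list means the values fit together."""
    problems = []
    lan = ipaddress.ip_network(v["lan_subnet"], strict=True)
    first = ipaddress.ip_address(v["first_address"])
    last = ipaddress.ip_address(v["last_address"])
    if last < first:
        problems.append("pool: last_address precedes first_address")
    # Virtual-Template1 is 'ip unnumbered' on the LAN interface, so pool
    # addresses must sit inside the LAN subnet for proxy-ARP to answer for them.
    for name, addr in (("first_address", first), ("last_address", last)):
        if addr not in lan:
            problems.append(f"pool: {name} {addr} is outside LAN subnet {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"pool: {name} {addr} is the network or broadcast address")
    # IOS ends the key at the first space and treats '?' as a help request,
    # so neither can be typed into a key at the CLI; short keys are guessable.
    psk = v["ipsec_psk"]
    if re.search(r"[\s?]", psk):
        problems.append("ipsec_psk: must not contain whitespace or '?'")
    if len(psk) < 16:
        problems.append("ipsec_psk: shorter than 16 characters")
    for field in ("l2tp_user", "l2tp_pass"):
        if not v[field] or re.search(r"[\s?]", v[field]):
            problems.append(f"{field}: empty or contains whitespace or '?'")
    for field in ("wan_if", "lan_if"):
        if not IOS_IFNAME.fullmatch(v[field]):
            problems.append(f"{field}: '{v[field]}' does not look like an IOS interface name")
    if v["wan_if"] == v["lan_if"]:
        problems.append("wan_if and lan_if must be different interfaces")
    return problems


def render_variable_lines(v):
    """Substitute the variables; refuse to render if any check fails."""
    problems = check_variables(v)
    if problems:
        raise ValueError("; ".join(problems))
    return [line.format(**v) for line in VARIABLE_LINES]


# Constructed sample values for the example, not the post's own.
SAMPLE = {
    "wan_if": "Dialer0",
    "lan_if": "Ethernet0",
    "lan_subnet": "192.168.0.0/24",
    "first_address": "192.168.0.200",
    "last_address": "192.168.0.209",
    "ipsec_psk": "example-psk-replace-me-2013",
    "l2tp_user": "android",
    "l2tp_pass": "example-l2tp-password",
}

if __name__ == "__main__":
    for line in render_variable_lines(SAMPLE):
        print(line)
```

Running the script prints the five variable-bearing lines ready to paste into the rest of the configuration; any failed check raises instead, so a pool that lands outside the LAN subnet is caught before the first phone tries to connect.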

Android configuration:

  1. Open Settings -> More settings
  2. Select VPN
  3. Select Add VPN network
  4. Set the following attributes:
    1. Name: a convenient name for the connection. Doesn't have to be related to anything above.
    2. Type: L2TP/IPSec PSK
    3. Server address: The WAN address of the Cisco router.
    4. L2TP Secret: Leave blank.
    5. IPSec identifier: Leave blank.
    6. IPSec pre-shared key: The IPSEC PSK from above.
    7. DNS search domains: Leave blank.
    8. DNS servers: Leave blank.
    9. Forwarding routes: The LAN subnet per above.
    10. Save the connection settings.
Connecting

  1. Open Settings -> More settings
  2. Select VPN
  3. Select the connection you created.
  4. Enter the L2TP username and L2TP password from above.
  5. Press Connect.
  6. After a while, the connection status should show as Connected and things should work.
Troubleshooting

IPSec rarely comes up the first time; there's often some tweaking to be done to make the protocol(s) happy. Debugging can help narrow down where the problem lies.

The first thing to do (after verifying the config) is to enable ISAKMP debugging (debug crypto isakmp). This will determine whether the first phase of the connection is successful. In particular, the following message is a good clue:

.Aug  3 22:39:56: ISAKMP:(0): phase 1 SA policy not acceptable! (local 27.32.237.11 remote 143.173.71.56)
.Aug  3 22:39:56: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
.Aug  3 22:39:56: ISAKMP:(0): Failed to construct AG informational message.
.Aug  3 22:39:56: ISAKMP:(0): sending packet to 143.173.71.56 my_port 500 peer_port 61824 (R) MM_NO_STATE
.Aug  3 22:39:56: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Aug  3 22:39:56: ISAKMP:(0):peer does not do paranoid keepalives.
.Aug  3 22:39:56: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 143.173.71.56)

This generally means that the parameters in the 'crypto isakmp policy 1' statement don't match what the phone offers. The preceding messages will show the proposals received from the phone; the Cisco needs a policy that matches one of them.

Another clue as to a problem is the following in the messages:

.Aug  3 22:43:27: ISAKMP (2045): received packet from 49.176.71.56 dport 4500 sport 56928 Global (R) MM_KEY_EXCH
.Aug  3 22:43:27: ISAKMP: reserved not zero on ID payload!
.Aug  3 22:43:27: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 143.173.71.56 failed its sanity check or is malformed
.Aug  3 22:43:27: ISAKMP (2045): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

This tends to indicate a mismatch of the pre-shared key. Be sure it is the same on the router and the phone.

The following message can indicate a typo in the router config:

.Aug  3 22:46:46: ISAKMP:(2046):atts are acceptable.
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 143.173.71.56)
.Aug  3 22:46:46: ISAKMP: set new node 31785139 to QM_IDLE      
.Aug  3 22:46:46: ISAKMP:(2046):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2225914040, message ID = 31785139

This is generally indicative of a problem at the next layer. Enable debug l2tp error for messages at that layer. If this still doesn't solve the problem, then debug ppp authen and debug ppp error can track it down further.
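The three diagnoses above each hang on a recognisable line in the debug output. As an added example (not part of the original post), the Python script below turns them into a small triage tool: it reads a batch of debug crypto isakmp output, counts the lines matching each failure mode, records when it first appeared and which peer address it involved, and prints the post's advice next to it. It goes slightly beyond the post in that it keeps per-peer counts, so several phones failing for different reasons can be told apart. The signature list, the function names and the sample debug lines (modelled on the post's output but using documentation addresses) are constructed for this example.

```python
"""Constructed example, not from the original post: triage 'debug crypto isakmp'
output into the three failure modes the post describes (phase 1 policy mismatch,
pre-shared key mismatch, phase 2 proposal rejected) and report per-peer counts."""
import re

# Signatures taken from the debug lines quoted in the post; the hints paraphrase
# the post's advice. The first matching signature wins for a given line.
SIGNATURES = [
    ("phase1-policy-mismatch",
     re.compile(r"phase 1 SA policy not acceptable"),
     "crypto isakmp policy does not match any proposal from the phone"),
    ("psk-mismatch",
     re.compile(r"reserved not zero on ID payload|IKMP_BAD_MESSAGE"),
     "pre-shared key differs between router and phone"),
    ("phase2-proposal-rejected",
     re.compile(r"IPSec policy invalidated proposal|phase 2 SA policy not acceptable"),
     "check transform-set/crypto map for typos, then debug l2tp error and debug ppp"),
]

# ".Aug  3 22:39:56: <message>" as printed by the router in the post.
LINE_RE = re.compile(r"^\.?(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d): (?P<msg>.*)$")
PEER_RE = re.compile(r"(?:remote|from|peer) (\d{1,3}(?:\.\d{1,3}){3})")


def classify(lines):
    """Map failure mode -> {hint, first_seen, count, peers} for the lines given.

    Lines without a timestamp (continuation lines) are ignored."""
    found = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        for mode, pattern, hint in SIGNATURES:
            if pattern.search(msg):
                entry = found.setdefault(
                    mode, {"hint": hint, "first_seen": m["ts"], "count": 0, "peers": set()})
                entry["count"] += 1
                peer = PEER_RE.search(msg)
                if peer:
                    entry["peers"].add(peer.group(1))
                break
    for entry in found.values():
        entry["peers"] = sorted(entry["peers"])
    return found


def report(lines):
    """Return one human-readable line per failure mode, in order of first appearance."""
    out = []
    for mode, e in classify(lines).items():
        peers = ", ".join(e["peers"]) or "peer not shown"
        out.append(f"{e['first_seen']}  {mode} x{e['count']}  [{peers}]  -> {e['hint']}")
    return out


# Constructed sample modelled on the post's debug output, using documentation addresses.
SAMPLE_DEBUG = """\
.Aug  3 22:39:56: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.0.2.1 remote 198.51.100.7)
.Aug  3 22:39:56: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 198.51.100.7)
.Aug  3 22:43:27: ISAKMP: reserved not zero on ID payload!
.Aug  3 22:43:27: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 198.51.100.7 failed its sanity check or is malformed
.Aug  3 22:46:46: ISAKMP:(2046):atts are acceptable.
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 192.0.2.1 remote 198.51.100.7)
.Aug  3 22:46:46: ISAKMP:(2046):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2225914040, message ID = 31785139
"""

if __name__ == "__main__":
    for line in report(SAMPLE_DEBUG.splitlines()):
        print(line)
```

To use it on a real session, capture the terminal output of debug crypto isakmp to a file and pass its lines to report(); the mode that appears first is usually the one to fix first, since a phase 1 failure prevents anything later from being negotiated.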

MTU problems

If you find that short data connections get through but large ones do not (e.g. web pages return only partially), then it's likely you have an MTU problem. In the Virtual-Template1 configuration stanza, try changing the MTU from 1398 down to 1300 or even 1200. Other MTU optimisation strategies exist, but are beyond the scope here.

41 comments:

  1. Hello.
    Could you possibly send me a sample configuration of a Cisco 877 with IPSec Xauth send-PSK.
    What would change as opposed to your config, or added.
    Thank you. My Contact: Olaf@kaergernet.de

  2. And one of the many benefits of the virtual private network is to get more information about VPN at itday.com.
    that it ensures that a right amount of security to all the systems that are connected when the infrastructure present alone cannot provide that.

  3. My experience of connecting a native Android VPN to a Cisco Router was also a painful one and that’s why I got best free VPN with help of hidemyass vpn review online. It actually worked for me and I recommend it to everybody in need.

  4. This comment has been removed by the author.

  5. I want to say thanks for beautiful blog sharing with us. Your blog really great resource to update my knowledge. allerta privacy

  6. Impressive web site, Distinguished feedback that I can tackle. I am moving forward and may apply to my current job as a pet sitter, which is very enjoyable, but I need to additional expand. Regards vpn veteran

  7. Android VPN's aren't just for mobile phones The Android OS powers more than just mobile phones. You'll also have your choice of tablets and notebooks. An Android best VPN for torrenting will give you an extra layer of security to get things done without worrying about revealing personal information.

  8. I think that thanks for the valuable information and insights you have so provided here. 192.168.0.254

  9. VPN administrations enable you to associate with any server on the Internet safely. The manner in which they work is by giving you an IP address that is totally anonymized and by scrambling the majority of your correspondence with the VPN server. buy vpn with Ethereum

  10. I am extremely delighted in for this web journal. Its a useful subject. It help me all that much to take care of a few issues. Its chance are so awesome and working style so rapid. bezoek website

  11. Decisions made currently will have durable results, and consideration must be paid to their social and financial effects. https://gizlilikveguvenlik.com

  12. I am all that much satisfied with the substance you have specified. I needed to thank you for this extraordinary article. meer informatie

  13. Thank you for sharing the data which is beneficial for me and others likewise to see. https://internetetsecurite.fr

  14. Your style is so unique in comparison to other people I’ve read
    stuff from. Thanks for posting when you have the opportunity,
    Guess I will just bookmark this page.
    https://www.techlazy.com/free-movie-streaming-sites-no-sign-up-required/

  15. An impressive share! I have just forwarded this onto a coworker who had been doing a little
    homework on this. And he actually ordered me dinner simply because
    I found it for him… lol. So allow me to reword this….
    Thank YOU for the meal!! But yeah, thanks for spending some time to discuss
    this topic here on your blog.
    https://www.techlazy.com/websites-to-watch-free-movies-online-without-downloading/

  16. What a thrilling post. It is extremely chock-full of useful information. Thanks for such a great info. https://192-168-i-i.com/cisco-router-default-password/

  17. "Your style is very unique compared to other folks I’ve read
    stuff from. I appreciate you for posting when you’ve
    got the opportunity, Guess I will just book mark this
    blog."
    fregards:https://www.techlazy.com/live-tv-streaming-sites/

  18. I really like your writing style, great information, thank you for posting. nord vpn free trial

  19. I am truly pleased to read this information which carries lots of helpful data. VPNShazam offers one of the best VPN reseller program which allows clients to start their own VPN service. Visit on free vpn reseller

  20. This comment has been removed by the author.

  21. When talking about business related issues, solutions, and technologies, you will almost always group businesses as small and https://adobe.cheapsoftwaredownload.net/adobe-creative-suite.html. While the separation is there, it won't be wrong to say that in a modern where digital technologies prevail, it should not be a problem for small businesses to compete with large ones.

  22. thanks for this one. i'll add this info on this page. Enjoy

  23. New program for private student loan pays back 100% of your entire debt, this student loan forgiveness program is limited to a select number of citizens per year. It gives people to opportunity of non repayment of loans. buymodafinilonline.reviews

  24. When your business has grown to multiple 6-7-figures, it will require that you begin to step into a CEO and Visionary role to lead your business to higher levels of growth. The business now has a life of its own and if you stay in the doing role too long, you will lose control of your vision. 3d coat render

  25. I really appreciate this post. I've been looking everywhere for this! Thank goodness I found it on Bing. You've made my day! Thanks again facetune app free download

  26. Thanks for every other excellent post. The place else may just anyone get that kind of info in such an ideal manner of writing? I’ve a presentation subsequent week, and I am at the look for such information. free insta likes

  27. I’d should talk to you here. Which is not some thing I do! I quite like reading a post which will make people believe. Also, many thanks permitting me to comment! kinemaster pro free download

  28. Great post, however I was wanting to know if you could write a little more on this subject? I'd be very thankful if you could elaborate a little bit further. Bless you! cotomovies free

  29. And I'm running from a standard users account with strict limitations, which I think may be the limiting factor, but I'm running the cmd as the system I am currently working on. Dead Target unlimited Money

  30. Thanks for making the honest attempt to speak about this. I believe very robust approximately it and want to read more. If it’s OK, as you gain more in depth wisdom, would you thoughts adding extra articles similar to this one with additional information? It might be extremely useful and useful for me and my friends. free patreon

  31. I’m honored to obtain a call from a friend as he identified the important tips shared on your site. Browsing your blog post is a real excellent experience. Many thanks for taking into consideration readers at all like me, and I wish you the best of achievements as being a professional domain. how to download Tweakbox

  32. Great post, however I was wanting to know if you could write a little more on this subject? I'd be very thankful if you could elaborate a little bit further. Bless you! youtube ++ ios

  33. My spouse and I absolutely love your blog and find nearly all of your post’s to be exactly what I’m looking for. Does one offer guest writers to write content for you personally? I wouldn’t mind creating a post or elaborating on a lot of the subjects you write with regards to here. Again, awesome weblog! video star free effects

  34. I like this site very much so much excellent information. btd battles glitch

  35. Cheap Replica Handbags You guide me by sharing this toolbox i face problem whenever i exploit this promotion reading your blog i am able to easily use. mortal kombat x souls glitch

  36. You actually make it seem so easy with your presentation but I find this topic to be really something that I think I would never understand. It seems too complicated and extremely broad for me. I am looking forward for your next post, I will try to get the hang of it! putlocker

  37. Last month, when i visited your blog i got an error on the mysql server of yours.*~,”* how to get free Plague Inc.

  38. I am only commenting to let you know of the remarkable experience our girl encountered reading the blog. She noticed many pieces, which included how it is like to possess an amazing giving nature to get certain people really easily learn certain multifaceted things. You undoubtedly exceeded visitors’ desires. I appreciate you for rendering the important, healthy, informative as well as easy tips about the topic to Kate. how to get apple music free

  39. seaport hack Excellent trick this great friend, this was what I was looking for a long time and finally something that works. I recommend them all if it is real is not a lie. Thanks friend. Keep it up

  40. When do you think this Real Estate market will go back in a positive direction? Or is it still too early to tell? We are seeing a lot of housing foreclosures in Altamonte Springs Florida. What about you? Would love to get your feedback on this. how to get YouTube++ on iphone

  41. Heya i’m for the first time here. I found this board and I to find It truly helpful & it helped me out a lot. I hope to provide something back and aid others such as you helped me. how to hack pokemon go
