Saturday, 3 August 2013

Native Android VPN to a Cisco Router

Getting IPSec VPN connectivity between two devices is always a painful experience, somewhat akin to a root canal. So I eventually roused up the courage and decided to try to get the Android 4.x native VPN client to connect to a Cisco 877 at home. A few four-letter words and some blasphemy later, I finally had success!

The below example should help anyone else having problems getting this working.

The topology is drawn below. It's very simple, consisting of:
  • A Cisco 877 running 12.4(24)T1 (advanced IP services), attached to an ADSL line on the public side, with a LAN in RFC1918 space internally. A simple NAT configuration sits between public and private.
  • An Android phone (in my case a Galaxy S3 running 4.1.2 stock) with a 3G SIM. My carrier runs CG-NAT, yet the setup still works.

In order to use this example in your setup, you need to determine the following variables:
  • Gateway address - The public IP address of the Cisco's WAN interface. (e.g
  • Gateway interface - The name of the Cisco's WAN interface. (e.g. Dialer0)
  • LAN interface - The name of the LAN interface on the Cisco. (e.g. Ethernet0)
  • LAN subnet - The subnet of the LAN interface. (e.g
  • IPSec PSK - A shared secret (key) for the IPSec/ISAKMP session.
  • L2TP username - A username for the L2TP layer of the session.
  • L2TP password - A password for the L2TP layer of the session.
  • Pool addresses - A range of (RFC1918) IP addresses to assign to Android VPN endpoints. Ideally unused addresses in the LAN subnet.

Cisco configuration:

vpdn enable
vpdn-group l2tpvpn
 ! accept-dialin makes this group terminate incoming L2TP tunnels (LNS role).
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation always
 l2tp tunnel hello 15
 no l2tp tunnel authentication
 l2tp ip udp checksum
 ip pmtu
 ip mtu adjust
! Enter L2TP username and password below.
username [l2tp_user] privilege 15 password [l2tp_pass]
crypto keyring l2tp
 ! Enter IPSec pre-shared key below.
 pre-shared-key address key [ipsec_psk]
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 3600 periodic
crypto isakmp profile l2tp
 keyring l2tp
 match identity address
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto dynamic-map dynvpn 1
 set nat demux
 set transform-set L2TP-TS
 set isakmp-profile l2tp
crypto map CRYPTOMAP 20 ipsec-isakmp dynamic dynvpn
! Use your public WAN interface.
interface Dialer0
 crypto map CRYPTOMAP
interface Virtual-Template1
 ! Below, specify the internal LAN interface.
 ip unnumbered Ethernet0
 ip proxy-arp
 ip mtu 1398
 peer default ip address pool VPN
 ppp mtu adaptive
 ppp authentication pap ms-chap ms-chap-v2 chap
! Specify the first and last IP address to assign.
ip local pool VPN [first_address] [last_address]
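The config above is a chain of named objects (keyring, ISAKMP profile, transform set, dynamic map, crypto map, pool, virtual template) that reference each other by name, and a typo in any one of them only shows up later as a rejected phase 2 proposal or a failed PPP negotiation. The following Python script is an added example, not part of the original post and not a Cisco tool: it lints a config listing for references to undefined names, definitions nothing references, and [placeholders] still left unfilled. The bracketed placeholder convention and the trimmed sample config are taken from this post.

```python
import re

# Constructed sample: the cross-referencing lines of the router config in this
# post, trimmed to what the lint inspects; the [placeholders] are the post's own.
SAMPLE_CONFIG = """\
vpdn-group l2tpvpn
 accept-dialin
  protocol l2tp
  virtual-template 1
username [l2tp_user] privilege 15 password [l2tp_pass]
crypto keyring l2tp
 pre-shared-key address key [ipsec_psk]
crypto isakmp profile l2tp
 keyring l2tp
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto dynamic-map dynvpn 1
 set transform-set L2TP-TS
 set isakmp-profile l2tp
crypto map CRYPTOMAP 20 ipsec-isakmp dynamic dynvpn
interface Dialer0
 crypto map CRYPTOMAP
interface Virtual-Template1
 peer default ip address pool VPN
ip local pool VPN [first_address] [last_address]
"""

# Lines that define a named object, keyed by object kind.
DEFINITIONS = {
    "keyring": re.compile(r"^crypto keyring (\S+)"),
    "isakmp-profile": re.compile(r"^crypto isakmp profile (\S+)"),
    "transform-set": re.compile(r"^crypto ipsec transform-set (\S+)"),
    "dynamic-map": re.compile(r"^crypto dynamic-map (\S+) \d+"),
    "crypto-map": re.compile(r"^crypto map (\S+) \d+ "),
    "pool": re.compile(r"^ip local pool (\S+)"),
    "virtual-template": re.compile(r"^interface Virtual-Template(\d+)"),
}

# Lines that refer to one of those objects by name.
REFERENCES = {
    "keyring": re.compile(r"^keyring (\S+)"),
    "isakmp-profile": re.compile(r"^set isakmp-profile (\S+)"),
    "transform-set": re.compile(r"^set transform-set (\S+)"),
    "dynamic-map": re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    "crypto-map": re.compile(r"^crypto map (\S+)$"),   # interface-level attach
    "pool": re.compile(r"^peer default ip address pool (\S+)"),
    "virtual-template": re.compile(r"^virtual-template (\d+)"),
}

PLACEHOLDER = re.compile(r"\[([a-z0-9_]+)\]")


def collect(config):
    """Walk the config once and gather definitions and references per kind."""
    defined = {kind: set() for kind in DEFINITIONS}
    referenced = {kind: set() for kind in REFERENCES}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # skip blanks and comments
            continue
        for kind, pat in DEFINITIONS.items():
            m = pat.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, pat in REFERENCES.items():
            m = pat.match(line)
            if m:
                referenced[kind].add(m.group(1))
    return defined, referenced


def lint(config):
    """Return dangling references, unused definitions and unfilled placeholders."""
    defined, referenced = collect(config)
    dangling = sorted((k, n) for k in referenced for n in referenced[k] - defined[k])
    unused = sorted((k, n) for k in defined for n in defined[k] - referenced[k])
    placeholders = sorted(set(PLACEHOLDER.findall(config)))
    return {"dangling": dangling, "unused": unused, "placeholders": placeholders}


if __name__ == "__main__":
    for key, items in lint(SAMPLE_CONFIG).items():
        print(f"{key}: {items}")
```

On the post's config the lint reports no dangling or unused names and lists the five placeholders still to be filled; misspell the transform set in `set transform-set` and it reports both the dangling reference and the now-unreferenced definition, which is exactly the kind of mistake the "IPSec policy invalidated proposal" messages in the debugging section point at.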

Android configuration:

  1. Open Settings -> More settings
  2. Select VPN
  3. Select Add VPN network
  4. Set the following attributes:
    1. Name: a convenient name for the connection. Doesn't have to be related to anything above.
    2. Type: L2TP/IPSec PSK
    3. Server address: The WAN address of the Cisco router.
    4. L2TP Secret: Leave blank.
    5. IPSec identifier: Leave blank.
    6. IPSec pre-shared key: The IPSEC PSK from above.
    7. DNS search domains: Leave blank.
    8. DNS servers: Leave blank.
    9. Forwarding routes: The LAN subnet per above.
    10. Save the connection settings.

Connecting:

  1. Open Settings -> More settings
  2. Select VPN
  3. Select the connection you created.
  4. Enter the L2TP username and L2TP password from above.
  5. Press Connect.
  6. After a while, the connection status should show as Connected and things should work.

IPSec rarely comes up the first time; there's often some tweaking to be done to make the protocol(s) happy. Debugging can help narrow down where the problem lies.

The first thing to do (after verifying the config) is to enable ISAKMP debugging. This shows whether the first phase of the connection is successful. In particular, the following message is a good clue:

.Aug  3 22:39:56: ISAKMP:(0): phase 1 SA policy not acceptable! (local remote
.Aug  3 22:39:56: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
.Aug  3 22:39:56: ISAKMP:(0): Failed to construct AG informational message.
.Aug  3 22:39:56: ISAKMP:(0): sending packet to my_port 500 peer_port 61824 (R) MM_NO_STATE
.Aug  3 22:39:56: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Aug  3 22:39:56: ISAKMP:(0):peer does not do paranoid keepalives.
.Aug  3 22:39:56: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer

This generally means that the parameters in the 'crypto isakmp policy 1' statement don't match what the phone offers. The preceding debug messages show the proposals received from the phone; you need to ensure the Cisco is configured to accept one of them.

Another clue is the following sequence of messages:

.Aug  3 22:43:27: ISAKMP (2045): received packet from dport 4500 sport 56928 Global (R) MM_KEY_EXCH
.Aug  3 22:43:27: ISAKMP: reserved not zero on ID payload!
.Aug  3 22:43:27: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed
.Aug  3 22:43:27: ISAKMP (2045): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

This tends to indicate a mismatch of the pre-shared key. Be sure the key entered on the phone and the key in the router's keyring are the same.

The following messages can indicate a typo in the router config:

.Aug  3 22:46:46: ISAKMP:(2046):atts are acceptable.
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): phase 2 SA policy not acceptable! (local remote
.Aug  3 22:46:46: ISAKMP: set new node 31785139 to QM_IDLE      
.Aug  3 22:46:46: ISAKMP:(2046):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2225914040, message ID = 31785139

This is generally indicative of a problem at the next layer. Enable 'debug l2tp error' for messages from that layer. If this still doesn't reveal the problem, 'debug ppp authen' and 'debug ppp error' can track it down further.
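The three excerpts above each point at a different layer (phase 1 policy, pre-shared key, phase 2 proposal), and on a busy router the relevant lines are interleaved with hundreds of others. As an added example, not code from the post or from Cisco, the following Python script turns that reading into a triage step: it groups the router's ISAKMP debug output by ISAKMP SA id, attributes syslog lines that carry no id to the SA of the preceding line, records the first diagnosis each SA's messages match, and counts the "attempt N of 5" retries. The diagnosis strings restate the interpretation the post gives; the sample input is the post's own excerpts, trimmed to one copy of each repeated line.

```python
import re

# Constructed sample: the three debug excerpts quoted in this post, trimmed to
# one copy of each repeated line. Each excerpt came from a separate attempt,
# so they carry different ISAKMP SA ids (0, 2045, 2046).
SAMPLE_DEBUG = """\
.Aug  3 22:39:56: ISAKMP:(0): phase 1 SA policy not acceptable! (local remote
.Aug  3 22:39:56: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
.Aug  3 22:39:56: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
.Aug  3 22:43:27: ISAKMP (2045): received packet from dport 4500 sport 56928 Global (R) MM_KEY_EXCH
.Aug  3 22:43:27: ISAKMP: reserved not zero on ID payload!
.Aug  3 22:43:27: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed
.Aug  3 22:43:27: ISAKMP (2045): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
.Aug  3 22:46:46: ISAKMP:(2046):atts are acceptable.
.Aug  3 22:46:46: ISAKMP:(2046): IPSec policy invalidated proposal with error 8
.Aug  3 22:46:46: ISAKMP:(2046): phase 2 SA policy not acceptable! (local remote
.Aug  3 22:46:46: ISAKMP:(2046):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

SA_ID = re.compile(r"ISAKMP[: ]*\((\d+)\)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+)")

# Ordered rules: the first rule a line matches wins. The diagnoses restate
# what the post says each message usually means.
RULES = [
    (re.compile(r"phase 1 SA policy not acceptable"), "phase1",
     "ISAKMP policy mismatch: compare 'crypto isakmp policy' (encr, hash, "
     "group, auth) with the proposals logged just before this line"),
    (re.compile(r"reserved not zero on ID payload|IKMP_BAD_MESSAGE"), "psk",
     "pre-shared key mismatch: the ID payload did not decrypt to something sane"),
    (re.compile(r"IPSec policy invalidated proposal|phase 2 SA policy not "
                r"acceptable|PROPOSAL_NOT_CHOSEN"), "phase2",
     "phase 2 proposal rejected: check transform-set/crypto map names, then "
     "'debug l2tp error' and 'debug ppp authen' for the next layer"),
]


def triage(debug_text):
    """Group debug lines by ISAKMP SA id and return the first diagnosis per SA."""
    findings = {}
    current_sa = None
    for lineno, line in enumerate(debug_text.splitlines(), 1):
        m = SA_ID.search(line)
        if m:
            current_sa = m.group(1)
        # Lines without an SA id (the %CRYPTO syslog message) belong to the SA
        # that produced the preceding debug line.
        sa = current_sa if current_sa is not None else "?"
        f = findings.setdefault(sa, {"stage": None, "diagnosis": None,
                                     "line": None, "hits": 0, "attempts": 0})
        a = ATTEMPT.search(line)
        if a:
            f["attempts"] = max(f["attempts"], int(a.group(1)))
        for pattern, stage, diagnosis in RULES:
            if pattern.search(line):
                f["hits"] += 1
                if f["stage"] is None:
                    f.update(stage=stage, diagnosis=diagnosis, line=lineno)
                break
    # Drop SAs whose lines matched no rule (purely informational output).
    return {sa: f for sa, f in findings.items() if f["stage"] is not None}


if __name__ == "__main__":
    for sa, f in triage(SAMPLE_DEBUG).items():
        print(f"SA {sa}: {f['stage']} at line {f['line']} "
              f"({f['hits']} matching lines, {f['attempts']} retries): {f['diagnosis']}")
```

Feeding it a captured debug session gives one line per failed SA with the earliest failing stage, which is the one to fix first: a phase 2 finding on an SA that never got past phase 1 cannot occur, so the stage order also tells you how far the negotiation got.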

MTU problems

If you find that short data connections get through but large ones don't (e.g. web pages load only partially), it's likely you have an MTU problem. In the Virtual-Template1 configuration stanza, try lowering the MTU from 1398 to 1300 or even 1200. Other MTU optimisation strategies exist, but are beyond the scope here.
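Why 1398, and when is 1300 or 1200 warranted? As an added example (my own code, not the post's), the following Python script makes the arithmetic explicit: it totals the ESP transport-mode, NAT-T, L2TP and PPP headers the tunnel wraps around each inner IP packet, rounds the ESP payload up to the AES block size, and reports the largest inner packet that fits a given path MTU. The IP, UDP and ESP field sizes are the protocol constants for AES-CBC with HMAC-SHA1-96; that NAT-T is in use (the phone sits behind CG-NAT), a 6-byte L2TP data header and a 4-byte PPP header are assumptions and are parameters you can change.

```python
# Assumed per-packet overhead, in bytes, for the tunnel this post builds:
# L2TP over IPsec ESP in transport mode, NAT-T (the phone sits behind CG-NAT),
# AES-CBC and HMAC-SHA1-96. IP/UDP/ESP sizes are the protocol constants; the
# L2TP and PPP header sizes are assumptions (L2TPv2 data header without
# length or sequence fields, PPP with address/control and a 2-byte protocol).
OUTER_IP = 20      # IPv4 header (transport mode reuses the original header)
NAT_T_UDP = 8      # UDP/4500 NAT-T encapsulation
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16        # AES-CBC initialisation vector
AES_BLOCK = 16     # payload + padding + trailer is padded to this
ESP_TRAILER = 2    # pad length + next header
SHA1_ICV = 12      # HMAC-SHA1-96 integrity check value
L2TP_UDP = 8       # UDP/1701 header carried inside ESP
L2TP_HDR = 6       # L2TPv2 data header (assumption)
PPP_HDR = 4        # PPP address/control + protocol (assumption)

FIXED_OUTER = OUTER_IP + NAT_T_UDP + ESP_HDR + AES_IV + SHA1_ICV   # 64 bytes
INNER_WRAP = L2TP_UDP + L2TP_HDR + PPP_HDR                        # 18 bytes


def outer_packet_size(inner_ip_len):
    """Size on the wire of one inner IP packet after L2TP/IPsec encapsulation."""
    plaintext = INNER_WRAP + inner_ip_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK     # round up to a block
    return FIXED_OUTER + padded


def max_inner_ip_mtu(path_mtu):
    """Largest inner IP packet whose encapsulation still fits path_mtu."""
    budget = path_mtu - FIXED_OUTER
    padded = budget - budget % AES_BLOCK                 # round down to a block
    return padded - ESP_TRAILER - INNER_WRAP


def fits(inner_ip_len, path_mtu):
    """True if an inner packet of this size needs no fragmentation on the path."""
    return outer_packet_size(inner_ip_len) <= path_mtu


if __name__ == "__main__":
    # 1492 is a typical PPPoE ADSL MTU, 1500 plain Ethernet, 1280 the IPv6 minimum
    for path_mtu in (1500, 1492, 1280):
        print(f"path MTU {path_mtu}: max inner IP MTU {max_inner_ip_mtu(path_mtu)}")
    for mtu in (1398, 1300, 1200):          # the values the post suggests trying
        print(f"ip mtu {mtu}: {outer_packet_size(mtu)} bytes on the wire")
```

Against a 1492-byte path the ceiling comes out at 1404 bytes, so the post's `ip mtu 1398` fits with a few bytes to spare; because of the block rounding, 1500 gives the same ceiling. Dropping to 1300 or 1200 only helps when the real path MTU is lower than the router's WAN interface MTU (the 3G side is the usual suspect), and the function shows how much lower it would have to be before each value is needed.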


  1. Hello.
    Could you possibly send me a sample configuration of a Cisco 877 with IPSec Xauth send-PSK?
    What would change compared to your config, or be added?
    Thank you. My Contact:

  2. And one of the many benefits of the virtual private network is to get more information about VPN at
    that it ensures that a right amount of security to all the systems that are connected when the infrastructure present alone cannot provide that.

  3. My experience of connecting a native Android VPN to a Cisco Router was also a painful one and that’s why I got best free VPN with help of hidemyass vpn review online. It actually worked for me and I recommend it to everybody in need.

  4. This comment has been removed by the author.

  5. I want to say thanks for beautiful blog sharing with us. Your blog really great resource to update my knowledge. allerta privacy

  6. Impressive web site, Distinguished feedback that I can tackle. I am moving forward and may apply to my current job as a pet sitter, which is very enjoyable, but I need to additional expand. Regards vpn veteran

  7. Android VPN's aren't just for mobile phones The Android OS powers more than just mobile phones. You'll also have your choice of tablets and notebooks. An Android best VPN for torrenting will give you an extra layer of security to get things done without worrying about revealing personal information.

  8. I think that thanks for the valuable information and insights you have so provided here.

  9. VPN administrations enable you to associate with any server on the Internet safely. The manner in which they work is by giving you an IP address that is totally anonymized and by scrambling the majority of your correspondence with the VPN server. buy vpn with Ethereum

  10. I am extremely delighted in for this web journal. It's a useful subject. It helped me all that much to take care of a few issues. Its chance are so awesome and working style so rapid. bezoek website

  11. Decisions made currently will have durable results, and consideration must be paid to their social and financial effects.

  12. I am all that much satisfied with the substance you have specified. I needed to thank you for this extraordinary article. meer informatie

  13. Thank you for sharing the data which is beneficial for me and others likewise to see.

  14. Your style is so unique in comparison to other people I’ve read
    stuff from. Thanks for posting when you have the opportunity,
    Guess I will just bookmark this page.

  15. An impressive share! I have just forwarded this onto a coworker who had been doing a little
    homework on this. And he actually ordered me dinner simply because
    I found it for him… lol. So allow me to reword this….
    Thank YOU for the meal!! But yeah, thanks for spending some time to discuss
    this topic here on your blog.

  16. What a thrilling post. It is extremely chock-full of useful information. Thanks for such a great info.

  17. "Your style is very unique compared to other folks I’ve read
    stuff from. I appreciate you for posting when you’ve
    got the opportunity, Guess I will just book mark this

  18. I really like your writing style, great information, thank you for posting. nord vpn free trial

  19. I am truly pleased to read this information which carries lots of helpful data. VPNShazam offers one of the best VPN reseller program which allows clients to start their own VPN service. Visit on free vpn reseller

  20. This comment has been removed by the author.

  21. When talking about business related issues, solutions, and technologies, you will almost always group businesses as small and While the separation is there, it won't be wrong to say that in a modern where digital technologies prevail, it should not be a problem for small businesses to compete with large ones.