Cisco – Connect to Cisco ASA 8.2 VPN with Android 2.1 L2TP/IPsec


I am trying to configure my Cisco ASA 5510 running software version 8.2 to allow my Droid X to connect via L2TP/IPSec VPN. I have configured the DefaultRAGroup like so:

tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 default-group-policy droid
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2

and the associated group policy:

group-policy droid internal
group-policy droid attributes
 wins-server value (ip omitted)
 dns-server value (ip omitted)
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall

Watching the log while I try to connect from my phone, I get to "PHASE 2 COMPLETED" but then nothing else happens, and after a few more seconds, the phone says the connection failed. With full ipsec, isakmp, and l2tp debugs, I can see the IKE negotiation complete successfully and the IPSec SA established, then there are these messages:

IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701> 
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <72.121.92.238> mask <255.255.255.255> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1>  np_rule_id <0xd84fa348>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1>  np_rule_id <0xd850ad08>

…and nothing else happens. No L2TP traffic flows, and there are no error messages. Inspecting "show vpn-sessiondb" indicates the ASA believes it has established ISAKMP and IPSec associations, but there are no L2TP/IPSec sessions. Has anyone gotten this working, or, failing that, any ideas for how to further troubleshoot this problem?

Edit: Additional testing has shown that it works with a non-Android L2TP client, it works from the Droid X over WiFi, but it does NOT work from the Droid X over Verizon's wireless data network. I have filed a bug in the Android tracker here: http://code.google.com/p/android/issues/detail?id=9950

Best Answer

The problem is the split tunneling. I'm actually surprised you got it working in the first place with the stock vpn client. It's crap.

Anyway, the major carriers usually assign a private 10.0.0.0/8 ip to their devices, so when you try to split tunnel it fails as it can't determine what's tunneled and what's not. Enjoy.
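The following is an added example, not code from either poster or from Cisco. It pulls the peer IP and port the ASA pinned its L2TP rules to out of debug output shaped like the lines in the question, flags when the handset's own address is in a carrier-style private block (RFC 1918 or the 100.64.0.0/10 shared space) while the ASA sees a public peer, which means a NAT sits between them, and lists any split-tunnel networks that overlap the handset's local subnet as the answer describes. The sample debug text, the client address and the split-tunnel list are constructed inputs.

```python
import ipaddress
import re

# Constructed sample in the shape of the ASA "debug l2tp" lines quoted in the question.
SAMPLE_DEBUG = """\
IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
"""

RULE_RE = re.compile(r"peer IP (\d+\.\d+\.\d+\.\d+), peer port (\d+)")

# Blocks a carrier may assign to a handset behind NAT: RFC 1918 plus RFC 6598 shared space.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_l2tp_peers(debug_text):
    """Return the distinct (ip, port) pairs the ASA bound its L2TP PERMIT/PUNT rules to."""
    return sorted({(ip, int(port)) for ip, port in RULE_RE.findall(debug_text)})


def is_carrier_private(addr):
    """True when addr lies in one of the private/shared blocks a carrier hands out."""
    return any(ipaddress.ip_address(addr) in blk for blk in PRIVATE_BLOCKS)


def split_tunnel_conflicts(client_cidr, split_networks):
    """Split-tunnel networks that overlap the client's own local subnet.

    A handset on a 10.x.x.x carrier address with 10.0.0.0/8 in its split list
    cannot tell tunneled traffic from local traffic; those entries are returned.
    """
    local = ipaddress.ip_network(client_cidr, strict=False)
    return [n for n in split_networks if ipaddress.ip_network(n).overlaps(local)]


def diagnose(debug_text, client_cidr, split_networks):
    """Summarise the NAT and split-tunnel picture for one connection attempt."""
    peers = parse_l2tp_peers(debug_text)
    client_addr = client_cidr.split("/")[0]
    peer_is_public = bool(peers) and not is_carrier_private(peers[0][0])
    client_is_private = is_carrier_private(client_addr)
    return {
        "rule_peers": peers,
        # public peer + private client address => a NAT sits between handset and ASA
        "nat_between": peer_is_public and client_is_private,
        "split_conflicts": split_tunnel_conflicts(client_cidr, split_networks),
    }
```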