Android Forums > Android Phones > Sony Ericsson Xperia Mini

February 3rd, 2012, 05:44 PM   #1
Posted by henkiee (New Member, Thread Author; joined Feb 2012)

How to connect Xperia Mini VPN to Cisco ASA 5505 (8.4.2)

After two nights I finally got the Xperia Mini VPN client connected to a Cisco ASA 5505.

So I thought, let's share this for whoever is interested (text mostly from another forum, adjusted):

1. Install OpenSSL & MS Visual C++ 2008 Redistributable
(needed to create certificate)

Note: all OpenSSL certificate commands in this article are executed in the C:\OpenSSL-Win32\bin folder.

Open a DOS box (cmd) and go to the folder C:\OpenSSL-Win32\bin
Type:
Code:
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
2. Create the CA key pair. The key file is password protected, so give a password for the key file when queried by OpenSSL.
Code:
openssl genrsa -out CA_key.pem -des3 2048
3. Create a self-signed certificate for the CA.
Code:
openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem
4. To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password used when originally creating the key file in step 2. The command also asks for the details of the DN (Distinguished Name) of the certificate. Use for example the following values:

Country Code = US
State = TX
Locality = Houston
Organization = Company
Organizational Unit = OU
Common Name = COMMONCA
Email Address = <leave empty>

5. Create a Client Certificate Request

Create a key pair for the client. The key file is password protected, so give a password for the key file when queried by OpenSSL.
Code:
openssl genrsa -out client_key.pem -des3 2048
6. Create a certificate request for a client certificate.
Code:
openssl req -new -key client_key.pem -out client_csr.pem
7. To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password used when originally creating the key file in step 1. The command also asks for the details of the DN (Distinguished Name) of the certificate. Use for example the following values:

Country Code = US
State = TX
Locality = Houston
Organization = Company
Organizational Unit = OUAndroid
Common Name = AndroidClient
Email Address = <leave empty>

Note that by default Cisco uses the Organizational Unit field as the name of the VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "OUAndroid" on the ASA. OpenSSL also asks for values for the optional "challenge password" and "company name" fields. Leave these fields blank.

8. To sign the client's certificate request using the CA's key, use the following command:
Code:
openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq
The CA key file's password is needed; give the password originally used when creating the CA's key pair.

9. Transform the .pem format certificate into a PKCS#12 file:
Code:
openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem
The PKCS#12 file is now ready to be imported on an Android device:
- Copy client_crt.p12 to the root of the SD card
- Go to Settings: Location & Security / Install Certificate from SD card
- Enter the password to unpack and install the certificate

10. Import the CA Certificate to Cisco ASA

Log in to Cisco ASA using ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.

Click Add, and in the Install from a file field, browse to the CA certificate file created previously. The trustpoint name can be left as the default, or it can be changed to something more descriptive.

Click Install Certificate. (client_crt.pem in the \bin folder)

11. Create a Server Certificate Request

In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select Add a new identity certificate. There is a bug in the ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected than the one used for the CA certificate. The certificate will be moved to the same trustpoint manually later.

Select the subject DN fields by clicking Select. Add the same values as for the client, except for the Common Name (CN) field. Use e.g. "ciscoasa" there (my default Cisco hostname).

Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem" (in the \bin folder)

12. Sign the Server Certificate Request Using the CA

To sign the server's certificate request using the CA's key, use the following command:
Code:
openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq
The CA key file's password is needed; give the password originally used when creating the CA's key pair.

13. Install the Server Certificate in Cisco ASA

In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate and click Install.
Browse for the signed certificate file and click Install Certificate.
The identity certificate is still in the wrong trustpoint. It must be manually moved to the same trustpoint as the server certificate. Open an SSH or Telnet connection to the ASA and run the command (all commands are expected to be executed in enable and/or configure mode):

Code:
sh run crypto
In the output, both trustpoints created previously should be visible, with one certificate each, like the following:

crypto ca certificate chain ASDM_Trustpoint0
certificate ca <ID>
<cert contents>
quit
crypto ca certificate chain ASDM_Trustpoint1
certificate <ID>
<cert contents>
quit

Copy the certificate in the temporary trustpoint (ASDM_Trustpoint1) to the clipboard, starting from the line beginning with word "certificate" and ending with the line starting with "quit".

Enter the configuration mode (command "conf t") and modify the real trustpoint (named ASDM_Trustpoint0 in this example):
Code:
crypto ca certificate chain ASDM_Trustpoint0
Paste the certificate copied to the clipboard. Execute the command "exit" to leave trustpoint configuration.

Remove the identity certificate from the temporary trustpoint:
Code:
crypto ca certificate chain ASDM_Trustpoint1
no certificate <ID>
exit
Remove the temporary trustpoint:
Code:
no crypto ca trustpoint ASDM_Trustpoint1
At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
crypto ca certificate chain ASDM_Trustpoint0
certificate <ID>
<certificate contents>
quit
certificate ca <ID>
<certificate contents>
quit

Save the config (exit, write mem). Refresh the configuration in ASDM and verify there as well that the certificates are under the same trustpoint.

14. As the last part, a short checklist of all the locations that need some configuration in ASDM:

Create IPsec Transform sets
Android uses IPsec transport mode, so there need to be transform sets with transport mode enabled. Configure these transform sets: ESP-AES-128-SHA-TRANSP and ESP-3DES-SHA-TRANSP. (I named them android 1 & 2)

Create IKE Policy
A specific IKE Policy is needed. Configure a policy with these values:
Encryption: 3DES
Hash: SHA
Authentication: rsa-sig
D-H Group: 2

Check IKE Parameters
Check that IKE is enabled on the WAN interface and that NAT-T is enabled.
Also see below for how to enable it.

Run the AnyConnect VPN Wizard:

-Connection Profile: OUAndroid (as specified in the certificate)
-VPN Protocols: SSL + IPSEC and choose the certificate
-Add a client image (for example anyconnect-linux-2.3xxxk9-pkg)
* only needed to continue the wizard *
-AAA server Groups: LOCAL and create a user
-Client Address: assign a DHCP pool for the connected clients
-DNS: optional
-NAT exempt: Exempt VPN traffic ON (choose right interface)
-Allow Web Launch: NO

Further settings:
Enable IKEv1 on the designated interface:
Code:
crypto ikev1 enable <interface>
Remote Access VPN - IPSec(IKEv1) Connection Profiles:

Edit OUAndroid profile:

Basic: check that "Identity Certificate" still holds the certificate
Under Advanced - IPSec, set IKE Peer ID Validation to Do not check.
Under Advanced - IPSec, set IKE keepalives to Disable keepalives.
Under Advanced - PPP, select only PAP.

Site to Site VPN - Crypto Maps:

Check that the IKEv1 IPsec transform sets are selected (in my case sets android 1 & 2):

dynamic: 65535.65535 1 any any ip Protect android1 android2 AES256 AES192 AES 3DES DES

Group Policies (above): edit the OUAndroid policy
Select only IPsec IKEv1 & L2TP/IPsec

example:
GroupPolicy_OUAndroid Internal l2tp-ipsec;ikev1 OUAndroid

On the Xperia:

Go to Wireless connections / VPN settings:
Add VPN
Choose VPN L2TP/IPSec CRT
Enter a VPN name (can be anything)
VPN server: IP of the Cisco ASA VPN server
Select the user certificate (imported on the phone)
Select the CA certificate (imported on the phone)

Press the lower right button on the Xperia and SAVE

Connect with username and password and if all goes well you're connected!

Good luck

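The certificate work in steps 2 to 9 and 12 of the post above, scripted end to end, as an added example that is not part of the original post. It is written for a POSIX shell (Git Bash or WSL on Windows, or any Linux box) with openssl on PATH rather than for the cmd prompt the post uses; the DNs are the ones from the post, the tunnel-group name is taken from the client OU as the post describes, and the passphrases, output folder and the locally generated stand-in for the ASA's server CSR are assumptions for the sake of running unattended. It finishes with the checks a practitioner wants before importing anything: both leaf certificates chain to CA_crt.pem, the two serials differ, and the client OU really equals the tunnel-group name.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-9 and 12 scripted for a POSIX
# shell with openssl on PATH, followed by the checks the post does by eye.
# Passphrases come from environment variables only so the script runs unattended;
# the default values below are constructed demo secrets, not real ones.
set -eu

WORK="${WORK:-$(mktemp -d)}"                    # output folder (the post uses C:\OpenSSL-Win32\bin)
CA_PASS="${CA_PASS:-ca-demo-pass}"              # constructed; protects CA_key.pem
CLIENT_PASS="${CLIENT_PASS:-client-demo-pass}"  # constructed; protects client_key.pem
P12_PASS="${P12_PASS:-p12-demo-pass}"           # constructed; asked for when the phone imports the .p12
TUNNEL_GROUP="${TUNNEL_GROUP:-OUAndroid}"       # becomes the client OU, so it must equal the ASA tunnel group

# Steps 2-3: encrypted CA key and self-signed CA certificate. The DN is passed with
# -subj instead of being typed at the prompts.
make_ca() {
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/CA_key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/CA_key.pem" -passin "pass:$CA_PASS" \
    -subj "/C=US/ST=TX/L=Houston/O=Company/OU=OU/CN=COMMONCA" -out "$WORK/CA_crt.pem"
}

# Steps 5-8: client key, CSR whose OU is the tunnel-group name, signed by the CA.
# -CAcreateserial starts CA.seq; every later signing reads and increments it.
make_client() {
  openssl genrsa -des3 -passout "pass:$CLIENT_PASS" -out "$WORK/client_key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/client_key.pem" -passin "pass:$CLIENT_PASS" \
    -subj "/C=US/ST=TX/L=Houston/O=Company/OU=$TUNNEL_GROUP/CN=AndroidClient" \
    -out "$WORK/client_csr.pem"
  openssl x509 -req -days 365 -in "$WORK/client_csr.pem" -CA "$WORK/CA_crt.pem" \
    -CAkey "$WORK/CA_key.pem" -passin "pass:$CA_PASS" -CAcreateserial -CAserial "$WORK/CA.seq" \
    -out "$WORK/client_crt.pem" 2>/dev/null
}

# Step 9: PKCS#12 bundle (client key + client cert + CA cert) for import on the phone.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/client_key.pem" -passin "pass:$CLIENT_PASS" \
    -in "$WORK/client_crt.pem" -certfile "$WORK/CA_crt.pem" \
    -passout "pass:$P12_PASS" -out "$WORK/client_crt.p12"
}

# Step 12: sign the CSR exported from ASDM. The ASA keeps its private key, so a
# locally generated key/CSR pair stands in for the real server_csr.pem here.
sign_server_csr() {
  openssl genrsa -out "$WORK/server_key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/server_key.pem" \
    -subj "/C=US/ST=TX/L=Houston/O=Company/OU=$TUNNEL_GROUP/CN=ciscoasa" -out "$WORK/server_csr.pem"
  openssl x509 -req -days 365 -in "$WORK/server_csr.pem" -CA "$WORK/CA_crt.pem" \
    -CAkey "$WORK/CA_key.pem" -passin "pass:$CA_PASS" -CAserial "$WORK/CA.seq" \
    -out "$WORK/server_crt.pem" 2>/dev/null
}

# Checks to run before importing anything into the ASA or the phone.
cert_ou() {   # print the OU from a certificate's subject
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}
verify_chain() {   # both leaf certificates must validate against CA_crt.pem
  n=$(openssl verify -CAfile "$WORK/CA_crt.pem" "$WORK/client_crt.pem" "$WORK/server_crt.pem" 2>/dev/null | grep -c ': OK$')
  [ "$n" -eq 2 ]
}
serials_differ() {   # CA.seq must have advanced: two certs from one issuer may not share a serial
  [ "$(openssl x509 -in "$WORK/client_crt.pem" -noout -serial)" != \
    "$(openssl x509 -in "$WORK/server_crt.pem" -noout -serial)" ]
}
ou_matches_tunnel_group() {   # the default OU -> tunnel-group mapping noted under step 7
  [ "$(cert_ou "$WORK/client_crt.pem")" = "$TUNNEL_GROUP" ]
}

run_all() {
  make_ca && make_client && make_p12 && sign_server_csr
  verify_chain && serials_differ && ou_matches_tunnel_group
}

run_all && printf 'OK: client OU=%s, files in %s\n' "$(cert_ou "$WORK/client_crt.pem")" "$WORK"
```

Two caveats for real use: `pass:` arguments are visible in the process list, so outside a throwaway lab let openssl prompt as the post does; and OpenSSL 3.x writes PKCS#12 files with AES-256 and PBKDF2 by default, which Android releases of the Xperia Mini era cannot parse, so on a 3.x build add `-legacy` to the `openssl pkcs12 -export` command to get the older encoding the phone expects.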

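The ASDM checklist in step 14 and the "Further settings" of the post, as the equivalent ASA 8.4 CLI configuration. This is an added example, not configuration from the original post: the WAN interface name "outside", the crypto map name, the address pool, the inside subnet and the local user are assumptions; the transform-set names, IKEv1 policy values, trustpoint name, tunnel-group name and the PAP / peer-id / keepalive settings are the ones the post specifies.

```cisco
! Added example: CLI form of the ASDM steps in section 14 (not from the original post).
! Assumed names: interface "outside", crypto map outside_map, pool 192.168.100.10-20,
! inside subnet 192.168.1.0/24, user "android". Trustpoint ASDM_Trustpoint0 is the one
! that holds both certificates after step 13.
!
! Transport-mode transform sets (the Android L2TP/IPsec client uses transport mode)
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport
!
! Dynamic crypto map on the outside interface (the "dynamic 65535" entry in the post)
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
! IKEv1 on the WAN interface, certificate authentication, NAT-T
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
! Client addresses and a group policy limited to L2TP/IPsec over IKEv1
ip local pool ANDROID_POOL 192.168.100.10-192.168.100.20 mask 255.255.255.0
group-policy GroupPolicy_OUAndroid internal
group-policy GroupPolicy_OUAndroid attributes
 vpn-tunnel-protocol l2tp-ipsec ikev1
!
! Tunnel group named after the client certificate's OU (the default mapping the post relies on)
tunnel-group OUAndroid type remote-access
tunnel-group OUAndroid general-attributes
 address-pool ANDROID_POOL
 authentication-server-group LOCAL
 default-group-policy GroupPolicy_OUAndroid
tunnel-group OUAndroid ipsec-attributes
 ikev1 trust-point ASDM_Trustpoint0
 peer-id-validate nocheck
 isakmp keepalive disable
tunnel-group OUAndroid ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
 no authentication ms-chap-v2
!
! Local user for the PPP (L2TP) login; replace the placeholder password
username android password CHANGEME
username android attributes
 vpn-group-policy GroupPolicy_OUAndroid
!
! NAT exemption for the VPN pool (8.3+ twice-NAT syntax)
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network ANDROID_POOL_NET
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static ANDROID_POOL_NET ANDROID_POOL_NET no-proxy-arp route-lookup
```

After pasting this, `show run tunnel-group OUAndroid` and `show crypto ikev1 sa` are the quickest way to confirm the group name and the Phase 1 proposal the phone negotiates. Note what the post's settings trade away: `peer-id-validate nocheck` means the ASA does not compare the IKE identity against the certificate, `isakmp keepalive disable` removes dead-peer detection, and PAP sends the L2TP username and password in the clear inside the tunnel, so the IPsec layer is the only protection for that credential; all three are what made the stock Android client of that era connect, and the certificate plus the local username are what actually authenticate the device.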