
How to connect Xperia Mini VPN to Cisco ASA 5505 (8.4.2)


    henkiee (New Member)

    After two nights I finally got the Xperia Mini VPN client connected to a CISCO 5505.

    So I thought, let's share this with whoever is interested (text mostly from another forum and adjusted):

    1. Install OpenSSL & MS Visual C++ 2008 Redistributable
    (needed to create certificate)

    Note: All openSSL certificate commands in this article are executed in the C:\OpenSSL-Win32\bin folder

    Open Dosbox (cmd), go to the folder C:\OpenSSL-Win32\bin and type:
    Code (Text):
    set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
     
    2. Create the CA key pair. The key file is password protected, so give some password for the key file when queried by OpenSSL.
    Code (Text):
    openssl genrsa -out CA_key.pem -des3 2048

    3. Create a self-signed certificate for the CA.
    Code (Text):
    openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem
    4. To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 2. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:

    Country Code = US
    State = TX
    Locality = Houston
    Organization = Company
    Organizational Unit = OU
    Common Name = COMMONCA
    Email Address = <leave empty>

    5. Create a Client Certificate Request

    Create a key pair for the client. The key file is password protected, so give some password for the key file when queried by OpenSSL.
    Code (Text):
    openssl genrsa -out client_key.pem -des3 2048
    6. Create a certificate request for a client certificate.
    Code (Text):
    openssl req -new -key client_key.pem -out client_csr.pem

    7. To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 1. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:

    Country Code = US
    State = TX
    Locality = Houston
    Organization = Company
    Organizational Unit = OUAndroid
    Common Name = AndroidClient
    Email Address = <leave empty>

    Note that by default Cisco uses the Organizational Unit field as the name of the VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "OUAndroid" in the ASA. OpenSSL also asks for values for the optional "challenge password" and "company name" fields. Leave these fields blank.

    8. To sign the client's certificate request using the CA's key, use the following command:
    Code (Text):
    openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq
    The CA key file's password is needed; give the password originally used when creating the CA's key pair.

    9. Transform the .pem-format certificate to a pkcs#12 file:
    Code (Text):
    openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem
    The pkcs#12 file is now ready to be imported to an Android device:
    - Copy client_crt.p12 to the root of the SD card
    - Go to Settings: Location & Security / Install Certificate from SD card
    - Enter the password to unpack and install the certificate
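    Steps 1 to 9 above as an added example (not code from the original post): the same openssl commands run non-interactively, followed by two checks the post does not spell out: that the client certificate chains to the CA the ASA will trust, and that its OU really equals the tunnel-group name the ASA picks from it. The passwords, DN values, file names and the tunnel-group name are constructed to match the post.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the CA, the client
# key/CSR/certificate and the PKCS#12 bundle exactly as in steps 2-9,
# then verifies the chain and the OU-to-tunnel-group mapping.
set -eu

CA_PASS="ca-secret"           # constructed sample; the post prompts for this
CLIENT_PASS="client-secret"   # constructed sample
P12_PASS="p12-secret"         # the password the phone asks for on import
TUNNEL_GROUP="OUAndroid"      # ASA tunnel-group name; must equal the client OU

# Create CA, client material and client_crt.p12 inside directory $1.
make_pki() (
    cd "$1"
    # Steps 2-3: password-protected CA key and self-signed CA certificate.
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out CA_key.pem 2048
    openssl req -new -x509 -days 365 -key CA_key.pem -passin "pass:$CA_PASS" \
        -subj "/C=US/ST=TX/L=Houston/O=Company/OU=OU/CN=COMMONCA" -out CA_crt.pem
    # Steps 5-7: client key and CSR; the OU carries the tunnel-group name.
    openssl genrsa -des3 -passout "pass:$CLIENT_PASS" -out client_key.pem 2048
    openssl req -new -key client_key.pem -passin "pass:$CLIENT_PASS" \
        -subj "/C=US/ST=TX/L=Houston/O=Company/OU=$TUNNEL_GROUP/CN=AndroidClient" \
        -out client_csr.pem
    # Step 8: sign the CSR with the CA key.
    openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem \
        -passin "pass:$CA_PASS" -days 365 -CAcreateserial -CAserial CA.seq \
        -out client_crt.pem
    # Step 9: PKCS#12 bundle for the phone (key + client cert + CA cert).
    openssl pkcs12 -export -inkey client_key.pem -passin "pass:$CLIENT_PASS" \
        -in client_crt.pem -certfile CA_crt.pem -passout "pass:$P12_PASS" \
        -out client_crt.p12
)

# Check 1: the client certificate must validate against the CA the ASA imports.
verify_chain() {
    openssl verify -CAfile "$1/CA_crt.pem" "$1/client_crt.pem" >/dev/null
}

# Check 2: print the OU of a certificate, the field the ASA maps to a tunnel group.
cert_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

PKI_DIR="$(mktemp -d)"
make_pki "$PKI_DIR"
verify_chain "$PKI_DIR"
echo "client OU: $(cert_ou "$PKI_DIR/client_crt.pem") (tunnel group: $TUNNEL_GROUP)"
```

If the OU printed at the end differs from the tunnel-group name, the ASA will not place the connection in the OUAndroid profile, which is the most common reason a certificate that otherwise validates is rejected.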

    10. Import the CA Certificate to Cisco ASA

    Log in to Cisco ASA using ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.

    Click Add, and in the "Install from a file" field, browse to the CA certificate file created previously. The trustpoint name can be left as the default, or it can be changed to something more descriptive.

    Click Install Certificate. (client_crt.pem in the \bin folder)

    11. Create a Server Certificate Request

    In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select Add a new identity certificate. There is a bug in ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected compared to what was used for the CA certificate. The certificate will be moved to the same trustpoint manually later.

    Select the subject DN fields by clicking Select. Add the same values as for the client, except for the Common Name (CN) field. Use e.g. "ciscoasa" there (my default Cisco hostname).

    Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem" (in the \bin folder)

    12. Sign the Server Certificate Request Using the CA

    To sign the server's certificate request using the CA's key, use the following command:
    Code (Text):
    openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq

    The CA key file's password is needed; give the password originally used when creating the CA's key pair.

    13. Install the Server Certificate in Cisco ASA

    In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate, and click Install.
    Browse for the signed certificate file, and click Install Certificate.
    The identity certificate is still in the wrong trustpoint. It must be manually moved to the same trustpoint with the server certificate. Open an SSH or Telnet connection to the ASA and run the following command (all commands are expected to be executed in enable and/or configure mode):

    Code (Text):
    sh run crypto

    In the output, both trustpoints previously created should be visible, with one certificate each, like in the following:

    crypto ca certificate chain ASDM_Trustpoint0
    certificate ca <ID>
    <cert contents>
    quit
    crypto ca certificate chain ASDM_Trustpoint1
    certificate <ID>
    <cert contents>
    quit

    Copy the certificate in the temporary trustpoint (ASDM_Trustpoint1) to the clipboard, starting from the line beginning with word "certificate" and ending with the line starting with "quit".

    Enter the configuration mode (command "conf t") and modify the real trustpoint (named ASDM_Trustpoint0 in this example):
    Code (Text):
    crypto ca certificate chain ASDM_Trustpoint0

    Paste the certificate copied to the clipboard. Execute the command "exit" to exit trustpoint configuration.

    Remove the identity certificate from the temporary trustpoint:
    Code (Text):
    crypto ca certificate chain ASDM_Trustpoint1
    no certificate <ID>
    exit

    Remove the temporary trustpoint:
    Code (Text):
    no crypto ca trustpoint ASDM_Trustpoint1

    At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
    crypto ca certificate chain ASDM_Trustpoint0
    certificate <ID>
    <certificate contents>
    quit
    certificate ca <ID>
    <certificate contents>
    quit

    Save config (exit, write mem). Refresh configuration in ASDM, and verify from there also that certificates are under the same trustpoint.

    14. As last part, a short checklist about all the locations that need some configuration in ASDM:

    Create IPSec Transform sets
    Android uses IPSec transport mode, so there need to be transform sets with Transport mode enabled. Configure these transform sets: ESP-AES-128-SHA-TRANSP and ESP-3DES-SHA-TRANSP. (I named them android 1 & 2)

    Create IKE Policy
    A specific IKE Policy is needed. Configure a policy with these values:
    Encryption: 3DES
    Hash: SHA
    Authentication: rsa-sig
    D-H Group: 2

    Check IKE Parameters
    Check that IKE is enabled on WAN interface, and that NAT-T is enabled.
    Also see below to enable.

    Run the VPN Wizard AnyConnect:

    -Connection Profile: OUAndroid (as specified in the certificate)
    -VPN Protocols: SSL + IPSEC and choose the certificate
    -Add a client image (for example anyconnect-linux-2.3xxxk9-pkg)
    * only needed to continue the wizard *
    -AAA server Groups: LOCAL and create a user
    -Client Address: assign a DHCP pool for the connected clients
    -DNS: optional
    -NAT exempt: Exempt VPN traffic ON (choose right interface)
    -Allow Web Launch: NO

    Further settings:
    Enable IKEv1 on the designated interface:
    Code (Text):
    crypto ikev1 enable <interface>

    Remote Access VPN - IPSec(IKEv1) Connection Profiles:

    Edit OUAndroid profile:

    Basic: check if "Identity Certificate" still holds the certificate
    Under Advanced - IPSec, set IKE Peer ID Validation to Do not check.
    Under Advanced - IPSec, set IKE keepalives to Disable keepalives.
    Under Advanced - PPP, select only PAP.

    Site to Site VPN - Crypto Maps:

    Check if the IKEv1 IPSec Transform sets are selected (in my case sets android 1 & 2):

    dynamic: 65535.65535 1 any any ip Protect android1 android2 AES256 AES192 AES 3DES DES

    Group Policies (above): edit the OUAndroid policy
    Select only IPsec IKEv1 & L2TP/IPSec

    example:
    GroupPolicy_OUAndroid Internal l2tp-ipsec;ikev1 OUAndroid

    On the Xperia:

    Goto Wireless connections / VPN settings:
    Add VPN
    Choose VPN L2TP/IPSec CRT
    Enter VPN name (can be anything)
    VPN server: IP of CISCO ASA VPN server
    Select the user certificate (imported on phone)
    Select the ca-certificate (imported on phone)

    Press the lower right button on the Xperia and SAVE.

    Connect with username and password, and if all goes well you're connected!

    Good luck
