At my work, I've seen the same. iPhones can connect to our Cisco IPSEC VPN. They don't have to put in the group id or password. So I was hopeful. I picked up a Droid on Friday. Over the weekend, I tried everything I could think of (and called some lifelines) but no luck. The Droid would not connect. So, no access to my intranet sites and only email access via a web interface.
I liked the Droid A LOT but it went back today. I voted and wait with fingers crossed for this issue to be resolved.
Well I posted this on the Droid forums site and it seems to make sense to post it here as well. I've done some testing in this area and I'm pretty close. Please have a look ...
I'm successful in completing both Phase 1 and Phase II of the tunnel negotiation using the Droid and CISCO 3000 concentrator. I am able to complete the VPN handshake noting that I see packets encap, encrypt, decap, decrypt etc...
At this point, something in the auth process fails once the device is connected to my CISCO concentrator. In other words, I can get the VPN to connect and build a tunnel but once it's on the network, it goes no further. This proves out the group ID and password as both happen during Phase I which I am successful in completing.
Just as I see traffic being passed, I get bumped. Logs are below. Anyone else working with CISCO 3000s can also validate my work.
%IKE-5-120: RPT=28091: 75.195.28.21: Group [75.195.28.21] PHASE 2 COMPLETED (msgid=d0a5afb9
%L2TP-5-57: RPT=4: 75.195.28.21: Tunnel to peer 75.195.28.21:50662 established
%L2TP-5-53: RPT=4: 75.195.28.21: Session started on tunnel 75.195.28.21:50662
L2TP-5-47: RPT=4: 75.195.28.21: Session closed on tunnel 75.195.28.21:50662 (peer 59497, local 21768, serial 302617193), reason: Call disconnected for administrative reasons
%L2TP-5-33: RPT=4: 75.195.28.21: Exceeded rexmit limit of 4 to 75.195.28.21:50662 (Ss:3, last Nr:2)
%L2TP-5-46: RPT=4: 75.195.28.21: Tunnel to peer 75.195.28.21:50662 closed, reason: Peer no longer responding
The group is set to use Domain authentication, not RADIUS. I'm not sure where it's failing in the auth process at this point, but that is where I'll continue to troubleshoot. Most likely I'll add a local user account on the 3000 and see if I can get it to successfully auth from there.
The one caveat here which tells us how close this thing is to prime time is the group name. I had to create a new group on my Concentrator and set it to the IP address of my phone at the time of the connection. It appears that Verizon changes their IPs far less frequently than say AT&T and a BB I have. I've confirmed this using WhatIsMyIP.com. If you do not set the group name on the Concentrator to the IP of the phone at the time, the 3000 will not recognize the Droid VPN connection group and simply drop you at the door. This is important information however, as one would think that adding a field to specify a Group name would be easier than adding other functionality such as true IPsec VPN capabilities which BTW the Droid does not do!
Here are my notes from the setup:
Group Name is IP Address of Phone
Password for group name matches password I used on my Phone
You must enable L2TP over IPsec on the CISCO appliance
My IPsec SA on the CISCO 3000 is set to use ESP-L2TP-TRANSPORT
I'll update this post again with more information when I have some more time to troubleshoot.
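An added example, written here and not part of the post above: a small parser for the concentrator lines the poster quoted that reports how far the L2TP/IPsec connection got (IKE phase 1, IKE phase 2, L2TP tunnel, L2TP session) and the first failure it hit, which is the question the post is working through. The log text is the poster's output pasted in as constructed test input; the stage names and matching rules are my own assumptions about the message wording, not a Cisco API.

```python
import re

# Constructed input: the six concentrator log lines quoted in the post, copied verbatim
# (one of them lacks the leading '%', so the parser tolerates a missing '%').
SAMPLE_LOG = """\
%IKE-5-120: RPT=28091: 75.195.28.21: Group [75.195.28.21] PHASE 2 COMPLETED (msgid=d0a5afb9
%L2TP-5-57: RPT=4: 75.195.28.21: Tunnel to peer 75.195.28.21:50662 established
%L2TP-5-53: RPT=4: 75.195.28.21: Session started on tunnel 75.195.28.21:50662
L2TP-5-47: RPT=4: 75.195.28.21: Session closed on tunnel 75.195.28.21:50662 (peer 59497, local 21768, serial 302617193), reason: Call disconnected for administrative reasons
%L2TP-5-33: RPT=4: 75.195.28.21: Exceeded rexmit limit of 4 to 75.195.28.21:50662 (Ss:3, last Nr:2)
%L2TP-5-46: RPT=4: 75.195.28.21: Tunnel to peer 75.195.28.21:50662 closed, reason: Peer no longer responding
"""

LINE_RE = re.compile(r"^%?(?P<fac>IKE|L2TP)-\d-\d+: RPT=\d+: (?P<peer>[\d.]+): (?P<msg>.*)$")

# Stages in the order an L2TP-over-IPsec connection must pass them (assumed names).
ORDER = ["ike_phase1", "ike_phase2", "l2tp_tunnel", "l2tp_session"]

# (facility, substring of the message text, stage, succeeded?) - first match wins.
RULES = [
    ("IKE", "PHASE 1 COMPLETED", "ike_phase1", True),
    ("IKE", "PHASE 2 COMPLETED", "ike_phase2", True),
    ("L2TP", "established", "l2tp_tunnel", True),
    ("L2TP", "Session started", "l2tp_session", True),
    ("L2TP", "Session closed", "l2tp_session", False),
    ("L2TP", "Exceeded rexmit limit", "l2tp_tunnel", False),
    ("L2TP", "Tunnel to peer", "l2tp_tunnel", False),  # "... closed, reason: ..."
]

def classify(line):
    """Map one log line to (peer, stage, ok, reason), or None if it is not a stage event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fac, msg = m.group("fac"), m.group("msg")
    for rfac, needle, stage, ok in RULES:
        if fac == rfac and needle in msg:
            reason = msg.split("reason: ", 1)[1] if "reason: " in msg else ""
            return m.group("peer"), stage, ok, reason
    return None

def diagnose(log_text):
    """Per peer: the furthest stage that succeeded and the first failure with its reason."""
    result = {}
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        peer, stage, ok, reason = ev
        r = result.setdefault(peer, {"reached": None, "failed_at": None, "reason": ""})
        if ok:
            if r["reached"] is None or ORDER.index(stage) > ORDER.index(r["reached"]):
                r["reached"] = stage
        elif r["failed_at"] is None:  # keep the first failure; later lines are fallout
            r["failed_at"], r["reason"] = stage, reason
    return result

if __name__ == "__main__":
    for peer, r in diagnose(SAMPLE_LOG).items():
        print(peer, r)
```

For the quoted log this reports that the session stage was reached and also where it failed, with the reason "Call disconnected for administrative reasons"; a failure at ike_phase1 instead would point at the group name or password rather than at user authentication.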