After two nights I finally got the Xperia Mini VPN client connected to a Cisco 5505.
So I thought, let's share this with whoever is interested (text mostly from another forum, adjusted):
1. Install OpenSSL & MS Visual C++ 2008 Redistributable
(needed to create certificate)
Note: All openSSL certificate commands in this article are executed in the C:\OpenSSL-Win32\bin folder
Open a command prompt (cmd) and go to the folder C:\OpenSSL-Win32\bin
type:
Code:
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
2. Create the CA key pair. The key file is password protected, so give a password for the key file when OpenSSL asks for it.
Code:
openssl genrsa -out CA_key.pem -des3 2048
3. Create a self-signed certificate for the CA.
Code:
openssl req -new -key CA_key.pem -x509 -days 365 -out CA_crt.pem
4. To be able to generate the certificate based on the private key, the password for the key file is needed. Give the password given when originally creating the key file in step 2. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Houston
Organization = Company
Organizational Unit = OU
Common Name = COMMONCA
Email Address = <leave empty>
5. Create a Client Certificate Request
Create a key pair for the client. The key file is password protected, so give a password for the key file when OpenSSL asks for it.
Code:
openssl genrsa -out client_key.pem -des3 2048
6. Create a certificate request for a client certificate.
Code:
openssl req -new -key client_key.pem -out client_csr.pem
7. To be able to generate the certificate request based on the private key, the password for the key file is needed. Give the password given when originally creating the client key file in step 5. The command also needs the details for the DN (Distinguished Name) of the certificate. Use for example the following values:
Country Code = US
State = TX
Locality = Houston
Organization = Company
Organizational Unit = OUAndroid
Common Name = AndroidClient
Email Address = <leave empty>
Note that by default Cisco uses the Organizational Unit field as the name of the VPN tunnel group. For example, with the certificate configured as above, the VPN tunnel group must be named "OUAndroid" in the ASA. OpenSSL also asks for the optional "challenge password" and "company name" fields. Leave these fields blank.
8. To sign the client's certificate request using the CA's key, use the following command:
Code:
openssl x509 -req -in client_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out client_crt.pem -days 365 -CAcreateserial -CAserial CA.seq
CA's key file's password is needed, give the password originally used when creating the CA's key pair.
9. Transform the .pem-format certificate to a pkcs#12 file:
Code:
openssl pkcs12 -export -out client_crt.p12 -inkey client_key.pem -in client_crt.pem -certfile CA_crt.pem
The pkcs#12 file is now ready to be imported to an Android device:
-Copy client_crt.p12 to the root of the SD card
-Go to Settings: Location & Security / Install certificate from SD card
-Enter the export password to unpack and install the certificate
-Delete client_crt.p12 from the SD card afterwards; it contains the client's private key
10. Import the CA Certificate to Cisco ASA
Log in to Cisco ASA using ASDM tool, and open Configuration - Remote Access VPN - Certificate Management - CA Certificates.
Click Add, and in the Install from a file field, browse to the CA certificate file created previously (CA_crt.pem in the \bin folder). The trustpoint name can be left as the default, or it can be changed to something more descriptive.
Click Install Certificate.
11. Create a Server Certificate Request
In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Click Add. Select Add a new identity certificate. There is a bug in ASA which prevents creating the identity certificate directly in an existing trustpoint. Thus, a different trustpoint must be selected compared to what was used for the CA certificate. The certificate will be moved to the same trustpoint manually later.
Select the subject DN fields by clicking Select. Add the same values as for the client, except for the Common Name (CN) field. Use e.g. "ciscoasa" there (my default Cisco hostname).
Click Add Certificate, and save the certificate request to a file, e.g. "server_csr.pem" (in the \bin folder)
12. Sign the Server Certificate Request Using the CA
To sign the server's certificate request using the CA's key, use the following command:
Code:
openssl x509 -req -in server_csr.pem -CA CA_crt.pem -CAkey CA_key.pem -out server_crt.pem -days 365 -CAserial CA.seq
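Added example (not from the original post): the OpenSSL part of this procedure, steps 1 to 12, as one non-interactive POSIX shell script, plus the checks worth running before copying anything to the phone or the ASA: that the client and server certificates chain to the CA, that the client OU really is the tunnel-group name the ASA will look for, and that the .p12 opens with the intended password and no other. Everything that differs from the commands above is an assumption of this example, not the post: -subj and -passin/-passout replace the interactive prompts, the key files are encrypted with AES-256 instead of 3DES, basicConstraints/extendedKeyUsage extensions are added to the issued certificates, and a locally generated server key stands in for the CSR that the ASA itself generates in step 11. The directory name and passphrases are constructed.

```shell
# Added example (not from the original post): steps 1-12 of the post as one
# repeatable script. Directory, passphrases, DN values and the extension
# choices are constructed/assumed for this example.
set -eu

DN_BASE="/C=US/ST=TX/L=Houston/O=Company"
# OU of the client certificate = the ASA tunnel-group name (see step 7).
TUNNEL_GROUP="${TUNNEL_GROUP:-OUAndroid}"

# make_pki DIR CA_PASS CLIENT_PASS P12_PASS
# Writes CA_key.pem, CA_crt.pem, client_key.pem, client_crt.pem, client_crt.p12,
# server_key.pem, server_csr.pem and server_crt.pem into DIR.
make_pki() {
    dir="$1"; ca_pass="$2"; client_pass="$3"; p12_pass="$4"
    mkdir -p "$dir"

    # Steps 2-4: CA key (AES-256 instead of the post's -des3 for the key file)
    # and a self-signed CA certificate; -subj replaces the interactive prompts.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/CA_key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/CA_key.pem" -passin "pass:$ca_pass" \
        -subj "$DN_BASE/OU=OU/CN=COMMONCA" -out "$dir/CA_crt.pem"

    # Steps 5-7: client key and CSR. The OU is what the ASA maps to the tunnel group.
    openssl genrsa -aes256 -passout "pass:$client_pass" -out "$dir/client_key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/client_key.pem" -passin "pass:$client_pass" \
        -subj "$DN_BASE/OU=$TUNNEL_GROUP/CN=AndroidClient" -out "$dir/client_csr.pem"

    # Step 8: sign the client CSR with the CA. The extension file (added in this
    # example) marks the result as a non-CA client-authentication certificate.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client_ext.cnf"
    openssl x509 -req -in "$dir/client_csr.pem" -CA "$dir/CA_crt.pem" -CAkey "$dir/CA_key.pem" \
        -passin "pass:$ca_pass" -CAcreateserial -CAserial "$dir/CA.seq" -days 365 \
        -extfile "$dir/client_ext.cnf" -out "$dir/client_crt.pem" 2>/dev/null

    # Step 9: PKCS#12 bundle for the phone (client key + client cert + CA cert).
    openssl pkcs12 -export -inkey "$dir/client_key.pem" -passin "pass:$client_pass" \
        -in "$dir/client_crt.pem" -certfile "$dir/CA_crt.pem" \
        -passout "pass:$p12_pass" -out "$dir/client_crt.p12"

    # Steps 11-12: on the real ASA the CSR comes out of ASDM and is only signed
    # here; a locally generated server key stands in for it in this example.
    openssl genrsa -out "$dir/server_key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/server_key.pem" \
        -subj "$DN_BASE/OU=$TUNNEL_GROUP/CN=ciscoasa" -out "$dir/server_csr.pem"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/server_ext.cnf"
    openssl x509 -req -in "$dir/server_csr.pem" -CA "$dir/CA_crt.pem" -CAkey "$dir/CA_key.pem" \
        -passin "pass:$ca_pass" -CAserial "$dir/CA.seq" -days 365 \
        -extfile "$dir/server_ext.cnf" -out "$dir/server_crt.pem" 2>/dev/null
}

# verify_chain DIR CERT: succeeds only if CERT was issued by DIR/CA_crt.pem.
verify_chain() {
    openssl verify -CAfile "$1/CA_crt.pem" "$1/$2" >/dev/null 2>&1
}

# cert_ou DIR CERT: prints the OU, i.e. the tunnel-group name the ASA will use.
cert_ou() {
    openssl x509 -in "$1/$2" -noout -subject -nameopt RFC2253 |
        tr ',' '\n' | sed -n 's/^OU=//p'
}

# p12_opens DIR PASS: succeeds only if the bundle unpacks with PASS
# (the password the phone asks for in step 9).
p12_opens() {
    openssl pkcs12 -in "$1/client_crt.p12" -passin "pass:$2" -noout 2>/dev/null
}

# Stand-alone use: sh build_pki.sh ./pki   (no argument: only define the functions)
if [ "$#" -ge 1 ]; then
    make_pki "$1" "ca-pass" "client-pass" "p12-pass"   # constructed passphrases
    verify_chain "$1" client_crt.pem && echo "client_crt.pem chains to CA_crt.pem"
    verify_chain "$1" server_crt.pem && echo "server_crt.pem chains to CA_crt.pem"
    echo "ASA tunnel group expected from client OU: $(cert_ou "$1" client_crt.pem)"
fi
```

Run it as `sh build_pki.sh ./pki` to produce the files; without an argument it only defines the functions. With OpenSSL 3 the PKCS#12 bundle is written with AES-256 and a SHA-256 MAC, which older importers (old Android releases among them) may reject; add `-legacy` to the `openssl pkcs12 -export` line for such devices.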
13. Install the Server Certificate in Cisco ASA
In Cisco ASDM, select Configuration - Certificate Management - Identity Certificates. Select the pending certificate, and click Install.
Browse for the signed certificate file, and click Install Certificate.
The identity certificate is still in the wrong trustpoint. It must be moved manually to the same trustpoint as the CA certificate. Open an SSH (or Telnet, which sends the session in cleartext) connection to the ASA, and run this command (all commands are expected to be executed in enable and/or configure mode):
Code:
sh run crypto
In the output, both trustpoints previously created should be visible, with one certificate each, like in the following:
crypto ca certificate chain ASDM_Trustpoint0
certificate ca <ID>
<cert contents>
quit
crypto ca certificate chain ASDM_Trustpoint1
certificate <ID>
<cert contents>
quit
Copy the certificate in the temporary trustpoint (ASDM_Trustpoint1) to the clipboard, starting from the line beginning with the word "certificate" and ending with the line starting with "quit".
Enter configuration mode (command "conf t") and modify the real trustpoint (named ASDM_Trustpoint0 in this example):
Code:
crypto ca certificate chain ASDM_Trustpoint0
Paste the certificate copied to the clipboard (from the "certificate <ID>" line to the "quit" line). Execute the command "exit" to leave trustpoint configuration.
Remove the identity certificate from the temporary trustpoint:
Code:
crypto ca certificate chain ASDM_Trustpoint1
no certificate <ID>
exit
Remove the temporary trustpoint:
Code:
no crypto ca trustpoint ASDM_Trustpoint1
At this point, the certificate configuration should look like this (both certificates are under the same trustpoint):
crypto ca certificate chain ASDM_Trustpoint0
certificate <ID>
<certificate contents>
quit
certificate ca <ID>
<certificate contents>
quit
Save config (exit, write mem). Refresh configuration in ASDM, and verify from there also that certificates are under the same trustpoint.
14. As the last part, a short checklist of all the locations that need some configuration in ASDM:
Create IPSec Transform sets
Android uses IPSec transport mode, so there need to be transform sets with Transport mode enabled. Configure these transform sets: ESP-AES-128-SHA-TRANSP and ESP-3DES-SHA-TRANSP. (I named them android 1 & 2)
Create IKE Policy
A specific IKE Policy is needed. Configure a policy with these values:
Encryption: 3DES
Hash: SHA
Authentication: rsa-sig
D-H Group: 2
3DES, SHA-1 and DH group 2 are legacy strength by today's standards; this policy is there only because the Android client negotiates it, so do not rely on it for other peers that can do better.
Check IKE Parameters
Check that IKE is enabled on the WAN interface and that NAT-T is enabled (see below for the CLI command to enable IKEv1).
Run the VPN Wizard AnyConnect:
-Connection Profile: OUAndroid (as specified in the certificate)
-VPN Protocols: SSL + IPSEC and choose the certificate
-Add a client image (for example anyconnect-linux-2.3xxxk9-pkg)
* only needed to continue the wizard *
-AAA server Groups: LOCAL and create a user
-Client Address: assign a DHCP pool for the connected clients
-DNS: optional
-NAT exempt: Exempt VPN traffic ON (choose right interface)
-Allow Web Launch: NO
Further settings:
Enable IKEv1 on the designated interface:
Code:
crypto ikev1 enable <interface>
Remote Access VPN - IPSec(IKEv1) Connection Profiles:
Edit OUAndroid profile:
Basic: check if "Identity Certificate" still holds the certificate
Under Advanced - IPSec, set IKE Peer ID Validation to Do not check. This only skips matching the peer's IKE identity against its certificate; the client is still authenticated by its certificate chaining to the CA trustpoint.
Under Advanced - IPSec, set IKE keepalives to Disable keepalives.
Under Advanced - PPP, select only PAP.
Site to Site VPN - Crypto Maps:
Check if the IKEv1 IPSec Transform sets are selected (in my case sets android 1 & 2):
dynamic: 65535.65535 1 any any ip Protect android1 android2 AES256 AES192 AES 3DES DES
Group Policies (above): edit the OUAndroid policy
Select only IPsec IKEv1 & L2TP/IPSec
example:
GroupPolicy_OUAndroid Internal l2tp-ipsec;ikev1 OUAndroid
On the Xperia:
Goto Wireless connections / VPN settings:
Add VPN
Choose VPN L2TP/IPSec CRT
Enter VPN name (can be anything)
VPN server: IP of CISCO ASA VPN server
Select the user certificate (imported on phone)
Select the ca-certificate (imported on phone)
Press the lower right button on the Xperia and SAVE
Connect with username and password and if all goes well you're connected!
Good luck