I am trying to configure my Cisco ASA 5510 running software version 8.2 to allow my Droid X to connect via L2TP/IPSec VPN. I have configured the DefaultRAGroup like so:
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy droid
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2
and the associated group policy:
group-policy droid internal
group-policy droid attributes
wins-server value (ip omitted)
dns-server value (ip omitted)
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
Watching the log while I try to connect from my phone, I get to "PHASE 2 COMPLETED" but then nothing else happens, and after a few more seconds, the phone says the connection failed. With full ipsec, isakmp, and l2tp debugs, I can see the IKE negotiation complete successfully and the IPSec SA established, then there are these messages:
IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701>
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <72.121.92.238> mask <255.255.255.255> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1> np_rule_id <0xd84fa348>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1> np_rule_id <0xd850ad08>
...and nothing else happens. No L2TP traffic flows, and there are no error messages. Inspecting "show vpn-sessiondb" indicates the ASA believes it has established ISAKMP and IPSec associations, but there are no L2TP/IPSec sessions. Has anyone gotten this working; or, failing that, any ideas for how to further troubleshoot this problem?
Edit: Additional testing has shown that it works with a non-android L2TP client, it works from the Droid X over WiFi, but it does NOT work from the Droid X over Verizon's wireless data network. I have filed a bug in the android tracker here: http://code.google.com/p/android/issues/detail?id=9950
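The debug trace above stops right after the L2TP punt rule is installed, which is the useful clue: IKE and IPsec are fine, and whatever is failing is happening to the UDP 1701 traffic that should flow inside the SA. As an added example (not from the question, and not Cisco tooling), here is a small Python triage script that reads a saved ASA debug capture, records which milestones were reached, pulls the peer address and port out of the L2TP LOWERLAYER lines, and classifies the peer address so you can tell at a glance whether the ASA is talking to a public, RFC 1918 or carrier-grade NAT address. The three rule-install lines and the peer address in the sample are copied from the question; the "PHASE 1 COMPLETED" line, the final "l2tp_control" heuristic (any L2TP debug line that is not a LOWERLAYER rule-install line) and the diagnosis strings are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of ASA "debug crypto isakmp" / "debug l2tp" output. The
# LOWERLAYER lines and the peer address are copied from the question; the
# PHASE lines are made up to mark the earlier stages.
SAMPLE_DEBUG = """\
PHASE 1 COMPLETED
PHASE 2 COMPLETED
IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
"""

# Milestones in the order a working L2TP/IPsec connection passes them.
# The first three match text quoted in the question; the last is a heuristic
# (assumption): an "L2TP" debug line that is not a LOWERLAYER rule-install
# line is taken as evidence that L2TP control traffic reached the ASA.
STAGES = [
    ("ike_phase1", re.compile(r"PHASE 1 COMPLETED")),
    ("ike_phase2", re.compile(r"PHASE 2 COMPLETED")),
    ("l2tp_rules", re.compile(r"Add L2TP classification rules")),
    ("l2tp_control", re.compile(r"^L2TP(?! LOWERLAYER)")),
]

PEER_RE = re.compile(r"peer IP (\d{1,3}(?:\.\d{1,3}){3}), peer port (\d+)")

# Address scopes that mean the ASA is seeing a NATed or carrier-side address.
SCOPES = [
    (ipaddress.ip_network("10.0.0.0/8"), "rfc1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "rfc1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "rfc1918 private"),
    (ipaddress.ip_network("100.64.0.0/10"), "shared address space (CGNAT)"),
]


def classify_peer(ip_text):
    """Return a scope label for a dotted-quad address."""
    ip = ipaddress.ip_address(ip_text)
    for net, label in SCOPES:
        if ip in net:
            return label
    return "public"


def triage(debug_text):
    """Work out how far the connection got and what to check next."""
    lines = debug_text.splitlines()
    reached = [name for name, rx in STAGES if any(rx.search(l) for l in lines)]

    peer, port = None, None
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            peer, port = m.group(1), int(m.group(2))
            break

    # Diagnosis strings are the example's own wording, not ASA output.
    if "ike_phase2" not in reached:
        diagnosis = "IKE did not complete; check the pre-shared key and ISAKMP policy"
    elif "l2tp_rules" not in reached:
        diagnosis = "IPsec SA up but no L2TP rules installed; check vpn-tunnel-protocol l2tp-ipsec"
    elif "l2tp_control" not in reached:
        diagnosis = ("IPsec SA up and L2TP rules installed, but no L2TP control traffic "
                     "arrived on UDP %s inside the SA; check NAT-T and transport mode"
                     % (port or 1701))
    else:
        diagnosis = "L2TP control traffic seen; look at the PPP authentication stage next"

    return {
        "reached": reached,
        "peer": peer,
        "peer_port": port,
        "peer_scope": classify_peer(peer) if peer else None,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print("%-11s %s" % (key, value))
```

Feed it the output of `debug crypto isakmp`, `debug crypto ipsec` and `debug l2tp` captured to a file, one run per connection attempt; comparing the "reached" list between a WiFi attempt and a carrier-network attempt shows immediately whether both stall at the same milestone, and the peer scope tells you whether a NAT device sits between the client and the ASA.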
The problem is the split tunneling. I'm actually surprised you got it working in the first place with the stock vpn client. It's crap.
Anyway, the major carriers usually assign a private 10.0.0.0/8 ip to their devices, so when you try to split tunnel it fails as it can't determine what's tunneled and what's not. Enjoy.
The bug report I submitted to the AOSP was closed years ago as "won't fix (Obsolete)," and the Cisco TAC told other users that this configuration was not supported.
I'm looking to do this too. See Cisco Forums for a discussion of how someone else got this working (I guess you saw this too).
Editing the DefaultRAGroup seems a bit nasty. There is some discussion that AnyConnect will work in future because of a Cisco Android project (Cius), but the licensing costs for AnyConnect are a bit high compared to IPSEC. I'm holding out for an IPSEC/L2TP or pure IPSEC solution.