VPN Issue

[sir]

Not really an issue with the phone as much as a missing feature, but none of the VPN Profiles in Eclair allow you to enter the "Group Name" and "Group Password" that some Cisco (and other?) VPN configurations need.

If you know you need to enter a group name or password for your VPN connection, I haven't been able to find a way to make it work and everything I've found on the Internet has led me to believe it's not possible at this time.

/me hopes someone can prove me wrong

[ppphfwhatever]

i was playing around with this today too and gave up for now

[castalia]

I have been trying to find a way to do this all day. So far all things lead me to thinking you have root the device and follow those steps. Of course I am as of yet not willing to root my phone. Has anyone had success with a CISCO style VPN connection?

[sir]

even if you were willing, you'd have to wait for someone to figure out how to root the device first

[castalia]

Well yes. I am aware that it isn't possible to root the Droid yet. Just curious if anyone had seen a way that did not involving rooting.

[sir]

For all who want this feature added:

Issue 3902 - android - Feature Request: "pure" ipsec vpn client (cisco-compatible) - Project Hosting on Google Code

Go there and give it a * so they pay attention to the need for this feature.

[Tekmazter]

I've made some progress on this today. I'm able to complete both Phase 1 and Phase II of the tunnel negotiation using the Droid and CISCO 3000 concentrator. At this point I am able to complete the VPN handshake and something in the auth process fails at the very end. In other words, I can get the VPN to connect and build a tunnel.

Just as I see traffic being passed (I do see packets encrypt and decrypt meaning two-way flow of traffic in the tunnel) I get bumped. Logs are below. Anyone else working with CISCO 3000's can also validate my work.

%IKE-5-120: RPT=28091: 75.195.28.21: Group [75.195.28.21] PHASE 2 COMPLETED (msgid=d0a5afb9

%L2TP-5-57: RPT=4: 75.195.28.21: Tunnel to peer 75.195.28.21:50662 established

%L2TP-5-53: RPT=4: 75.195.28.21: Session started on tunnel 75.195.28.21:50662

L2TP-5-47: RPT=4: 75.195.28.21: Session closed on tunnel 75.195.28.21:50662 (peer 59497, local 21768, serial 302617193), reason: Call disconnected for administrative reasons

%L2TP-5-33: RPT=4: 75.195.28.21: Exceeded rexmit limit of 4 to 75.195.28.21:50662 (Ss:3, last Nr:2)

%L2TP-5-46: RPT=4: 75.195.28.21: Tunnel to peer 75.195.28.21:50662 closed, reason: Peer no longer responding


The group is set to use Domain authentication, not RADIUS. I'm not sure where it's failing in the auth process at this point, but that is where I'll continue to troubelshoot. Most likely I'll add a local user account on the 3000 and see if I can get it to successfully auth from there.

The one caveat here which tells us how close this thing is to prime time is the group name. I had to create a new group on my Concentrator and set it to the IP address of my phone at the time of the connection. It appears that Verizon changes their IP's far less frequently than say AT&T and a BB I have. I've confirmed this using WhatIsMyIP.com. If you do not set the group name on the Concentrator to the IP of the phone at the time, the 3000 will not recognize the Droid VPN connection group and simply drop you at the door. This is important information however, as one would think that adding a field to specify a Group name would be easier than adding other functionality such as true IPsec VPN capabilities which BTW the Droid does not do!

Here are my notes from the setup:

Group Name is IP Address of Phone
Password for group name matches password I used on my Phone
You must enable L2TP over IPsec on the CISCO appliance
My IPsec SA on the CISCO 3000 is set to use ESP-L2TP-TRANSPORT

I'll update this post again with more information when I have some more time to troubleshoot.

[village]

This is mostly a clarification for other technically challenged people such as myself. You need to be logged into your google account to vote on issues by starring them.

It took me a little while to figure out that starring an issue to vote for it is simply clicking the star to the left of the word "ISSUE". So I did it.

It became much more clear to me at the following site, how the "voting with stars" system works. If you're inclined to have your wishes come true, go to Issues - android - Project Hosting on Google Code and click "Sign in" at the top right corner of the screen, do so and you'll be able to click (the white and almost invisible) stars to the left of the issues that are most important to you such as issue 1281 (a flash player for the droid) or flash support for the droid.

[sir]

I unstarred it because I was sick and tired of people commenting on it and it sending me an email. No one realizes that if you want something done you just have to star it. They don't bother with comments like that.

[Brindall]

For those interested in a Droid to Cisco VPN...

I have not created a fully successful connection yet, but I have been messing with this off and on for a while and have learned some interesting stuff I will pass along.

I am working with a Cisco ASA 5520.
The groupname must be 'DefaultRAGroup' since the Droid doesn't specifically handle groupnames. The name on your Droid prob needs to be the same.
You must set a transform set to transport mode since L2TP is transport mode only, not tunnel, and make sure this new transform is added to the dynamic crypto map.

With these settings I am now completing Phase 2 of the VPN connection successfully, but still the Droid drops the connection. I don't know why the Droid won't complete the connection, but I think I am getting close...