{"id":224,"date":"2015-02-23T12:28:20","date_gmt":"2015-02-23T12:28:20","guid":{"rendered":"http:\/\/iddles.co.uk\/blogs\/?p=224"},"modified":"2015-02-23T12:28:20","modified_gmt":"2015-02-23T12:28:20","slug":"windows-phone-8-1-to-cisco-asa-vpn","status":"publish","type":"post","link":"https:\/\/iddles.co.uk\/index.php\/2015\/02\/23\/windows-phone-8-1-to-cisco-asa-vpn\/","title":{"rendered":"Windows Phone 8.1 to Cisco ASA VPN"},"content":{"rendered":"<p>[There is next to no information available on this around, so this was borne out of experimentation and a lot of packet capture analytics]<br \/>\n<strong>Update:\u00a0 Since testing this I have found that L2TP\/IPsec does not work if the ASA is behind a NAT device.\u00a0 This is because the WP81 device explicitly will not connect to a peer that requires NAT-T.\u00a0 There is a registry key on Windows to enable this, but there is nothing equivalent on WP8.\u00a0\u00a0 <\/strong><br \/>\nWindows Phone 8.1 introduced a native VPN client to the operating system.\u00a0 It supports L2TP\/IPsec and IPsec IKEv2 natively, and various SSL VPN providers via plug-ins downloaded from the Windows Store.\u00a0 At the moment Juniper, Check Point and F5 have all made clients.\u00a0 Sadly Cisco has not yet, although one is due to be released by mid 2015.<br \/>\nThis leaves organisations with a quandary, not being able to support Windows Phone.\u00a0\u00a0 This is a shame, as the platform appears to try to support strong authentication and encryption schemes where possible.<br \/>\nYou would like to think that, with Windows Phone supporting IKEv2 and Cisco AnyConnect 3.x\/4.x&#8217;s IPsec implementation using only IKEv2, the two would interoperate.\u00a0 <del>Sadly they do not.\u00a0 The ASA &#8211; for some reason &#8211; always believes the Windows Phone to be an L2L (LAN to LAN\/Site to Site) VPN.\u00a0 Repeated attempts could not get this to work.<br \/>\n<\/del>Since writing the above and reading the Cisco documentation more, you need the ASA to be at 9.3(2) or above to 
support 3rd party IPsec clients.<br \/>\nThe IKEv2 proposals sent from Windows Phone (just for information) are:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<th valign=\"top\" width=\"79\">Encryption<\/th>\n<th valign=\"top\" width=\"64\">Key bits<\/th>\n<th valign=\"top\" width=\"64\">Integrity<\/th>\n<th valign=\"top\" width=\"72\">DH group<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td valign=\"top\" width=\"79\">3DES<\/td>\n<td valign=\"top\" width=\"64\"><\/td>\n<td valign=\"top\" width=\"64\">SHA1<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">AES-CBC<\/td>\n<td valign=\"top\" width=\"64\">128<\/td>\n<td valign=\"top\" width=\"64\">SHA1<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">3DES<\/td>\n<td valign=\"top\" width=\"64\"><\/td>\n<td valign=\"top\" width=\"64\">SHA256<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">AES-CBC<\/td>\n<td valign=\"top\" width=\"64\">128<\/td>\n<td valign=\"top\" width=\"64\">SHA256<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">AES-CBC<\/td>\n<td valign=\"top\" width=\"64\">128<\/td>\n<td valign=\"top\" width=\"64\">SHA384<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>I&#8217;m still battling the ASA\/WP81 connection using IKEv2 and certificates.\u00a0\u00a0 The configuration appears to be a little problematic, and the current working solutions rely on the use of EAP for the client authentication.\u00a0\u00a0 However, if you want to do plain, boring RSA certificate authentication at both ends, it does not work: the ASA wants to use RSA while the WP81 devices try to use ECDSA, which the ASA doesn&#8217;t offer\u00a0 &#8230; 
[currently talking to TAC]<br \/>\nThis only leaves L2TP\/IPsec as an option, which the ASA does support.\u00a0 Effectively this uses an IKEv1 IPsec channel to tunnel L2TP over.\u00a0 L2TP is not a very secure protocol on its own but is very good for tunnelling, and over IPsec it should be fine for most environments.\u00a0 As mentioned, IKEv1 is used and the following modes are proposed from Windows Phone:<\/p>\n<table style=\"height:50px;\" border=\"1\" width=\"532\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<th valign=\"top\" width=\"79\">Encryption<\/th>\n<th valign=\"top\" width=\"64\">Key bits<\/th>\n<th valign=\"top\" width=\"135\">Lifetime<\/th>\n<th valign=\"top\" width=\"64\">Integrity<\/th>\n<th valign=\"top\" width=\"72\">DH group<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td valign=\"top\" width=\"79\">AES-CBC<\/td>\n<td valign=\"top\" width=\"64\">256<\/td>\n<td valign=\"top\" width=\"135\">28800 seconds<\/td>\n<td valign=\"top\" width=\"64\">SHA1<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 20<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">AES-CBC<\/td>\n<td valign=\"top\" width=\"64\">128<\/td>\n<td valign=\"top\" width=\"135\">28800 seconds<\/td>\n<td valign=\"top\" width=\"64\">SHA1<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 19<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">AES-CBC<\/td>\n<td valign=\"top\" width=\"64\">256<\/td>\n<td valign=\"top\" width=\"135\">28800 seconds<\/td>\n<td valign=\"top\" width=\"64\">SHA1<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 14<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">3DES<\/td>\n<td valign=\"top\" width=\"64\"><\/td>\n<td valign=\"top\" width=\"135\">28800 seconds<\/td>\n<td valign=\"top\" width=\"64\">SHA1<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 14<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"79\">3DES<\/td>\n<td valign=\"top\" width=\"64\"><\/td>\n<td valign=\"top\" width=\"135\">28800 seconds<\/td>\n<td valign=\"top\" width=\"64\">SHA1<\/td>\n<td valign=\"top\" width=\"72\">DH Gp 2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Testing with ASA code 9.2-ish 
(seems OK on 8.6-ish too), only the last mode (3DES, SHA1, DH Gp 2) appears to work.\u00a0\u00a0 Not 100% sure of the reason, but I suspect Cisco only supports DH Groups 20, 19 and 14 when using IKEv2.\u00a0 Thus on the ASA side you need to add:<\/p>\n<pre>! Policy number 5 here, or whatever number you have free\ncrypto ikev1 policy 5\n ! The authentication method must match what the phone proposes in IKE phase 1;\n ! use 'authentication pre-share' if you rely on the tunnel-group pre-shared key configured later\n authentication rsa-sig\n encryption 3des\n hash sha\n group 2\n lifetime 28800<\/pre>\n<p>You then need to look at the IPsec SA.\u00a0 The &#8216;best&#8217; I found to work was AES128 with SHA1 hash.\u00a0\u00a0 The Windows client differs from a standard client in that it uses TRANSPORT mode, as opposed to TUNNEL mode.\u00a0 Windows also uses specific values for the SA lifetimes, which the ASA needs to match.\u00a0 Thus the ASA config needs the following:<\/p>\n<pre>! Note:  My ASA external interface is called 'outside', YMMV\n! The transform sets must exist and be in transport mode (ASDM usually creates these\n! names by default; define them if your ASA does not already have them)\ncrypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac\ncrypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport\ncrypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac\ncrypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport\ncrypto dynamic-map outside_dyn_map 60000 set ikev1 transform-set ESP-AES-128-SHA-TRANS ESP-3DES-SHA-TRANS\ncrypto dynamic-map outside_dyn_map 60000 set security-association lifetime seconds 3600\ncrypto dynamic-map outside_dyn_map 60000 set security-association lifetime kilobytes 250000\n! Note: No PFS is supported\n! 
Note: NAT-T is enabled by default.<\/pre>\n<p>I could have amended the standard dynamic crypto map to include these values but decided to keep it separate.<br \/>\nThe next challenge is authentication.\u00a0\u00a0 The ASA supports certificate-based authentication, but Windows Phone only supports a pre-shared key along with a username and password.\u00a0 The username and password can be passed to whatever AAA solution you may have defined within the ASA (such as Active Directory\/RADIUS\/even SecurID) or could be a local username and password.\u00a0\u00a0 Also, the L2TP\/IPsec profile does not support the concept of a &#8216;group&#8217; (which can be used to map to an ASA connection profile), thus the <strong>DefaultRAGroup<\/strong> has to be used.\u00a0 Here&#8217;s hoping you haven&#8217;t used this group for any of your existing client access \ud83d\ude42 \u00a0 If you have, then you need to be very careful not to break that access.<br \/>\nFirst you need to create a new group policy to attach to the group:<\/p>\n<pre>group-policy GP-WinPhone internal\ngroup-policy GP-WinPhone attributes\n wins-server none\n dns-server value 10.x.x.x 192.168.x.x\n vpn-tunnel-protocol l2tp-ipsec\n pfs enable\n default-domain value yourdomain.local<\/pre>\n<p>This sets the tunnel protocol, the DNS servers pushed to the client and the default domain name.\u00a0 Next, update the tunnel group:<\/p>\n<pre>tunnel-group DefaultRAGroup general-attributes\n address-pool OneOfYourPools\n default-group-policy GP-WinPhone\n authentication-server-group LOCAL\n ! 
Set a different group here depending on local security policy\ntunnel-group DefaultRAGroup ipsec-attributes\n ikev1 pre-shared-key xxxxxxxxxx\n isakmp keepalive disable\ntunnel-group DefaultRAGroup ppp-attributes\n no authentication pap\n no authentication ms-chap-v1\n authentication ms-chap-v2\n<\/pre>\n<p>This should be enough apart from adding a new local user for authentication.\u00a0 In the above I used the local user database.<\/p>\n<pre>! Enter the password with the 'mschap' keyword so it is stored as an NT hash (needed for MS-CHAPv2);\n! the running config then shows it as 'nt-encrypted', as below\nusername myWinPhoUser password xxxxxxxxx nt-encrypted\nusername myWinPhoUser attributes\n service-type remote-access<\/pre>\n<p>That should get you a working connection on the ASA side.<br \/>\nFrom the Windows Phone side, configure the profile from Settings &gt; VPN &gt; Add:<br \/>\n<a href=\"http:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0002.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-232\" src=\"http:\/\/iddles.co.uk\/blogs\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0002-180x300.jpg\" alt=\"wp_ss_20150223_0002\" width=\"180\" height=\"300\" srcset=\"https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0002-180x300.jpg 180w, https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0002.jpg 768w, https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0002-614x1024.jpg 614w\" sizes=\"auto, (max-width: 180px) 100vw, 180px\" \/><\/a>\u00a0 <a href=\"http:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0001.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-231\" src=\"http:\/\/iddles.co.uk\/blogs\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0001-180x300.jpg\" alt=\"wp_ss_20150223_0001\" width=\"180\" height=\"300\" srcset=\"https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0001-180x300.jpg 180w, https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0001.jpg 768w, 
https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0001-614x1024.jpg 614w\" sizes=\"auto, (max-width: 180px) 100vw, 180px\" \/><\/a> <a href=\"http:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0003.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-230\" src=\"http:\/\/iddles.co.uk\/blogs\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0003-180x300.jpg\" alt=\"wp_ss_20150223_0003\" width=\"180\" height=\"300\" srcset=\"https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0003-180x300.jpg 180w, https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0003.jpg 768w, https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0003-614x1024.jpg 614w\" sizes=\"auto, (max-width: 180px) 100vw, 180px\" \/><\/a> <a href=\"http:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0004.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-229\" src=\"http:\/\/iddles.co.uk\/blogs\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0004-180x300.jpg\" alt=\"wp_ss_20150223_0004\" width=\"180\" height=\"300\" srcset=\"https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0004-180x300.jpg 180w, https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0004.jpg 768w, https:\/\/iddles.co.uk\/wp-content\/uploads\/2015\/02\/wp_ss_20150223_0004-614x1024.jpg 614w\" sizes=\"auto, (max-width: 180px) 100vw, 180px\" \/><\/a><br \/>\nYou can set a proxy as needed.\u00a0 As discussed above, there is no way to use L2TP\/IPsec without a username and password being set, so you may as well make use of them: either a local user on top of the pre-shared key, or an Active Directory username and password as additional authentication.<br \/>\nGood luck!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[There is next to no information available on this around, so this was borne out of experimentation and a lot of 
packet capture analytics] Update:\u00a0 Since testing this I have since found that L2TP\/IPsec does not work if the ASA is behind a NAT device.\u00a0 This is because the WP81 device explicitly will not connect [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[7,11],"tags":[25,63],"class_list":["post-224","post","type-post","status-publish","format-standard","hentry","category-networking","category-security","tag-cisco-asa","tag-windows-phone","post-preview"],"_links":{"self":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=224"}],"version-history":[{"count":0,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/224\/revisions"}],"wp:attachment":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}