Saturday, Jan 21, 2012

ICS comes with Cisco VPN compatibility [finally]

After upgrading my Xoom WiFi from Google’s Android Honeycomb tablet OS to Ice Cream Sandwich 4.0.3 (ICS IML77), a functional Cisco-compatible VPN no longer eludes me. I’ve got Cisco VPN3005s deployed — yes, they are EOL (end of life) — and read in the past how the 3005 would never work with Android.

My initial attempt at VPN with ICS looked promising, but was short-lived. After quickly configuring an IPSec/PSK connection with the IPSec Identifier left at its default, which reads “not used”, I connected to the Base Group with a default IPSec group password set. I saw from the logs that ICS was trying to connect to the VPNC_Base_Group, which turns out to be the internal name of the Base Group, but then I’d get a user password error associated with the group name.

After triple-checking the password on the VPN Concentrator and reentering it in ICS, still no luck. So then I wondered if the IPSec Identifier in ICS could be the group name, and it turned out it is. Honeycomb’s VPN had no provision for specifying the group name and defaulted to using its IP address as the group identifier; in fact, Honeycomb could only do L2TP IPSec (transport) instead of the pure IPSec (tunnel).

After connecting and seeing both IPSec phases 1 and 2 completed, and seeing the VPN lock icon in the tablet’s notification area, I launched the VPN status and saw that bytes sent & received were stuck at zero for both. But VPN was working. I browsed to our Intranet site and connected to a couple of network devices with ConnectBot from the Android Market. I also downloaded IfConfig and NetStat to see my DHCP-assigned IP address from the VPN concentrator and that a tun0 interface got created — which always showed 0 bytes sent and rec’vd — and that my local routing table was correct. Now I’m ready to change VLANs on my Cisco 6509s’ interfaces at a moment’s notice.

20120121.1
