Hi everyone,
With the amount of Android devices out there, we are looking to accommodate the L2TP over IPSec VPN capabilities of these users. TLDR: Android asks for Plain Chap authentication and Astaro at the moment says "nope'.
Rather than develop support in ASG for plain chap, another solution which brings the feature available much sooner is to have ASG just respond with "no, but give me ChapV2" which most Android devices can actually do just fine. Also we don't want to have anyone need to root their phone or do complex operations. However rather than just say you MUST have android 2.3 and on a "new" phone, we'd like to know the results others have on various hardware and android-version combinations.
The solution is quite easy to "test".
On ASG
1) enable and configure L2TP in Webadmin the way you want it
2) login to ASG as root and go to /var/chroot-ipsec/etc/ppp
3) edit (joe or pico) "options" (if you havent enabled l2tp in webadmin yet this file wont exist, just a defaults file, see step 1).
4) at the bottom of the file, add the line "require-mschap-v2" (no quotes, no caps).
5) save the file
6) *OPTIONAL* restart IPSec service (warning will disconnect site-site tunnels and connected roadwarriors!) /var/mdw/scripts/ipsec-starter restart) optional because PPP options get applied during L2TP client reconnect, but if you notice weird log entry spam or oddities it might help.
On your Android Phone:
1) make an L2TP over IPSec with PSK connection to your ASG. (eg. Settings-->Wireless and network-->VPN Settings--"Add VPN")
*note that enable L2TP secret should be left blank!
Now connect. You should get a tunnel. Let us know how you did, and if this affects anything else like other L2TP tunnels which were working fine, or any abnormalities. If a tunnel wont connect, please give us a snippet of the ipsec.log (preferably with debug options from the advanced tab in ASG enabled).
**Remember** if you cause ASG to rewrite the options file (by say making a change to L2TP in WebAdmin) you need to re-add that line to the options file again. Please double check that your addition is still there to the options file before claiming it doesn't work. A few testers have made this mistake already. You can also add the line to options-default. This way it stays if mdw rewrites the options file, but then is more permanent, which you might not want to "test" with.
Anything we can do to help? Let us know! We will look to add this for 8.200 if it looks promising without any big downfalls perhaps.
Guest User!
You are not Sophos Staff.
