Blackberry Playbook to Cisco ASA VPN

How to connect a PlayBook to a Cisco ASA security appliance with IPSec

The PlayBook comes out of the box with a very capable VPN client. There are quite a few posts and blogs out there on how to set up the PlayBook side of things, but very little about the other end, the Cisco ASA. IPSec is a very fickle beast and depends on both ends of the connection being set up properly.

Usual Disclaimer: If you misconfigure your firewall and somebody breaks in and steals / destroys your data, following this guide does not in any way make me liable for your loss.

I've seen plenty of posts blaming the PlayBook when the real problem lies with the configuration on the Cisco device. This configuration works for me and is intended to show the required settings on both ends of the connection. You may or may not be able to adjust the ASA side, depending on corporate security policy, whether you are the responsible admin, etc.

Let's get started. You will need a few things:

1. A Blackberry Playbook ;)

2. A Cisco ASA 5505 or better security appliance

3. Administrative access to said appliance, or a co-operative admin who has it, and a good understanding of the Cisco IPSec implementation.

4. A BACK UP OF YOUR ASA CONFIGURATION

5. A Second back up of the ASA configuration.

This document has some color coding:

blue - ASA configuration directives

orange - information you supply

Bold orange - parameters that MUST match between the ASA and the PlayBook

ASA Configuration

The ASA has to allow IPSec traffic to its outside interface (two lines, mind the wrapping):

access-list outside-rules extended permit udp any host <IP_of_the_asa> eq isakmp
access-list outside-rules extended permit esp any host <IP_of_the_asa>

You need a pool of IP addresses to assign to your VPN clients (single line):

ip local pool vpn_client_pool <start_IP_Address>-<end_IP_Address> mask <subnet_mask>

The ASA needs to allow the decrypted VPN traffic to pass through. There are two ways to do this. Either the sysopt directive, which exempts VPN traffic from the interface access lists (older releases spelled this "permit-ipsec"):

sysopt connection permit-vpn

or an access list entry on the outside interface allowing the traffic from the VPN client subnet to the inside networks:

access-list outside-rules extended permit ip <vpn_client_net> <netmask> <inside_nets> <netmask>

We use a RADIUS server for VPN authentication of clients. There are other authentication mechanisms, so you may or may not need this:

aaa-server vpn_clients protocol radius
aaa-server vpn_clients (inside) host <IP_of_the_radius_server>
 key *****
 authentication-port 1812
 accounting-port 1813

Instead of "protocol radius", you can use "protocol local" and supply usernames and passwords on the command line of the appliance:

 username playbookuser password <Secret_Password> privilege 0

This option is not strictly related, but I find that on a VPN router each encrypted packet can get too big (greater than 1500 bytes) and has to be fragmented before it is sent out. I noticed my PlayBook was having MTU trouble, so I set the TCP maximum segment size to keep the encrypted packets under 1500 bytes:

sysopt connection tcpmss 1270
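To see why 1270 is a safe value, here is a small added calculation (my own example, not from the original post) of the on-the-wire size of a full TCP segment once it is wrapped in ESP tunnel mode with 3DES-CBC, HMAC-MD5-96 and the NAT-T UDP header, the combination this guide configures. Header sizes are the standard ones from the ESP and NAT-T RFCs; the function and constant names are my own.

```python
"""Estimate the wire size of a TCP segment after ESP tunnel-mode encapsulation.

Added example, not from the post. Overheads are the standard ones for ESP
(RFC 4303) with an 8-byte-block cipher (3DES-CBC), a 12-byte ICV (HMAC-MD5-96)
and the UDP header that NAT-T (RFC 3948) adds in front of ESP.
"""

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # NAT-T encapsulation header (udp/4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def esp_packet_size(mss, block=8, iv=8, icv=12, nat_t=True):
    """Bytes on the wire for one full-size TCP segment of `mss` payload bytes."""
    inner = IP_HDR + TCP_HDR + mss          # packet as the host sent it
    body = inner + ESP_TRAILER              # the part that must be block-aligned
    padded = -(-body // block) * block      # round up to the cipher block size
    esp = ESP_HDR + iv + padded + icv
    return IP_HDR + (UDP_HDR if nat_t else 0) + esp


def fits_mtu(mss, mtu=1500, **kw):
    """True if the encapsulated segment needs no fragmentation at `mtu`."""
    return esp_packet_size(mss, **kw) <= mtu


def max_mss(mtu=1500, **kw):
    """Largest MSS whose ESP-encapsulated segment still fits `mtu`."""
    mss = mtu
    while mss > 0 and not fits_mtu(mss, mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1270):   # Ethernet default MSS vs. the value in this guide
        print(f"MSS {mss}: {esp_packet_size(mss)} bytes on the wire, fits={fits_mtu(mss)}")
    print(f"largest MSS that fits a 1500-byte MTU: {max_mss()}")
```

With the default 1460-byte MSS the encrypted packet comes out at 1560 bytes and must be fragmented; with 1270 it is 1368 bytes. The calculation also shows that anything up to 1398 would fit with this transform set, so 1270 leaves headroom for PPPoE or other encapsulation on the path.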

Here comes the crypto stuff. The first line sets the encryption and integrity algorithms. The next two set how long an IPSec tunnel lives before it has to be renegotiated: in time (8 hours here) and in data volume (4 GB here); pick what you want for these two. The fourth line forces the ASA to fragment packets that are too large, even if the host set the "Do not fragment" bit. The last line defines a dynamic IPSec map and applies the transform set from line 1 to it.

crypto ipsec transform-set trans_set_1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4194303
crypto ipsec df-bit clear-df outside
crypto dynamic-map vpn_clients_map 10 set transform-set trans_set_1

This crypto map binds the dynamic map to IKE (Internet Key Exchange), which carries out the negotiation described above, and applies the map to the outside (public Internet) interface of the device:

crypto map client_vpn 65535 ipsec-isakmp dynamic vpn_clients_map
crypto map client_vpn interface outside

These are the actual IKE parameters. Note that the ASA can have more than one of these policies, for different types of VPN:

crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

VERY IMPORTANT:

By default an ASA ships with the following directive:

no crypto isakmp nat-traversal

The PlayBook will not connect if this is present in your config. Get rid of it by typing:

crypto isakmp nat-traversal

Yes, backwards, not a typo. This line controls how the ASA handles clients behind NAT devices. The Cisco VPN client for Windows does not care whether this is here or not, but the PlayBook does. Once the command is entered you won't see it when you show the running config, because enabling NAT traversal is the non-default state.

Now you need a group policy to hand settings to the VPN clients. My group below also covers laptops and remote users, so I have split tunnelling set up. The PlayBook ignores the split-tunnel part of the configuration, which is why it cannot reach the public Internet directly while connected to the VPN.

group-policy vpn_client_group internal
group-policy vpn_client_group attributes
 wins-server value <primary_WINS_Server_IP> <secondary_WINS_server_IP>
 dns-server value <primary_DNS_server_IP> <secondary_DNS_server_IP>
 vpn-idle-timeout 20
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel

And finally you need to define the group name and pre-shared key. These commands bind the group policy to a tunnel group name and a pre-shared key:

tunnel-group vpn_client_tunnel_group type remote-access
tunnel-group vpn_client_tunnel_group general-attributes
 address-pool vpn_client_pool
 authentication-server-group vpn_clients
 default-group-policy vpn_client_group
tunnel-group vpn_client_tunnel_group ipsec-attributes
 pre-shared-key <secret_password>
 isakmp keepalive threshold 40 retry 5

On to the PlayBook Configuration:

Choose Settings --> Security --> VPN --> Add New

Profile Name            <whatever_you_want>

Server Address         <Outside_Internet_Address_Of_Your_ASA>

Gateway Type          Cisco ASA

Authentication Type  XAUTH-PSK

Group Username       vpn_client_tunnel_group

Group Password        <secret_password>

Username                 <username> (your VPN credentials, or the username/password entered into the ASA)

Password                  <Your_Password>

Check Automatically Determine IP and DNS

IKE Lifetime (seconds)    28800

IPSec Lifetime (seconds) 3600

NAT Keepalive (seconds)  30

DPD Frequency (seconds) 240
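Several of the values above have to line up between the two ends: the tunnel-group name is the PlayBook's Group Username, the tunnel-group pre-shared key is its Group Password, the ACL entries and NAT traversal have to be present, and the lifetimes the PlayBook proposes must not be longer than the ASA's. The Python script below is an added example, not from the original post and not Cisco's tooling; it runs that checklist over a constructed running-config excerpt modelled on the commands in this guide and over a dictionary that stands in for the PlayBook profile screen (the dictionary keys are invented for the example, and the addresses are documentation-range placeholders). The sample config deliberately still contains the default "no crypto isakmp nat-traversal" line so the check has something to find, and the script also flags the 3DES/MD5 transform set as legacy, which is a caveat worth having from today's viewpoint.

```python
import re

# Constructed running-config excerpt modelled on the post's commands.
# Addresses are documentation-range placeholders; the default
# 'no crypto isakmp nat-traversal' line is left in on purpose.
SAMPLE_CONFIG = """\
access-list outside-rules extended permit udp any host 203.0.113.10 eq isakmp
access-list outside-rules extended permit esp any host 203.0.113.10
ip local pool vpn_client_pool 10.10.20.1-10.10.20.50 mask 255.255.255.0
crypto ipsec transform-set trans_set_1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto dynamic-map vpn_clients_map 10 set transform-set trans_set_1
crypto map client_vpn 65535 ipsec-isakmp dynamic vpn_clients_map
crypto map client_vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group vpn_client_tunnel_group type remote-access
tunnel-group vpn_client_tunnel_group general-attributes
 address-pool vpn_client_pool
 default-group-policy vpn_client_group
"""

# Constructed stand-in for the PlayBook profile screen (keys are invented).
PLAYBOOK_PROFILE = {
    "server": "203.0.113.10",
    "group_username": "vpn_client_tunnel_group",
    "ike_lifetime": 28800,
    "ipsec_lifetime": 3600,
}

LEGACY_ALGOS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def _first(pattern, text):
    """First capture group of the first multiline match, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def audit(config, profile):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    server = re.escape(profile["server"])

    # NAT-T must be on: the PlayBook will not connect while the default
    # 'no crypto isakmp nat-traversal' line is still in the config.
    if re.search(r"^no crypto isakmp nat-traversal$", config, re.M):
        findings.append("ERROR: NAT traversal disabled; enter 'crypto isakmp nat-traversal'")

    # ISAKMP (udp/500) and ESP must be permitted to the outside address.
    if not re.search(rf"^access-list \S+ extended permit udp any host {server} eq isakmp$", config, re.M):
        findings.append("ERROR: no ACL entry permitting isakmp to the outside address")
    if not re.search(rf"^access-list \S+ extended permit esp any host {server}$", config, re.M):
        findings.append("ERROR: no ACL entry permitting esp to the outside address")
    if not re.search(r"^crypto isakmp enable outside$", config, re.M):
        findings.append("ERROR: 'crypto isakmp enable outside' missing")

    # Follow crypto map -> dynamic map -> transform-set from the outside interface.
    cmap = _first(r"^crypto map (\S+) interface outside$", config)
    dyn = cmap and _first(rf"^crypto map {re.escape(cmap)} \d+ ipsec-isakmp dynamic (\S+)$", config)
    ts = dyn and _first(rf"^crypto dynamic-map {re.escape(dyn)} \d+ set transform-set (\S+)$", config)
    algos = ts and _first(rf"^crypto ipsec transform-set {re.escape(ts)} (.+)$", config)
    if not algos:
        findings.append("ERROR: crypto map / dynamic map / transform-set chain on outside is incomplete")
    else:
        weak = sorted(set(algos.split()) & LEGACY_ALGOS)
        if weak:
            findings.append(f"WARN: transform-set {ts} uses legacy algorithms: {' '.join(weak)}")

    # The PlayBook 'Group Username' must be a remote-access tunnel-group with a real pool.
    tg = re.escape(profile["group_username"])
    if not re.search(rf"^tunnel-group {tg} type remote-access$", config, re.M):
        findings.append(f"ERROR: tunnel-group {profile['group_username']} is not a remote-access group")
    pool = _first(r"^ address-pool (\S+)$", config)
    if not pool or not re.search(rf"^ip local pool {re.escape(pool)} ", config, re.M):
        findings.append("ERROR: address-pool does not reference a defined 'ip local pool'")

    # Lifetimes: a client proposal shorter than or equal to the ASA's is accepted
    # (the shorter value is used); a longer one will not match the policy.
    ike_life = _first(r"^ lifetime (\d+)$", config)
    sa_life = _first(r"^crypto ipsec security-association lifetime seconds (\d+)$", config)
    if not ike_life or profile["ike_lifetime"] > int(ike_life):
        findings.append("ERROR: PlayBook IKE lifetime exceeds the ASA isakmp policy lifetime")
    if not sa_life or profile["ipsec_lifetime"] > int(sa_life):
        findings.append("ERROR: PlayBook IPSec lifetime exceeds the ASA SA lifetime")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, PLAYBOOK_PROFILE) or ["OK: checklist passed"]:
        print(line)
```

To use it on a real box, paste the output of "show running-config" in place of SAMPLE_CONFIG and fill the profile dictionary from the PlayBook screen. The script reads only the running config; it does not verify the pre-shared key or the RADIUS setup, since neither is visible in cleartext there.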

Notes:

You can get outside HTTP and HTTPS access while connected to the VPN by setting up a proxy server on your corporate network. On the PlayBook, at the bottom of the VPN configuration screen from above, you will see Use HTTP Proxy. Tick it, and enter the IP address and port for your proxy server along with credentials. This allows the browser, App World and some apps (not IM+) to go out through the proxy server to the public Internet.

This works for me using the following OS versions:

ASA 5520 OS Ver 8.2(5) with the free Strong Encryption license from Cisco

PlayBook OS 1.0.8.6067

Rob Thursday 26 January 2012 - 1:56 pm | | Default

three comments

Sal

First of all thank you for providing a good documentation, I followed this config however I still can’t connect my playbook to asa 5510 ver 8.2(2)… playbook error Failed to established vpn connection. (Timeout).

Sal, - 02-04-’12 13:56
Chris

Thanks for this guide. Adding the acl entries for esp & isakmp as well as enabling nat traversal not only allowed my playbook to connect to the VPN after hours of frustration, but also solved a longstanding issue where I could get a VPN tunnel connected to my ASA from behind my pix 506e @ home, but couldn’t pass traffic to any of the networks behind the ASA. In the past I’d just connect via WWAN instead of WLAN if I needed to VPN. Now I can vpn from behind my pix on both my laptop and playbook :D

I’m guessing it’s a limitation in the playbook’s vpn implementation, but if there were a way to utilize a split tunnel rather than having to setup a proxy this would be perfect.

I’ve only owned my playbook for 6 hours, but if I can find an RDP app that’ll connect via MDS and find a bar (or can find & convert an APK) for Citrix’s GoToManage product I’ll be in heaven.

Chris, - 12-06-’12 18:14
MGR

I have a blackberry bold 9000 and I would like to connect to my ASA so that I can use some voip product inside my network. Can this be done? I only see settings for a pix. I am running OS 5 on the BB. The ASA is configured for anyconnect vpn clients. I have the anyconnect on laptops, iphones and androids and they work fine. I just need to get the vpn on the BB. Please let me know if you can help.

MGR

MGR, - 26-06-’12 21:30