Blackberry Playbook to Cisco ASA VPN
How to connect a PlayBook to a Cisco ASA security appliance with IPSec
The PlayBook comes out of the box with a very capable VPN client. There are quite a few posts and blogs on how to set up the PlayBook side of things, but very little about the other end, the Cisco ASA. IPSec is a fickle beast and depends on both ends of the connection being set up properly.
Usual Disclaimer: If you misconfigure your firewall and somebody breaks in and steals / destroys your data, following this guide does not in any way make me liable for your loss.
I've seen plenty of posts blaming the PlayBook when the real problem lies with the configuration on the Cisco device. This configuration works for me and is intended to show the required settings on both ends of the connection. Whether you can adjust the ASA side depends on corporate security policy and on whether you are the admin responsible for it.
Let's get started. You will need a few things:
1. A Blackberry Playbook ;)
2. A Cisco ASA 5505 or better security appliance
3. Administrative access to said appliance, or a co-operative admin who does, and a good understanding of the cisco IPSec implementation.
4. A BACK UP OF YOUR ASA CONFIGURATION
5. A Second back up of the ASA configuration.
This document was originally colour coded. In this text version, ASA configuration directives appear on their own lines, values you supply appear in angle brackets, and the parameters that MUST match between the ASA and the PlayBook (the tunnel-group name and the pre-shared key) use the same name or placeholder on both sides.
ASA Configuration
The ASA has to accept IKE (udp/500, "isakmp") and ESP traffic to its outside interface (two lines, mind the wrapping):
access-list outside-rules extended permit udp any host <IP_of_the_asa> eq isakmp
access-list outside-rules extended permit esp any host <IP_of_the_asa>
You need a pool of IP addresses to assign to your VPN clients: (single line)
ip local pool vpn_client_pool <start_IP_Address>-<end_IP_Address> mask <subnet_mask>
The ASA needs to let the decrypted VPN traffic through to the inside networks. There are two ways to do this. The first bypasses the interface access lists for all VPN traffic:
sysopt connection permit-vpn
(this was spelled permit-ipsec on old PIX releases). The second is an access list entry on the outside interface allowing only the traffic you want from the VPN subnet to the inside networks, which is the more restrictive and therefore preferable choice:
access-list outside-rules extended permit ip <vpn_client_net> <netmask> <inside_nets> <netmask>
We use a RADIUS server for VPN authentication of clients; there are other authentication mechanisms, so you may or may not need this. The key must match the shared secret configured on the RADIUS server for the ASA:
aaa-server vpn_clients protocol radius
aaa-server vpn_clients (inside) host <IP_of_the_radius_server>
key *****
authentication-port 1812
accounting-port 1813
Instead of a RADIUS server group, you can use the appliance's built-in LOCAL user database: point the tunnel group at it (authentication-server-group LOCAL in place of the vpn_clients group below) and supply usernames and passwords on the command line of the appliance:
username playbookuser password <Secret_Password> privilege 0
This option is not directly related, but on a VPN gateway each encrypted packet can exceed 1500 bytes and then has to be fragmented to be sent out. I noticed my PlayBook was having MTU trouble, so I clamp the TCP maximum segment size to keep tunnelled TCP packets under 1500 bytes:
sysopt connection tcpmss 1270
Note that this only rewrites the MSS option in TCP handshakes (the ASA default is 1380); UDP traffic such as VoIP is unaffected and still depends on fragmentation or the df-bit setting below.
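To see what the MSS clamp actually buys, here is an added example (my code for this guide, not from the original page) that computes the on-the-wire size of a full TCP segment after ESP tunnel-mode encapsulation with the transform set configured further down (esp-3des esp-md5-hmac) and UDP encapsulation. The header and trailer sizes are the standard ESP values; the MTU and MSS figures are illustrative assumptions.

```python
"""Estimate the on-the-wire size of a TCP segment after ESP tunnel-mode
encapsulation, to sanity-check a TCP MSS clamp (sysopt connection tcpmss)
against a 1500-byte path MTU.

Added example for this guide, not part of the original page. Header and
trailer sizes are the standard ESP values (RFC 4303, RFC 2451, RFC 2403);
the MTU and MSS figures are illustrative assumptions.
"""

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
UDP_HDR = 8          # NAT-T (udp/4500) and Cisco IPsec-over-UDP (udp/10000) both add this
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# CBC block size (bytes) and IV length per ESP cipher
CIPHER = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
# truncated HMAC ICV length per ESP authenticator (HMAC-MD5-96 / HMAC-SHA1-96)
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def esp_tunnel_size(mss, cipher="esp-3des", auth="esp-md5-hmac", udp_encap=True):
    """Outer IPv4 packet length for a full-size TCP segment of the given MSS."""
    block, iv = CIPHER[cipher]
    # Tunnel mode encrypts the whole inner packet, IP header included.
    inner = IP_HDR + TCP_HDR + mss
    # CBC padding brings (payload + trailer) up to a multiple of the block size.
    pad = (-(inner + ESP_TRAILER)) % block
    encrypted = inner + pad + ESP_TRAILER
    esp = ESP_HDR + iv + encrypted + ICV[auth]
    return IP_HDR + (UDP_HDR if udp_encap else 0) + esp


def fits(mss, mtu=1500, **kw):
    """True if the encapsulated packet needs no fragmentation on an mtu-byte link."""
    return esp_tunnel_size(mss, **kw) <= mtu


def max_mss(mtu=1500, **kw):
    """Largest MSS whose encapsulated packet still fits in mtu without fragmentation."""
    mss = mtu
    while mss > 0 and not fits(mss, mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1270, 1380, max_mss()):
        print(f"mss {mss}: {esp_tunnel_size(mss)} bytes on the wire, fits 1500: {fits(mss)}")
```

With this transform set and UDP encapsulation an MSS of 1270 gives 1368-byte packets and the ASA default of 1380 gives 1480-byte packets, so both fit a 1500-byte link. If a lower clamp nevertheless helps in practice, the effective path MTU somewhere between the client and the ASA is below 1500, and the clamp is compensating for that.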
Here comes the crypto stuff. The first line sets the ESP encryption and integrity algorithms (the transform set); the second sets how long an IPSec SA lives before the tunnel has to be renegotiated (8 hours here); the third sets the data lifetime (about 4 GB here). Pick what you want for those two. The fourth line makes the ASA clear the "Don't Fragment" bit on encrypted packets leaving the outside interface, so oversized packets can be fragmented even if the hosts set it. The last line defines a dynamic IPSec map and applies the transform set from the first line. Note that 3DES with HMAC-MD5 is weak by today's standards; prefer esp-aes esp-sha-hmac if your client will negotiate it.
crypto ipsec transform-set trans_set_1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4194303
crypto ipsec df-bit clear-df outside
crypto dynamic-map vpn_clients_map 10 set transform-set trans_set_1
This binds the dynamic map into a crypto map entry of the IKE-negotiated (ipsec-isakmp) kind and applies that crypto map to the outside (public Internet) interface. The high sequence number 65535 puts the dynamic entry after any static site-to-site entries in the same map:
crypto map client_vpn 65535 ipsec-isakmp dynamic vpn_clients_map
crypto map client_vpn interface outside
These are the actual IKE (phase 1) parameters. Note that the ASA can have more than one policy, for different types of VPN; policies are tried in order of sequence number, so 65535 is tried last:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
VERY IMPORTANT:
By default an ASA ships with the following directive:
no crypto isakmp nat-traversal
The PlayBook will not connect while this is present in your config. Get rid of it by typing:
crypto isakmp nat-traversal
Yes, backwards, not a typo. This line controls how the ASA handles clients behind NAT devices: NAT traversal wraps ESP in UDP port 4500, so if you rely on the outside access list entries above rather than on sysopt, also permit UDP port 4500 from any source to the ASA's outside address there. The Cisco VPN client for Windows does not care whether this is set, but the PlayBook does. Once the command is entered, you won't see it when you show the running config.
Now you need a group policy to hand settings to the VPN clients. My group below includes laptops and remote users, so I have split tunnelling set up (splittunnel must be a standard access list, defined elsewhere in the config, that names the inside networks to be tunnelled). The PlayBook ignores the split-tunnel part of the configuration, which is why it cannot reach the public Internet directly while connected to the VPN:
group-policy vpn_client_group internal
group-policy vpn_client_group attributes
wins-server value <primary_WINS_Server_IP> <secondary_WINS_server_IP>
dns-server value <primary_DNS_server_IP> <secondary_DNS_server_IP>
vpn-idle-timeout 20
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
And finally, you define the tunnel group. These commands bind the group policy, the address pool and the authentication server group to a group name and pre-shared key; the group name and key are what the PlayBook will enter as Group Username and Group Password:
tunnel-group vpn_client_tunnel_group type remote-access
tunnel-group vpn_client_tunnel_group general-attributes
address-pool vpn_client_pool
authentication-server-group vpn_clients
default-group-policy vpn_client_group
tunnel-group vpn_client_tunnel_group ipsec-attributes
pre-shared-key <secret_password>
isakmp keepalive threshold 40 retry 5
On to the PlayBook configuration:
Choose Settings --> Security --> VPN --> Add New
Profile Name <whatever_you_want>
Server Address <Outside_Internet_Address_Of_Your_ASA>
Gateway Type Cisco ASA
Authentication Type XAUTH-PSK
Group Username vpn_client_tunnel_group (must match the tunnel-group name on the ASA)
Group Password <secret_password> (must match that tunnel-group's pre-shared-key)
Username <username> (your vpn credentials, or the user pass entered into the asa)
Password <Your_Password>
Check Automatically Determine IP and DNS
IKE Lifetime (seconds) 28800
IPSec Lifetime (seconds) 3600
(These need not equal the ASA's 86400 and 28800; the shorter of the two sides' values is the one negotiated.)
NAT Keepalive (seconds) 30
DPD Frequency (seconds) 240
Notes:
You can get outside HTTP and HTTPS access while connected to the VPN by setting up a proxy server on your corporate network. On the PlayBook, at the bottom of the VPN configuration screen described above, you will see Use HTTP Proxy. Tick it and enter the IP address and port of your proxy server, along with credentials. This lets the browser, App World and some apps (not IM+) reach the public Internet through the proxy server.
This works for me using the following OS versions:
ASA 5520 OS Ver 8.2(5) with the free Strong Encryption license from Cisco
PlayBook OS 1.0.8.6067
three comments
Thanks for this guide. Adding the acl entries for esp & isakmp as well as enabling nat traversal not only allowed my playbook to connect to the VPN after hours of frustration, but also solved a longstanding issue where I could get a VPN tunnel connected to my ASA from behind my pix 506e @ home, but couldn’t pass traffic to any of the networks behind the ASA. In the past I’d just connect via WWAN instead of WLAN if I needed to VPN. Now I can vpn from behind my pix on both my laptop and playbook :D
I’m guessing it’s a limitation in the PlayBook's VPN implementation, but if there were a way to utilize a split tunnel rather than having to set up a proxy this would be perfect.
I’ve only owned my playbook for 6 hours, but if I can find an RDP app that’ll connect via MDS and find a bar (or can find & convert an APK) for Citrix’s GoToManage product I’ll be in heaven.
I have a BlackBerry Bold 9000 and I would like to connect to my ASA so that I can use some VoIP product inside my network. Can this be done? I only see settings for a PIX. I am running OS 5 on the BB. The ASA is configured for AnyConnect VPN clients. I have AnyConnect on laptops, iPhones and Androids and they work fine. I just need to get the VPN on the BB. Please let me know if you can help.
MGR
First of all thank you for providing good documentation. I followed this config, however I still can’t connect my PlayBook to an ASA 5510 ver 8.2(2)… PlayBook error: Failed to establish VPN connection. (Timeout).