To set up a Cisco ASA device with a ChromeOS-compatible VPN, use the Cisco Adaptive Security Device Manager (ASDM) tool.
Note: These instructions assume that you're using ASDM version 6.4.
1. Set up VPN on the device
Step 1: Set up your VPN settings
- Open ASDM.
- Go to Wizards > VPN Wizards > IPsec (IKEv1) Remote Access VPN Wizard.
- Bypass the interface access lists:
  - Mark the VPN Tunnel Interface as outside.
  - Check the box for Enable inbound IPsec sessions.
- Click Next.
- Choose Microsoft Windows client using L2TP over IPsec and check the box for MS-CHAP-V2.
- Click Next.
- Authenticate the machine:
  - To use a certificate, import the certificates now.
  - To use a pre-shared key (passphrase), select Pre-Shared Key-PSK and set the PSK.
- Click Next.
- Choose how to authenticate users. (You can assume you're using a local user database, which is the default.)
- Click Next.
- Enter at least one username and password, then click Add.
- Click Next.
- Enter a pool of addresses to use for VPN. If you haven't created a pool for VPN IPs:
  - Click New and choose a descriptive pool name like "VPNPool."
  - Enter a range and netmask. For example: 192.168.105.1..192.168.105.31, netmask 255.255.255.0.
  - Click OK.
- Make sure the VPNPool you just created is selected.
- Click Next.
- Enter the IP addresses of DNS servers and default domain name. (WINS servers aren't needed by ChromeOS.)
- Choose the encryption used for IKE v1. If you're not sure what to choose, leave the defaults selected: 3DES for encryption, SHA for authentication, and 2 for the Diffie-Hellman group.
- Click Next.
- Choose how traffic should be routed:
  - Leave "Exempt Networks" empty.
  - Set "Interface" as inside.
  - Uncheck the box for split tunneling.
  - Uncheck the box for Perfect Forwarding Secrecy (PFS).
- Click Next, then click Finish.
- You'll see the various CLI commands. Click Send.
Step 2: Edit crypto map
- At the top of the ASDM interface, click Configuration > Site-to-Site VPN > Advanced > Crypto Maps.
- Double-click the default 65535 crypto map to edit it.
- Next to IKE v1 IPsec Proposal, click Select.
- Select the TRANS_ESP_3DES-SHA line and click Assign.
- Click OK, then click OK again.
- In the area below the list of crypto maps, click Apply.
- In the box of CLI commands, click Send.
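To confirm that Steps 1 and 2 took effect, the following added example (not part of the original instructions) checks a saved running configuration for the settings chosen above. It assumes ASA 8.4-style CLI syntax; the sample configuration is constructed, and the names outside_map and DefaultRAGroup are assumptions.

```python
import re

# Constructed excerpt in the style of ASA 8.4 "show running-config" output.
# outside_map and DefaultRAGroup are assumed names, not taken from the page.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set TRANS_ESP_3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES-SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

def audit(config: str) -> dict:
    """Return a pass/fail map for the settings selected in Steps 1 and 2."""
    transport_sets, map_sets = set(), set()
    pfs = ikev1_outside = mschapv2 = False
    parent = ""  # most recent unindented line (the enclosing stanza)
    for line in config.splitlines():
        text = line.strip()
        if not text:
            continue
        if not line.startswith(" "):
            parent = text
        m = re.fullmatch(r"crypto ipsec ikev1 transform-set (\S+) mode transport", text)
        if m:  # L2TP/IPsec clients need a transport-mode transform set
            transport_sets.add(m.group(1))
        m = re.fullmatch(r"crypto dynamic-map \S+ 65535 set ikev1 transform-set (.+)", text)
        if m:  # transform sets assigned to the default 65535 entry (Step 2)
            map_sets.update(m.group(1).split())
        if re.fullmatch(r"crypto dynamic-map \S+ 65535 set pfs.*", text):
            pfs = True  # the wizard step above unchecks PFS
        if text == "crypto ikev1 enable outside":
            ikev1_outside = True
        if (line.startswith(" ") and text == "authentication ms-chap-v2"
                and re.fullmatch(r"tunnel-group \S+ ppp-attributes", parent)):
            mschapv2 = True
    return {
        "ikev1_enabled_on_outside": ikev1_outside,
        "map_65535_uses_transport_set": bool(map_sets & transport_sets),
        "pfs_disabled_on_65535": not pfs,
        "ms_chap_v2_enabled": mschapv2,
    }

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

To check a real device, pass the text of its running configuration to audit() in place of SAMPLE_CONFIG.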
2. Test the configuration
Test the connection with ChromeOS
- Sign in to your Chromebook using the account that should have VPN access.
- At the bottom right, select the time.
- Click Settings.
- In the "Network" section, select Add connection.
- Next to "OpenVPN / L2TP," click Add.
- Enter the server hostname, then enter the service name (using any name that you want to see in the list of VPNs).
- In the "Provider type" field, choose L2TP/IPsec + Pre-shared key or L2TP/IPsec + User certificate, depending on whether you used a pre-shared key (passphrase) or certificate earlier.
- If you used a pre-shared key, enter it in the "Pre-shared key" field.
- If you used a certificate, choose a certificate from the "Server CA certificate" drop-down.
- Enter your username and password.
- Click Connect.
- When the lock on the left side of the network icon stops flashing, open a new tab in Chrome.
- Try to open a web page served by a server behind the firewall. You can also open a terminal window and use ping/SSH.
Test the connection with OS X
- Sign in to your OS X computer.
- On your desktop, click the wireless network icon.
- At the bottom of the drop-down, select Open Network Preferences.
- On the bottom left of the box that appears, click the + sign.
- In the box that appears:
  - In the "Interface" drop-down, select VPN.
  - In the "VPN Type" drop-down, select L2TP over IPsec.
  - Click Create.
- Select your newly created VPN from the list.
- Configure your VPN:
  - In the "Server Address" field, enter the VPN server's external address.
  - Enter your account name (username) that was created when you set up your VPN.
  - Click Authentication Settings.
  - Enter the password that was created when you created your username.
  - Set the Shared Secret as the pre-shared key (passphrase) or certificate you used earlier.
  - Leave the "Group Name" field empty.
  - Click OK.
- Click Apply, then click Connect.
- If the status shows as "Connected," open a new Chrome tab and try to open a webpage served by a server behind the firewall. You can also open a terminal window and use ping/SSH.
3. Save the configuration
If the configuration works, click Save to store it to your device's flash storage.