Set up VPN on a Cisco ASA device

To set up a Cisco ASA device with a ChromeOS-compatible VPN, use the Cisco Adaptive Security Device Manager (ASDM) tool.

Note: These instructions assume that you're using ASDM version 6.4.

1. Set up VPN on the device

Step 1: Set up your VPN settings
  1. Open ASDM.
  2. Go to Wizards > VPN Wizards > IPsec (IKEv1) Remote Access VPN Wizard.
  3. Bypass the interface access lists:
    1. Mark the VPN Tunnel Interface as outside.
    2. Check the box for Enable inbound IPsec sessions.
  4. Click Next.
  5. Choose Microsoft Windows client using L2TP over IPsec and check the box for MS-CHAP-V2.
  6. Click Next.
  7. Authenticate the machine:
    1. To use a certificate, import the certificates now.
    2. To use a pre-shared key (passphrase), select Pre-Shared Key-PSK and set the PSK.
  8. Click Next.
  9. Choose how to authenticate users. (You can assume you're using a local user database, which is the default.)
  10. Click Next.
  11. Enter at least one username and password, then click Add.
  12. Click Next.
  13. Enter a pool of addresses to use for VPN. If you haven't created a pool for VPN IPs:
    1. Click New and choose a descriptive pool name like "VPNPool."
    2. Enter a range and netmask. For example: 192.168.105.1..192.168.105.31, netmask 255.255.255.0.
    3. Click OK.
    4. Make sure the VPNPool you just created is selected.
  14. Click Next.
  15. Enter the IP addresses of DNS servers and default domain name. (WINS servers aren't needed by ChromeOS.)
  16. Choose the encryption used for IKE v1. If you're not sure what to choose, leave the defaults selected: 3DES for encryption, SHA for authentication, and 2 for the Diffie-Hellman group.
  17. Click Next.
  18. Choose how traffic should be routed:
    1. Leave "Exempt Networks" empty.
    2. Set "Interface" as inside.
    3. Uncheck the box for split tunneling.
    4. Uncheck the box for Perfect Forwarding Secrecy (PFS).
  19. Click Next, then click Finish.
  20. You'll see the various CLI commands. Click Send.
Step 2: Edit crypto map
  1. At the top of the ASDM interface, click Configuration > Site-to-Site VPN > Advanced > Crypto Maps.
  2. Double-click the default 65535 crypto map to edit it.
  3. Next to IKE v1 IPsec Proposal, click Select.
  4. Select the TRANS_ESP_3DES-SHA line and click Assign.
  5. Click OK, then click OK again.
  6. In the area below the list of crypto maps, click Apply.
  7. In the box of CLI commands, click Send.
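
To confirm from the CLI side that Step 2 took effect, the following added example (not part of the original article and not Cisco or Google tooling) parses a saved running-config excerpt and checks that crypto map entry 65535 references a transport-mode IKEv1 proposal, that PFS is not set on it, and that IKEv1 is enabled on the outside interface. The configuration syntax is assumed to be ASA 8.4-style, and the sample text, the map names in it, and the function name audit_l2tp_config are constructed for illustration.

```python
import re

# Constructed sample of a running-config excerpt (ASA 8.4-style syntax, assumed).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES-SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

def audit_l2tp_config(config, seq="65535"):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Proposals explicitly switched to transport mode, which L2TP over IPsec uses.
    transport = {m.group(1) for ln in lines
                 if (m := re.match(r"crypto ipsec ikev1 transform-set (\S+) mode transport$", ln))}
    findings, assigned = [], []
    for ln in lines:
        # "set ..." lines attached to the given crypto map sequence number.
        m = re.match(rf"crypto (?:dynamic-)?map \S+ {seq} set (.+)$", ln)
        if not m:
            continue
        setting = m.group(1).split()
        if setting[:2] == ["ikev1", "transform-set"]:
            assigned += setting[2:]
        elif setting[0] == "pfs":
            findings.append(f"PFS is set on entry {seq}; the wizard step leaves it unchecked")
    if not assigned:
        findings.append(f"no IKEv1 proposal assigned to crypto map entry {seq}")
    elif not transport.intersection(assigned):
        findings.append(f"entry {seq} has no transport-mode proposal: {assigned}")
    if "crypto ikev1 enable outside" not in lines:
        findings.append("IKEv1 is not enabled on the outside interface")
    return findings

if __name__ == "__main__":
    for finding in audit_l2tp_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```
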

2. Test the configuration

Test the connection with ChromeOS
  1. Sign in to your Chromebook using the account that should have VPN access.
  2. At the bottom right, select the time.
  3. Click Settings.
  4. In the "Network" section, select Add connection.
  5. Next to "OpenVPN / L2TP," click Add.
  6. Enter the server hostname, then enter the service name (using any name that you want to see in the list of VPNs).
  7. In the "Provider type" field, choose L2TP/IPsec + Pre-shared key or L2TP/IPsec + User certificate, depending on whether you used a pre-shared key (passphrase) or certificate earlier.
    • If you used a pre-shared key, enter it in the "Pre-shared key" field.
    • If you used a certificate, choose a certificate from the "Server CA certificate" drop-down.
  8. Enter your username and password.
  9. Click Connect.
  10. When the lock on the left side of the network icon stops flashing, open a new tab in Chrome.
  11. Try to open a web page served by a server behind the firewall. You can also open a terminal window and use ping/SSH.
Test the connection with OS X
  1. Sign in to your OS X computer.
  2. On your desktop, click the wireless network icon.
  3. At the bottom of the drop-down, select Open Network Preferences.
  4. On the bottom left of the box that appears, click the + sign.
  5. In the box that appears:
    1. In the "Interface" drop-down, select VPN.
    2. In the "VPN Type" drop-down, select L2TP over IPsec.
    3. Click Create.
  6. Select your newly created VPN from the list.
  7. Configure your VPN:
    1. In the "Server Address" field, enter the VPN server's external address.
    2. Enter your account name (username) that was created when you set up your VPN.
  8. Click Authentication Settings.
    1. Enter the password that was created when you created your username.
    2. Set the Shared Secret as the pre-shared key (passphrase) or certificate you used earlier.
    3. Leave the "Group Name" field empty.
    4. Click OK.
  9. Click Apply, then click Connect.
  10. If the status shows as "Connected," open a new Chrome tab and try to open a webpage served by a server behind the firewall. You can also open a terminal window and use ping/SSH.

3. Save the configuration

If the configuration works, click Save to store it to your device's flash storage.
