!! As of writing this, some (or all) versions of Android do not support AES 256 so AES 128 is in use here
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

!! Configure Nat-T for Android phones
crypto isakmp nat-traversal

!! Configure the phase 2 transform set for Android
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport

!! Assign the transform-set to the first dynamic-map if possible
!! note, aes-256-sha is a previously used transform-set I use with my iphone
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport

!! Configure l2tp group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec

!! Configure tunnel-group to use the required PSK and pool
tunnel-group DefaultRAGroup general-attributes
 address-pool <ip-pool>
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

!! Configure group-policy of group-policy username lock to also accept l2tp
group-policy <group-policy-related-to-lock> attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec <etc>

!! Configure username with mchap encryption and lock to the required group-policy
username <username> password <password> mschap
username <username> attributes
  vpn-group-policy <group-policy-related-to-group>