!! As of writing this, some (or all) versions of Android do not support AES-256, so AES-128 is used here
crypto ikev1 policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!! Configure NAT-T for Android phones
crypto isakmp nat-traversal
!! Configure the phase 2 transform set for Android
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport
!! Assign the transform-set to the first dynamic-map if possible
!! Note: aes-256-sha is a previously configured transform-set that I use with my iPhone
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport
!! Configure l2tp group-policy
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
!! Configure tunnel-group to use the required PSK and pool
tunnel-group DefaultRAGroup general-attributes
address-pool <ip-pool>
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key <pre-shared-key>
!! Configure the group-policy that the username is locked to so that it also accepts L2TP
group-policy <group-policy-related-to-lock> attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec <etc>
!! Configure the username with mschap encryption and lock it to the required group-policy
username <username> password <password> mschap
username <username> attributes
vpn-group-policy <group-policy-related-to-group>
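!! Added example (not part of the original configuration): a Python check that a pasted ASA configuration contains each prerequisite from the steps above.
!! The audit() helper, the sample config and its placeholder values (vpn-pool, EXAMPLE-PSK, alice) are assumptions for illustration; grouping sub-mode commands under their parent is a heuristic for unindented listings like this one.

```python
import re
# Constructed sample: the commands above with made-up placeholder values.
SAMPLE = """\
crypto isakmp nat-traversal
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key EXAMPLE-PSK
username alice password EXAMPLE-PW mschap
username alice attributes
vpn-group-policy DfltGrpPolicy
"""
MODE = re.compile(r"(group-policy|tunnel-group|username) (\S+) \S*attributes$")
GLOBAL = ("crypto ", "group-policy ", "tunnel-group ", "username ")

def audit(config):
    """Return the prerequisites from the steps above that the config lacks."""
    lines = [s for s in map(str.strip, config.splitlines()) if s and not s.startswith("!")]
    sub, parent = {}, None  # sub-mode commands keyed by (kind, name) of their parent
    for l in lines:
        m = MODE.match(l)
        parent = m.group(1, 2) if m else (None if l.startswith(GLOBAL) else parent)
        if not m and parent:
            sub.setdefault(parent, []).append(l)
    def has(parent, cmd):  # every word of cmd appears on one sub-command line
        return any(set(cmd.split()) <= set(c.split()) for c in sub.get(parent, []))
    transport = {l.split()[4] for l in lines
                 if re.match(r"crypto ipsec ikev1 transform-set \S+ mode transport$", l)}
    mapped = {t for l in lines if l.startswith("crypto dynamic-map ") and "transform-set " in l
              for t in l.split("transform-set ", 1)[1].split()}
    need = {
        "transport-mode transform-set on a dynamic-map": bool(transport & mapped),
        "nat-traversal": any(l.startswith("crypto isakmp nat-traversal") for l in lines),
        "DefaultRAGroup address-pool": has(("tunnel-group", "DefaultRAGroup"), "address-pool"),
        "DefaultRAGroup pre-shared-key": has(("tunnel-group", "DefaultRAGroup"), "ikev1 pre-shared-key"),
        "DfltGrpPolicy l2tp-ipsec": has(("group-policy", "DfltGrpPolicy"), "vpn-tunnel-protocol l2tp-ipsec"),
    }
    # "mschap" as typed; the running config displays such passwords as nt-encrypted
    for m in filter(None, (re.match(r"username (\S+) password \S+(.*)$", l) for l in lines)):
        need[f"user {m[1]} mschap"] = bool({"mschap", "nt-encrypted"} & set(m[2].split()))
    for (kind, name), cmds in sub.items():
        for gp in (c.split()[1] for c in cmds if kind == "username" and c.startswith("vpn-group-policy ")):
            need[f"{gp} l2tp-ipsec"] = has(("group-policy", gp), "vpn-tunnel-protocol l2tp-ipsec")
    return [k for k, ok in need.items() if not ok]
```

!! audit(SAMPLE) returns an empty list; each missing prerequisite is reported by name, including a user locked to a group-policy that does not allow l2tp-ipsec.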