flow-export destination <interface-facing-netflow-server> <netflow-server-IP> <netflow-server-port(9998)>
access-list netflow-acl permit ip any any

class-map netflow_class
  match access-list netflow-acl
policy-map global_policy
  class netflow_class
    flow-export event-type <flow-create|flow-denied|flow-teardown|all> destination <netflow-server-IP>

boot system flash:/<new-imagename>
no boot system flash:/<old-imagename>

!! At the time of writing, some (or all) versions of Android do not support AES-256, so AES-128 is used here
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

!! Configure Nat-T for Android phones
crypto isakmp nat-traversal

!! Configure the phase 2 transform set for Android
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport

!! Assign the transform-set to the first dynamic-map if possible
!! note: aes-256-sha is an existing transform-set I use with my iPhone
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport

!! Configure l2tp group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec

!! Configure tunnel-group to use the required PSK and pool
tunnel-group DefaultRAGroup general-attributes
 address-pool <ip-pool>
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

!! Configure the group-policy that the username is locked to so that it also accepts l2tp
group-policy <group-policy-related-to-lock> attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec <etc>

!! Configure the username with mschap encryption and lock it to the required group-policy
username <username> password <password> mschap
username <username> attributes
  vpn-group-policy <group-policy-related-to-group>
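
As an added check that is not part of this page's configuration: a small Python audit that parses the phase 1 policy and phase 2 transform-set lines above and flags the legacy choices (SHA-1 hash, DH group 2, HMAC-SHA1) so they stand out before the config is deployed. The sample config is constructed from the lines above, and the legacy baseline is an assumed policy, not an ASA or Cisco setting.

```python
import re
# Constructed sample: the phase 1 policy and phase 2 transform-set lines from this page
SAMPLE_CONFIG = """\
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport
"""

# Assumed baseline: values this check reports as legacy (tune to your own policy)
LEGACY_IKE = {
    "encryption": {"des", "3des"},
    "hash": {"md5", "sha"},        # bare "sha" means SHA-1 on ASA
    "group": {"1", "2", "5"},      # DH groups below 2048 bits
}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def parse_ikev1_policies(config):
    """Return {policy_number: {parameter: value}} from 'crypto ikev1 policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None   # left the indented policy block
    return policies

def parse_transform_sets(config):
    """Return {name: [esp transforms]}; 'mode' lines do not start with esp- and are skipped."""
    pattern = r"crypto ipsec ikev1 transform-set (\S+) (esp-\S+.*)"
    return {m.group(1): m.group(2).split() for m in re.finditer(pattern, config)}

def audit(config):
    """Return findings for legacy phase 1 (IKE) and phase 2 (ESP) settings."""
    findings = []
    for num, params in parse_ikev1_policies(config).items():
        for key, legacy in LEGACY_IKE.items():
            if params.get(key) in legacy:
                findings.append(f"ikev1 policy {num}: {key} {params[key]} is legacy")
    for name, transforms in parse_transform_sets(config).items():
        findings += [f"transform-set {name}: {t} is legacy" for t in transforms if t in LEGACY_ESP]
    return findings
```

Run `audit()` over the output of `show running-config crypto` to get the same report for a live box; an empty list means nothing in the assumed baseline was matched.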

  1. Reboot device
  2. At prompt, hit escape to break the boot sequence
  3. 'confreg' !! prompt will start with 'rommon #'
  4. Note your current configuration register (0x1 is the default)
  5. Choose 'Y' to change the configuration
  6. Accept all the defaults EXCEPT 'disable system configuration'. Set this to 'Y'
  7. 'boot'
  8. 'enable' after device has booted !! Just hit enter for the password
  9. 'copy startup-config running-config'
  10. Reset the passwords in 'conf t':

    password <password>
    enable password <password>
    username <username> password <password>

  11. 'config-register <register-value-noted-in-step-4>'
  12. 'copy running-config startup-config'

Notes:

  • Must be performed via the console port

!! On Primary Firewall
interface <int>        !! configure each interface with a standby ip
 ip address <ip> <netmask> standby <standby-ip>

interface <failover-int>
 description LAN Failover Interface
 no shutdown
exit
failover
failover lan unit primary
failover lan interface failover <failover-int>
failover interface ip failover <failover-int-ip> 255.255.255.0 standby <failover-int-standby-ip>

!! On Secondary Firewall
failover
failover lan unit secondary
failover lan interface failover <failover-int>
failover interface ip failover <failover-int-ip> 255.255.255.0 standby <failover-int-standby-ip>
