IPSEC/L2TP to IPCop VPN server? - Tilt, TyTN II, MDA Vario III General

Guys,
I'm trying to get my Kaiser to VPN into our Linux based IP Cop VPN server, using a certificate that has installed fine.
I enter all VPN details, the phone connects its 3G first, then attempts to connect the VPN - on our server side logs we can see the connection attempt, authentication happens and succeeds but then the phone reports a VPN username/password error and disconnects?
We suspect it could be to do with the CHAP/MSCHAP authentication but can't find anywhere on the phone itself to configure advanced VPN settings such as these - has anyone else succeeded with such a setup? or have an idea as to an installable WM6 VPN client that would make this easier?

ashleyhall said:
Guys,
I'm trying to get my Kaiser to VPN into our Linux based IP Cop VPN server, using a certificate that has installed fine.
I enter all VPN details, the phone connects its 3G first, then attempts to connect the VPN - on our server side logs we can see the connection attempt, authentication happens and succeeds but then the phone reports a VPN username/password error and disconnects?
We suspect it could be to do with the CHAP/MSCHAP authentication but can't find anywhere on the phone itself to configure advanced VPN settings such as these - has anyone else succeeded with such a setup? or have an idea as to an installable WM6 VPN client that would make this easier?
Please can anyone assist us with this, we're really struggling to find a solution and really need to get these phones up and running! I'd really appreciate someone's help!

In 'Start\Settings\Connections\Advanced Network\GPRS', you can find the CHAP authentication option

arnoo said:
In 'Start\Settings\Connections\Advanced Network\GPRS', you can find the CHAP authentication option
Thanks for your reply, but I think these settings are for the GPRS settings itself, not for the specific VPN Chap/MSChap authentication?

I have my Kaiser working with both Cisco IOS routers and PIX Firewalls and the majority of the configuration was on the Cisco kit; the Kaiser was relatively simple.
I installed a Certificate, then added a VPN connection to the 'My Work Network'. I selected IPSec/L2TP, then checked the 'A certificate on this device' radio button, then entered the username & password. There isn't anything else to configure.
Is there a Root certificate installed from the CA that issued the personal certificate to the PDA & the certificate to the VPN Server? What properties does the personal certificate have? (you need to ensure 'Client Authentication' is on there).
Andy

ADB100 said:
I have my Kaiser working with both Cisco IOS routers and PIX Firewalls and the majority of the configuration was on the Cisco kit; the Kaiser was relatively simple.
I installed a Certificate, then added a VPN connection to the 'My Work Network'. I selected IPSec/L2TP, then checked the 'A certificate on this device' radio button, then entered the username & password. There isn't anything else to configure.
Is there a Root certificate installed from the CA that issued the personal certificate to the PDA & the certificate to the VPN Server? What properties does the personal certificate have? (you need to ensure 'Client Authentication' is on there).
Andy
Just an update on this - I've tried connecting this morning and now I'm getting something slightly different - a Network Logon prompt, asking for my Username, Password and Domain - the odd thing is that the password that I entered when installing the Certificate has been placed in plain text into the Domain field?
The ROM I am using doesn't have the Certificates option, I am enquiring about that now so as to re-enable it and check that the certificate is installed. Will keep you updated.

Another update! Here are the log files from the IPCop VPN server itself, does this help?
Nov 28 12:14:28 ipcop0 pluto[1114]: "ob4150"[163] 212.183.134.131:7023 #4910059: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=#######, O=########, OU=######CA, CN=firstname_lastname
Nov 28 12:14:28 ipcop0 pluto[1114]: "ob4150"[163] 212.183.134.131:7023 #4910059: crl update is overdue since Jan 08 14:28:18 UTC 2006
Nov 28 12:14:28 ipcop0 pluto[1114]: "ob4150"[163] 212.183.134.131:7023 #4910059: crl update is overdue since Jan 08 14:28:18 UTC 2006
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:7023 #4910059: deleting connection "ob4150" instance with peer 212.183.134.131
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:7023 #4910059: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 28 12:14:28 ipcop0 pluto[1114]: | NAT-T: new mapping 212.183.134.131:7023/8514)
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:8514 #4910059: sent MR3, ISAKMP SA established
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:8514 #4910059: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:8514 #4910063: responding to Quick Mode
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:8514 #4910063: transition from state (null) to state STATE_QUICK_R1
Nov 28 12:14:29 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:8514 #4910063: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 28 12:14:29 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:8514 #4910063: IPsec SA established
Nov 28 12:14:33 ipcop0 pluto[1114]: "ashleyh"[35] 212.183.134.131:8514 #4910059: received Delete SA payload: deleting ISAKMP State #4910059
Nov 28 12:14:33 ipcop0 pluto[1114]: packet from 212.183.134.131:8514: received and ignored informational message
Nov 28 12:14:33 ipcop0 pluto[1114]: packet from 212.183.134.131:8514: Informational Exchange is for an unknown (expired?) SA
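What the pluto log above actually says is that IKE finished: the ISAKMP SA and then the IPsec SA came up, and four seconds later the phone sent a Delete SA. That rules out the certificate exchange and points at the next layer up, L2TP and its PPP authentication, which is where CHAP/MSCHAP lives. The "crl update is overdue" lines are a separate finding: the gateway is checking certificates against a stale CRL, so a revoked client certificate would still authenticate. The script below is an added example (not part of the thread, and not IPCop or Openswan code) that reads pluto-style lines and reports, per connection, how far the handshake got and which layer to look at next. SAMPLE_LOG is constructed to mirror the shape of the excerpt above; the peer address, state numbers and timestamps are made up.

```python
"""Triage an Openswan/pluto IKE log (as written by IPCop) so that IKE/IPsec failures
can be told apart from failures in the layer above it, where L2TP/PPP and the
CHAP/MSCHAP user authentication live.

Added example, not part of the original forum thread. SAMPLE_LOG is constructed
to mirror the shape of the IPCop excerpt in the thread; the peer address, state
numbers and timestamps are made up."""
import re
from datetime import datetime

SAMPLE_LOG = """\
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 192.0.2.10:7023 #4910059: crl update is overdue since Jan 08 14:28:18 UTC 2006
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 192.0.2.10:7023 #4910059: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 28 12:14:28 ipcop0 pluto[1114]: | NAT-T: new mapping 192.0.2.10:7023/8514)
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 192.0.2.10:8514 #4910059: sent MR3, ISAKMP SA established
Nov 28 12:14:28 ipcop0 pluto[1114]: "ashleyh"[35] 192.0.2.10:8514 #4910063: responding to Quick Mode
Nov 28 12:14:29 ipcop0 pluto[1114]: "ashleyh"[35] 192.0.2.10:8514 #4910063: IPsec SA established
Nov 28 12:14:33 ipcop0 pluto[1114]: "ashleyh"[35] 192.0.2.10:8514 #4910059: received Delete SA payload: deleting ISAKMP State #4910059
Nov 28 12:14:33 ipcop0 pluto[1114]: packet from 192.0.2.10:8514: received and ignored informational message
"""

# One pluto line that carries a connection tag: "name"[instance] peer:port #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+):\d+ #(?P<state>\d+): (?P<msg>.*)$'
)

def parse_ts(ts, year=2000):
    """Syslog timestamps carry no year; any fixed year is fine for computing deltas."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def verdict(c, window):
    """Map the milestones reached by one connection to the layer worth debugging next."""
    if c["isakmp_sa"] is None:
        return "IKE phase 1 never completed: check the client certificate, CA chain and proposals"
    if c["ipsec_sa"] is None:
        return "phase 1 OK but no IPsec SA: check phase 2 proposals and the L2TP (UDP 1701) policy"
    if c["deleted"] is not None:
        held = (c["deleted"] - c["ipsec_sa"]).total_seconds()
        if held <= window:
            return (f"IPsec SA came up and the peer tore it down after {held:.0f}s: "
                    "IKE/IPsec is fine, look at L2TP/PPP (CHAP/MSCHAP) authentication")
    return "IPsec SA established and held"

def triage(log_text, teardown_window_s=30):
    """Return {connection name: milestones + verdict} for every tagged connection in the log."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # NAT-T traces and untagged informational lines
        c = conns.setdefault(m["conn"], {
            "peer": m["peer"], "crl_overdue": False,
            "isakmp_sa": None, "ipsec_sa": None, "deleted": None,
        })
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if "crl update is overdue" in msg:
            c["crl_overdue"] = True   # revocation cannot be checked against a stale CRL
        elif "ISAKMP SA established" in msg:
            c["isakmp_sa"] = ts
        elif "IPsec SA established" in msg:
            c["ipsec_sa"] = ts
        elif "received Delete SA payload" in msg:
            c["deleted"] = ts
    for c in conns.values():
        c["verdict"] = verdict(c, teardown_window_s)
    return conns

if __name__ == "__main__":
    for name, c in triage(SAMPLE_LOG).items():
        flag = " (CRL overdue: revoked certs would still pass)" if c["crl_overdue"] else ""
        print(f"{name} from {c['peer']}: {c['verdict']}{flag}")
```

Run against the sample it reports that the IPsec SA held for 4 seconds before the peer deleted it, which is the "look at L2TP/PPP" case; a log that stops at STATE_MAIN transitions gets the phase 1 verdict instead. The 30 second window is an assumption to tune per site.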


openvpn over wifi

It won't connect via the wifi. It doesn't make any sense at all. Does anyone have any ideas? I'm running the dutty april rom. openvpn 2.1 for pocketpc here is my .ovpn config.... What's weird is that this config works fine on my linux pc and my windows laptop both using my wifi connection so I know it's not an issue with my wifi router. Any help would be greatly appreciated. Additionally openvpn works fine on my mobile if I am using the edge or 3g connection. It just doesn't work on the wi-fi.
client
dev tap
up-delay
ping 15
dev-node "TAP Device 1"
proto udp
remote xxx.xxx.xxx.xxx xxxx
resolv-retry infinite
tls-client
auth-user-pass
ca "\\Program Files\\OpenVPN\\config\\ca.crt"
cert "\\Program Files\\OpenVPN\\config\\me.crt"
key "\\Program Files\\OpenVPN\\config\\me.key"
ns-cert-type server
tls-auth "\\Program Files\\OpenVPN\\config\\ta.key" 1
cipher BF-CBC # Blowfish (default)
comp-lzo
verb 3
########
Logfile from openvpn
#########
Fri Aug 01 15:35:36 2008 OpenVPN 2.1_rc8 Win32-MSVC++ [SSL] [LZO2] built on Jun 28 2008
Fri Aug 01 15:35:36 2008 MANAGEMENT: TCP Socket listening on 127.0.0.1:10000
Fri Aug 01 15:35:36 2008 Need hold release from management interface, waiting...
Fri Aug 01 15:35:36 2008 MANAGEMENT: Client connected from 127.0.0.1:10000
Fri Aug 01 15:36:00 2008 Using Windows Connection Manager with destination 'auto' resolving to provider guid {436EF144-B4FB-4863-A041-8F905A62C572}
Fri Aug 01 15:36:00 2008 Acquisition of Windows Connection Manager provider succeeded...
Fri Aug 01 15:36:00 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Aug 01 15:36:00 2008 Control Channel Authentication: using '\Program Files\OpenVPN\config\ta.key' as a OpenVPN static key file
Fri Aug 01 15:36:00 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 01 15:36:00 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 01 15:36:00 2008 LZO compression initialized
Fri Aug 01 15:36:00 2008 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Aug 01 15:36:00 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Aug 01 15:36:00 2008 Local Options hash (VER=V4): '13a273ba'
Fri Aug 01 15:36:00 2008 Expected Remote Options hash (VER=V4): '360696c5'
Fri Aug 01 15:36:00 2008 Socket Buffers: R=[32768->32768] S=[16384->16384]
Fri Aug 01 15:36:00 2008 UDPv4 link local (bound): [undef]:1194
Fri Aug 01 15:36:00 2008 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Fri Aug 01 15:36:00 2008 MANAGEMENT: >STATE:1217622960,WAIT,,,
Fri Aug 01 15:37:01 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Aug 01 15:37:01 2008 TLS Error: TLS handshake failed
Fri Aug 01 15:37:01 2008 TCP/UDP: Closing socket
Sorry I can't help, thought I'd chime in and say first off there are numerous bugs w/ the wifi it seems. It really screws w/ my bluetooth for one.
And I've followed every easy to use set of instructions out there, I cannot access intranet thru exchange or any other method using my wifi. I wonder if you shut everything else on the phone off what would happen? (gprs/medianet etc)
Good luck, I'll keep an eye here to see if anyone figures anything out.
It looks like nobody else here has gotten it to work either

OpenVPN on the Diamond

Dear all
I was wondering if anybody got OpenVPN to run on the D. I am trying to connect to a server at home via GPRS/3G using a tap device (bridging). I was trying version 2.1.0 of the OpenVPN port from ziggurat29. The installation of the GUI and the openvpn client work fine. The GUI (ovpncmgr) starts up OK and also seems to start a tap device TAP1. When I try to start a VPN client with a config file that I tested on the desktop before (except for different path settings and settings for the management interface), it takes some time (get the typical GSM noise in my PC's speaker... so there is traffic over the air) and then a new VPN tab is displayed on the GUI. However the connection does not show up in the list of VPN instances. In the VPN tab I cannot get the status of the connection etc. Also, I cannot get any logging to work (no log file is created). On the server side I am not getting anything at all. No packets reach the server.
I am running out of ideas what could be wrong. Could it be the connection via T-Mobile? I am able to ping the server from the D, so I thought this should not be a problem. I also tried different ports (1194 and 443). Same result.
If anybody has a clue what I need to do, I'd appreciate any help.
Here is my client config file:
client
proto tcp-client
port 443
remote my.openvpnserv.net 443
ns-cert-type server
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
ca "\\Programme\\OpenVPN\\config\\ca.crt"
cert "\\Programme\\OpenVPN\\config\\client4.crt"
key "\\Programme\\OpenVPN\\config\\client4.key"
log "\\Programme\\OpenVPN\\log\\client4.log"
service openvpn_exit_1
management 127.0.0.1 10000
conmgr "MyTMO" 1
comp-lzo
verb 4
After all, the tap interface still seems to be available and no IP is configured for it. What is really annoying is that I am not even getting a log file.
jjb
I'm having exactly the same problem..OpenVPN starts, but it doesn't show any instance...
Hi there.
Do you use OpenVPN client with TF3D active??? I installed it and then I tried to run connection manager. But nothing happened. The manager seems not to be running. Maybe it's because of the TF3D. Any idea??? Thanks....
Hi,
After many days (and night) trying to make this thing work, I finally managed to make it work.
This is how I setup my server and client:
DSL Box (Public IP Address) ===ethernet===> Linksys WRT54G (192.168.1.1) ===ethernet===> Home PC as server (XP) (192.168.1.10)
Server Script:
proto tcp
port 443
dev tap
dev-node OpenVPN
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.199 255.255.255.0 192.168.1.210 192.168.1.220
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
comp-lzo
cipher AES-256-CBC
max-clients 10
persist-key
persist-tun
keepalive 10 60
status openvpn-status.log
verb 3
Client script:
client
dev tap
proto tcp
#Here your server's Public address + listening port
remote xxxxxxx.homeip.net 443
nobind
resolv-retry infinite
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
ca "\\ca.crt"
cert "\\htc1.crt"
key "\\htc1.key"
ping 15
ping-restart 120
verb 0
redirect-gateway
route-method exe
route-delay 2
# This is French SFR proxy
http-proxy 195.115.25.129 8080
http-proxy-option AGENT "Vodafone/1.0/HTC_Diamond/1.37.163.4"
On the server I created a bridge between the ethernet connection (192.168.1.10) and the TAP device that I renamed 'OpenVPN'.
I then manually modified its TCP/IP address with the following:
IP address : 192.168.1.199
Netmask : 255.255.255.0
Gateway : 192.168.1.1 (the Linksys router)
Primary DNS Server : 192.168.1.1
Secondary DNS : your provider DNS will do.
On the client (Diamond):
After installing the software, certificates and keys I modified the TAP device, manually giving it its IP address:
Start>>Parameters>>Connections>>WiFi>>Network Cards
IP Address : 192.168.1.210
Netmask : 255.255.255.0
Gateway : 192.168.1.1
If you have a router you need to forward port 443 to the bridge address (192.168.1.199).
That's all folks. Hope it works for you too.
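Both OpenVPN posts in this thread (the wifi config with the "TLS key negotiation failed to occur within 60 seconds" log, and the server/client pair just above) share the same failure shape: when the two ends disagree on a control-channel or data-channel setting, OpenVPN drops the offending packets and the client sees only a timeout. The checker below is an added example, not the thread's code and not the OpenVPN project's; it parses a server and a client config and reports the mismatches that produce that silent timeout (proto, port, cipher, comp-lzo, tls-auth presence and key direction) and sanity-checks the server-bridge pool. The two configs in it are constructed, modelled on the pair above; note that, as posted, the server carries tls-auth with direction 0 while the client has no tls-auth line at all, which is exactly the case the checker flags. Paths and the remote name are placeholders.

```python
"""Cross-check an OpenVPN 2.x server/client config pair for the mismatches that surface
only as a silent 'TLS key negotiation failed to occur within 60 seconds' on the client.

Added example, not from the thread or from the OpenVPN project. The configs below are
constructed, modelled on the server/client pair posted in the thread; paths and the
remote name are placeholders."""
import ipaddress
import shlex

SERVER_CONF = r"""
proto tcp
port 443
dev tap
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
server-bridge 192.168.1.199 255.255.255.0 192.168.1.210 192.168.1.220
push "dhcp-option DNS 192.168.1.1"
comp-lzo
cipher AES-256-CBC
keepalive 10 60
"""

# As posted: no tls-auth line although the server has one.
CLIENT_CONF = r"""
client
dev tap
proto tcp
remote vpn.example.invalid 443   # placeholder for the poster's dynamic-DNS name
nobind
cipher AES-256-CBC
comp-lzo
ca "\\ca.crt"
"""

FIXED_CLIENT_CONF = CLIENT_CONF + 'tls-auth "\\\\ta.key" 1\n'

def parse(conf_text):
    """Map directive -> list of argument lists (a directive such as push may repeat)."""
    opts = {}
    for raw in conf_text.splitlines():
        toks = shlex.split(raw, comments=True)
        if toks:
            opts.setdefault(toks[0], []).append(toks[1:])
    return opts

def first(opts, name, default=None):
    return opts[name][0] if name in opts else default

def check_pair(server_text, client_text):
    """Return human-readable findings; an empty list means the pair looks consistent."""
    s, c = parse(server_text), parse(client_text)
    findings = []

    # Transport: a 'proto tcp' server pairs with 'proto tcp' (+client) or 'proto tcp-client'.
    sp, cp = first(s, "proto", ["udp"])[0], first(c, "proto", ["udp"])[0]
    if sp.split("-")[0] != cp.split("-")[0]:
        findings.append(f"proto mismatch: server {sp}, client {cp}")

    # Port: server 'port N' must equal the port in the client's 'remote host N'.
    sport, remote = first(s, "port", ["1194"])[0], first(c, "remote")
    if remote is None:
        findings.append("client has no 'remote' directive")
    elif (remote[1] if len(remote) > 1 else "1194") != sport:
        findings.append(f"port mismatch: server listens on {sport}, client dials {remote[1:]}")

    # Data-channel parameters had to match exactly before cipher negotiation (OpenVPN 2.4).
    for name in ("cipher", "comp-lzo"):
        sv, cv = first(s, name), first(c, name)
        if (sv is None) != (cv is None) or (sv and cv and sv[0] != cv[0]):
            findings.append(f"{name} differs: server {sv}, client {cv}")

    # tls-auth: both sides or neither; key direction 0 on the server pairs with 1 on the client.
    sta, cta = first(s, "tls-auth"), first(c, "tls-auth")
    if (sta is None) != (cta is None):
        findings.append("tls-auth on one side only: the other side's control packets fail the "
                        "HMAC check and are dropped silently, so the TLS handshake times out")
    elif sta is not None:
        sdir = sta[1] if len(sta) > 1 else None
        cdir = cta[1] if len(cta) > 1 else None
        if {sdir, cdir} not in ({None}, {"0", "1"}):
            findings.append(f"tls-auth key-direction mismatch: server {sdir}, client {cdir}")

    # server-bridge: pool inside the netmask, ordered, and not containing the gateway itself.
    sb = first(s, "server-bridge")
    if sb and len(sb) == 4:
        gw, mask, lo, hi = sb
        net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        gw_a, lo_a, hi_a = (ipaddress.ip_address(x) for x in (gw, lo, hi))
        if lo_a not in net or hi_a not in net:
            findings.append(f"server-bridge pool {lo}-{hi} is outside {net}")
        if lo_a > hi_a:
            findings.append(f"server-bridge pool start {lo} is above its end {hi}")
        elif lo_a <= gw_a <= hi_a:
            findings.append(f"server-bridge gateway {gw} lies inside its own pool {lo}-{hi}")
    return findings

if __name__ == "__main__":
    for label, client in (("as posted", CLIENT_CONF), ("with tls-auth", FIXED_CLIENT_CONF)):
        print(label, "->", check_pair(SERVER_CONF, client) or ["consistent"])
```

The same checker applied to the wifi config earlier in the thread would pass the tls-auth check (that client has `tls-auth ta.key 1`) but would report a cipher mismatch against any server not also running BF-CBC, which is worth knowing anyway: Blowfish is a 64-bit block cipher, and AES-256-CBC as used in the pair above is the better default.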
Marsian-CZ said:
Hi there.
Do you use OpenVPN client with TF3D active??? I installed it and then I tried to run connection manager. But nothing happend. The manager seems not running. Maybe it's because of the TF3D. Any idea??? Thanks....
Ah... just go to 'Today' in Settings and disable the TF3D... click on the task bar!

Diamond 3G Sync error

Hi all,
I'm having an issue when trying to synchronize two diamonds and a cruise (all of them running wm6.1 FRE) with an Exchange Server 2003 SP2. Each time I try to synchronise through GPRS/3G, I'm getting an error (n° 0x80072EE2, which means server not available).
Below is my initial situation :
Synchronization is ok using USB on all devices. ActiveSync 4.5 is configured to use server "mail.mydomain.com", referring to a different IP address depending on whether synchronization is initiated from outside or inside the local network. From outside, a redirection from gandi.net transfers mail.mydomain.com to https://xxx.xxx.xxx.xxx/exchange, "xxx.xxx..." being my exchange server's public IP.
After spending days looking for a workaround, here's what I've tried :
- Disabling WM DNS cache (tried with both DnsCacheEnable and DnsCacheEnabled registry entries) and soft resetting the device, as suggested here : http://forum.soft32.com/pda/Wireless-Attempt-results-Error-0x80072EE2-ftopict76576.html ;
- Unchecking the "use proxy" box in my connection's advanced properties ;
- Placing the OWA redirection (https://xxx.xxx.xxx.xxx/exchange) on a new subdomain : webmail.mydomain.com, in order to have mail.mydomain.com pointing the same public IP address inside and outside the network.
Now I have :
mail.mydomain.com --> public_ip
webmail.mydomain.com --> https://public_ip/exchange
So, theoretically, putting my public IP address or mail.mydomain.com inside ActiveSync server's configuration should be exactly the same (except for certificates). Here is my problem : When using my IP address directly, I can see the request going through the firewall, to port 443 of my exchange server (but getting a certificate error, since I'm supposed to be connecting using mail.mydomain.com). When using mail.mydomain.com, I still get the 0x80072EE2 error, and nothing goes through my firewall...
Looks like there is no DNS lookup during wireless synchronization when using a domain name in activesync configuration...
Thanks for reading, any help would be great.
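The two symptoms in this post are the two things a TLS client checks in order: the name has to resolve on whatever path the phone is using (3G here, hence the "server not available" error and nothing reaching the firewall), and then whatever was typed into the server field has to be covered by the server certificate (an IP literal never matches a certificate issued to mail.mydomain.com unless the cert carries an iPAddress SAN, hence the certificate error). The script below is an added example, not part of the thread and not ActiveSync code; it shows the name-matching rules a client applies (RFC 6125 style: dNSName SANs first, a wildcard only as the whole left-most label, iPAddress SANs for IP literals, subject CN only when there is no SAN) and predicts what the phone reports for a given server entry under a given DNS view. CERT, INSIDE_DNS and OUTSIDE_DNS are constructed; 203.0.113.0/24 is a documentation range.

```python
"""How a TLS client decides whether the server name configured for ActiveSync is
covered by the server certificate, and why an IP literal in that field produces a
certificate error while a name that does not resolve produces 'server not available'.

Added example, not part of the original thread. CERT and the DNS views are constructed."""
import ipaddress

CERT = {  # constructed stand-in for a parsed server certificate
    "subject_cn": "mail.mydomain.com",
    "san_dns": ["mail.mydomain.com", "webmail.mydomain.com", "*.internal.mydomain.com"],
    "san_ip": [],                       # no iPAddress entries: an IP literal can never match
}

# Two DNS views of the same name: what resolves on the LAN and what resolves on 3G.
INSIDE_DNS = {"mail.mydomain.com": "192.168.0.5"}
OUTSIDE_DNS = {"mail.mydomain.com": "203.0.113.10"}

def dns_name_matches(pattern, host):
    """RFC 6125 style comparison of one dNSName pattern against a host name."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # '*' may only stand for the whole left-most label and needs two more labels after it
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def cert_matches(cert, server):
    """True if the configured server value is covered by the certificate."""
    if is_ip_literal(server):
        # An IP literal is compared only against iPAddress SANs, never against the CN.
        return any(ipaddress.ip_address(s) == ipaddress.ip_address(server) for s in cert["san_ip"])
    if cert["san_dns"]:
        return any(dns_name_matches(p, server) for p in cert["san_dns"])
    return dns_name_matches(cert["subject_cn"], server)   # legacy CN fallback, no SAN present

def diagnose(server, cert, dns_view):
    """Predict what the phone will report for a given server entry and DNS view."""
    literal = is_ip_literal(server)
    if not literal and server not in dns_view:
        return "DNS: name does not resolve on this path (0x80072EE2, server not available)"
    if not cert_matches(cert, server):
        return "certificate: server entry is not in the certificate's SAN/CN (name mismatch)"
    target = server if literal else dns_view[server]
    return f"ok: TLS to {target}:443 with host name {server}"

if __name__ == "__main__":
    for entry in ("mail.mydomain.com", "203.0.113.10"):
        for label, view in (("LAN", INSIDE_DNS), ("3G", OUTSIDE_DNS), ("3G, no DNS", {})):
            print(f"{entry:>20} via {label:<11} -> {diagnose(entry, CERT, view)}")
```

The practical consequence for the setup in the post is the one the poster arrived at: keep mail.mydomain.com in the ActiveSync server field, and make it resolve on the mobile path to the same public address the certificate was issued for, rather than switching the field to the IP.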

VPN client w/RSA token support?

Does anyone know of a VPN client that supports RSA token #'s? I've looked all over the place but can't seem to find anything.
Thanks for any help.
Maybe this? (VPN Connections)
http://android.modaco.com/content/h...7/cisco-vpn-client-on-htc-desire-short-howto/
Jack_R1 said:
Maybe this? (VPN Connections)
http://android.modaco.com/content/h...7/cisco-vpn-client-on-htc-desire-short-howto/
I'm running Cyanogen 5.0.7, and I read all the post but did not see anywhere that it supports RSA tokens. I might still try it and see if it works. Thanks!
It says "Cisco VPN Client". I know that Cisco VPN supports RSA tokens, having used one for a long time.
Jack_R1 said:
It says "Cisco VPN Client". I know that Cisco VPN supports RSA tokens, having used one for a long time.
Do you think it will still work on a N1, I see that the instructions are for the Desire?
http://forum.xda-developers.com/showthread.php?t=630703
Thanks to Jack_R1 I believe I have everything loaded correctly. Now could someone tell me where I can find my IPSec info on my computer? I'm not too familiar with the VPN stuff, but I have been working at this forever. I'm trying to do this on the low from my company since they said that they won't do it for me.
Any help would be great, thanks.
If you're using any proprietary sw to connect, look there in the connection properties to find the server IP. If not - look in Windows connection properties for VPN 'dialing' connection.
Jack_R1 said:
If you're using any proprietary sw to connect, look there in the connection properties to find the server IP. If not - look in Windows connection properties for VPN 'dialing' connection.
Our computers use Nortel Contivity, but I can't find the connection properties anywhere. I see the destination ip, and the assigned ip.
The IPSec gateway address should be what?
IPSec ID?
IPSec Secret?
bump for help!
Couldn't find anything and not familiar with Nortel SW..
http://ubuntuforums.org/showthread.php?t=441042
"You will now be asked first for your Ubuntu password, and then the following VPN info: the IPSec gateway address (the hostname of the VPN router you want to connect to), the IPSec ID (aka group ID), IPSec secret (aka group password), username (your VPN username), and password (your password or the value of your SecurID or other token if you have one)."
I guess you need to ask your IT personnel for IPSec ID and secret. IPSec gateway you can find from settings:
http://www.it.ubc.ca/security/VPN/setupdocs/nortelcontivity.html
"Destination" field holds it.
Jack_R1 said:
Couldn't find anything and not familiar with Nortel SW..
http://ubuntuforums.org/showthread.php?t=441042
"You will now be asked first for your Ubuntu password, and then the following VPN info: the IPSec gateway address (the hostname of the VPN router you want to connect to), the IPSec ID (aka group ID), IPSec secret (aka group password), username (your VPN username), and password (your password or the value of your SecurID or other token if you have one)."
I guess you need to ask your IT personnel for IPSec ID and secret. IPSec gateway you can find from settings:
http://www.it.ubc.ca/security/VPN/setupdocs/nortelcontivity.html
"Destination" field holds it.
I believe that I have all my settings correct but I'm still getting "failed to connect". I'm going to do a little more searching but if I can't get it I'm giving up, I have spent hours on this. Thanks for all your help Jack_R1.
I've just started trying to make this work also. Lex, did you ever find a solution?
jmglidden said:
I've just started trying to make this work also. Lex, did you ever find a solution?
Nope, I tried everything. Jack_R1 was very helpful, but I just couldn't get it. I think my company's security is just too high to bypass and my lack of knowledge didn't help.

Unable to connect (Exchange)

I am having tons of problems getting my tab to connect to my exchange server. The message I get every time (since yesterday afternoon when I got the tab) is "Unable to connect server."
I have tried everything I can think of and so far nothing has worked; this includes a bunch of different firmwares from JM6 to JMA and JMC, no change whatsoever. I've tried it on wifi and 3G, no change. I've tried 3 different exchange servers 2010 Sp1, 2010 and 2007 Sp3, no change.
I have a nexus one and milestone sitting right next to the tab and I can connect using the same server / user / password information just fine (they are both on 2.2 variants)
In trying to troubleshoot this I have started to take a look at the traffic from the tab. Everything looks like what you would expect to see, https to the exchange server specified, until the tab goes to contact Samsung (I assume it is to send the license activation / IMEI info for the mail app??) at 195.125.115.160. It looks like it sends something via https but never hears back from them and that's when I get the "Unable to connect server" message.
This is just a supposition on my part, I am not expert in any of this. So anyone have any ideas on how to get around this or what else to look for? Maybe I am missing something else much more basic?
Any way to change something in the OS / app somewhere to make it think it's "licensed" already?
Update
I used ADB and LogCat to find the following information that looks like the problem
E/ExchangeActivation( 3999): getDeviceInfo - Can not get country code!
I/ExchangeActivation( 3999): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
D/PROXY1 ( 3999): Proxy Host: null
D/PROXY1 ( 3999): Proxy port: 8080
D/NativeCrypto( 3999): Freeing OpenSSL session
I/ExchangeActivation( 3999): HTTP/1.1 503 Service Unavailable
I/ExchangeActivation( 3999): Device activation response: 503
E/ExchangeActivation( 3999): getLicenseKey - http response status 503
W/ExchangeActivation( 3999): Activation failed
V/EmailServiceProxy( 3999): validate returns 1
D/EAS SyncManager( 3999): !!! EAS SyncManager, onDestroy
Any assistance is greatly appreciated!
Well, it's working fine this morning. I guess Samsung fixed their server????? Hopefully there is some info here for someone else if they experience the same problem.
It is that you received an email with no subject line. If you receive an email with no subject line it shuts the connection down.
