l2tp VPN on JASJAR - JASJAR, XDA Exec, MDA Pro General

Hi, has anyone successfully used L2TP on their JASJAR (using a certificate, not a shared secret)? For some reason our certificate does not seem to work on the JASJAR. It works fine with Windows Mobile 2003 SE devices, but on Windows Mobile 5 the L2TP connection just fails directly (complaining about the username/password) without sending one bit of information to the VPN server. Any help is appreciated.
Kim

I FOUND THE REASON!
It's the smart dialer. Deactivate it by removing the operator phone skin:
* The setting is at 'HKEY_LOCAL_MACHINE\Security\Phone\Skin'
* The 'Enabled' value must be set to '0' to show the default skin
If you like your operator's buttons more than the default, delete or rename the 'ext' value. Unfortunately the button for video calls is removed by these actions. But L2TP VPN will work instead.

If you guys want a good and secure remote desktop program try:
http://www.logmein.com
Change the resolution to 640x480 and you have a full desktop PC on your Universal.
Believe me it's the best.

df2jh said:
I FOUND THE REASON!
It's the smart dialer. Deactivate it by removing the operator phone skin:
* The setting is at 'HKEY_LOCAL_MACHINE\Security\Phone\Skin'
* The 'Enabled' value must be set to '0' to show the default skin
If you like your operator's buttons more than the default, delete or rename the 'ext' value. Unfortunately the button for video calls is removed by these actions. But L2TP VPN will work instead.
Yeah! I can verify this, though nowadays I'm using an HTC TyTN, but the same problem still exists. Note though that you don't have to remove the operator phone skin, just disable smart dialing from the phone:
Menu/Smart Dialing Options.../[ ] Enable Smart Dialing
Now the VPN works, but it still might randomly fail if you have your mailbox open. The VPN will work again if you close the Inbox application, so no reboot is needed anymore. I have to look into the Inbox problem a bit more ...
Kim

I have tried this (disabling smart dialing) on my MDA Pro II, but still get the symptoms described above.
The basics work (PPTP, L2TP/IPSec with pre-shared key).
I have my SBS2003 CA authority cert installed in the Trusted certs stash. I assume that I need a device certificate.
I have a Windows Server CA. What type of certificate do I need to install, and how, to get the L2TP/IPSec client to pick up the right stuff?

Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G

gquipster said:
Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G
No - we now publish a TS session from our servers.

gquipster said:
Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G
Yes. Assuming that you are using IOS, you will need something like
Code:
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! Not all of the options are necessary
interface Virtual-Template1
 ! BVI1 could be some other interface
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip route-cache flow
 ! Easier to get the IP address from a local pool
 peer default ip address dhcp
 ppp mtu adaptive
 ! optional
 ppp lcp predictive
 ! eap only if you authenticate users by certificates
 ! You will need to ensure that it matches your
 ! aaa authentication ppp default ...
 ! You may also need a
 ! aaa authorization network ...
 ppp authentication eap ms-chap-v2
 ! optional
 ppp ipcp header-compression ack
 ! optional
 ppp ipcp predictive
 ! necessary to get unique DHCP addresses
 ppp ipcp username unique
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <yourkey> address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map DYN-L2TP 100
 set transform-set 3DESSHA
!
crypto map STATIC-L2TP 100 ipsec-isakmp dynamic DYN-L2TP
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ! whatever is needed for your external interface
 crypto map STATIC-L2TP
for pre-shared key access.
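The IOS configuration above is the only server-side view in this thread, and several of its settings (3DES, DH group 2, one wildcard pre-shared key with no-xauth, L2TP tunnel authentication switched off) are exactly the points a reviewer would want flagged before exposing the router to the internet. The script below is an added example, written for this page and not taken from the poster or from Cisco: it parses the indentation-based IOS config syntax into sections and reports those settings. The sample config is a re-indented excerpt of the posted one with the key replaced by a placeholder; the check names and the "weak" thresholds are the example's own choices.

```python
"""Audit a Cisco IOS L2TP/IPsec server configuration for weak settings.

Added example (not code from the thread or from Cisco): a small parser for
the indentation-based IOS config syntax plus checks for the settings a
reviewer would question in the configuration posted above. The sample
below is a re-indented excerpt of that posting with a placeholder key;
the thresholds used by the checks are this example's own choices.
"""
from __future__ import annotations

# Constructed sample: excerpt of the posted config, indented the way IOS
# displays it, with the pre-shared key replaced by a placeholder.
SAMPLE_CONFIG = """\
vpdn enable
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
interface Virtual-Template1
 ip unnumbered BVI1
 peer default ip address dhcp
 ppp authentication eap ms-chap-v2
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
 mode transport
"""

WEAK_IKE_ENCR = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}        # MODP groups of 1536 bits or less
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
WEAK_PPP_AUTH = {"pap", "chap"}         # clear-text or reversible password exchange


def parse_sections(text: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (header, child_lines) pairs.

    A line with no leading whitespace opens a section; every indented line
    that follows belongs to it (deeper nesting is flattened, which is
    enough for these checks). Blank lines and '!' comments are skipped.
    """
    sections: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def audit(text: str) -> list[str]:
    """Return one human-readable finding per weak setting found."""
    findings: list[str] = []
    for header, children in parse_sections(text):
        words = header.split()
        if header.startswith("vpdn-group"):
            if "no l2tp tunnel authentication" in children:
                findings.append(f"{header}: L2TP tunnel authentication is "
                                "disabled; only the IPsec layer protects the tunnel")
        elif header.startswith("crypto isakmp policy"):
            for child in children:
                cw = child.split()
                if len(cw) < 2:
                    continue
                if cw[0] == "encr" and cw[1] in WEAK_IKE_ENCR:
                    findings.append(f"{header}: IKE encryption {cw[1]}; prefer aes")
                elif cw[0] == "group" and cw[1] in WEAK_DH_GROUPS:
                    findings.append(f"{header}: DH group {cw[1]}; prefer 14 or higher")
                elif child == "authentication pre-share":
                    findings.append(f"{header}: pre-shared key authentication; "
                                    "rsa-sig with per-device certificates avoids a shared secret")
        elif header.startswith("crypto isakmp key"):
            if "address 0.0.0.0 0.0.0.0" in header:
                findings.append("crypto isakmp key: one key accepted from any peer "
                                "address, so every client shares the same secret")
        elif header.startswith("crypto ipsec transform-set"):
            weak = [w for w in words[4:] if w in WEAK_ESP]
            if weak:
                findings.append(f"{' '.join(words[:4])}: weak ESP transform(s) "
                                f"{', '.join(weak)}; prefer esp-aes with esp-sha-hmac or better")
        elif header.startswith("interface Virtual-Template"):
            for child in children:
                if child.startswith("ppp authentication"):
                    weak = sorted(set(child.split()[2:]) & WEAK_PPP_AUTH)
                    if weak:
                        findings.append(f"{header}: PPP authentication allows "
                                        f"{', '.join(weak)}; restrict to eap or ms-chap-v2")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
```

Run against the sample it reports six findings; the wildcard pre-shared key finding is the reason the first poster in this thread wanted certificates in the first place, since with `rsa-sig` each device carries its own credential and revoking one does not mean re-keying every client.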

Not to be stupid, but IOS?
How would I set this up?
Being able to access work would be fantastic!!!
Thanks!!!
G

Sorry, but these are configuration commands for your Cisco router.

Ah yes, therein lies the rub. It's work's VPN server which I want to access :-(
I've been considering seeing if I can set up a VPN tunnel through my home firewall (Netgear), so theoretically I could connect over the net to my firewall and then over my firewall to work's VPN, but I don't know much about it to be honest.

Related

GPRS and Static IP with VPN

HI guys,
Does anyone know how to get a static IP address when using the GPRS connection to the internet? The reason is that our corporate firewall has to recognise the device through its IP. Are there any other possible methods for recognising the user?
Also, does a VPN work well over GPRS, and is there any extra configuration involved on the VPN server?
Cheers
Any answers would be great.
Unfortunately there is no simple answer to your question. AFAIK you can't get a fixed IP on GPRS, but if you're using the right firewall and the right VPN host you don't need to.
I use and supply Windows SBS 2003 servers and VPN into them regularly. I have also used Citrix to achieve similar results. It might be a bit difficult to persuade your firm's IT department to set up something like that for one person though.
PM me if you'd like any advice.
BillyB said:
HI guys,
Does anyone know how to get a static IP address when using the GPRS connection to the internet? The reason is that our corporate firewall has to recognise the device through its IP. Are there any other possible methods for recognising the user?
Also, does a VPN work well over GPRS, and is there any extra configuration involved on the VPN server?
Cheers
Any answers would be great.
Hello Billy,
You ask a good question, but the answer isn't simple. Most carriers do have two types of APN (Access Point Name) provision for your SIM: a "private" APN (which provides a non-routable IP assignment from behind a NAT, for basic browsing and e-mail functionality) and a "public" APN (which provides a routable IP assignment, the minimum requirement for a more sophisticated connection type such as VPN). However, both of them are assigned by a DHCP (Dynamic Host Configuration Protocol) server on a GGSN (Gateway GPRS Support Node) of your particular GPRS network operator. In either case, the end result will obviously be a DYNAMIC IP address on your GPRS terminal (be it a laptop PC, a PDA, or a phone).
Some carriers do offer what is called a "dedicated APN" provision, which gives the subscriber their own IP range to choose from (almost like a small subnet), but it is only available to corporate giants like Pepsi (for example).
Now, to sum it up, you must have the proper APN provisioned on your mobile SIM account (which the provider will normally call something like a "VPN data package" in billing terms). Then you must obviously establish a GPRS session before you can connect your VPN client (but remember that the most basic VPN clients work the best). It is pretty sad to say, but the Microsoft Windows embedded VPN client on Win2k/XP Pro has so far performed the best with no quirks whatsoever. It has to be via PPTP... L2TP has also worked for me... otherwise, the fancier (and more secure) the VPN tunneling protocol, the more likely it is to fail. Normally all you need for a basic MS Windows VPN client config is the server name (or IP address), the user name, and the password.
Hope this helps,
Let me know how it goes,
Alex
PS. PM me if you have further questions.

VPN and TS: It's like pulling teeth

Hi all, this has got to be the most annoying problem ever. I can connect to the O2 VPN access point and hence I can connect to my work VPN server. However, as soon as I try to open a TS connection to my desktop (through the VPN) the VPN connection is dropped and I never connect. Can anybody tell me why? If I have a VPN connection to my work server, why does TS try to make another connection and bomb out the original? Is there a fix or another way of doing this, i.e. does an external IP have to be NAT'd to my desktop IP on port 3389? All help greatly appreciated. Ian

VPN Problem

I am trying to set up a VPN connection and can connect to our firewall, but I cannot connect to the network. If I try to ping the network it just times out.
The firewall is configured to allow the device through.
Can anyone help with this?
Thanks
Sorry I'm no expert on VPN or much else.
I use Remote Desktop through a router, firewall enabled.
Took a while to get through the firewall until I had set everything up properly.
You have to enable a virtual server port on the router to allow the traffic in. Have you set one up, and if so, with the right port number for VPN? From what I have seen it's 1723.
Not much help I know, but search on the internet for help on setting it up correctly, check your settings and double check.
Hi quest,
let me answer some questions to see things more clearly:
1. Do you use the built-in (Microsoft) VPN client or a 3rd party product?
2. If Microsoft, what type of VPN did you set up? L2TP or PPTP?
3. If L2TP, how do you authenticate: Preshared Key or Certificate?
4. How do you know that the device connects to your firewall?
5. How do you know that the device doesn't connect to the network?
6. What exactly is the rule permitting your device passing the firewall?
The answers to your questions are:-
We are using the built in MS VPN client of Win Mobile v5.0 (5.1.1700 build 14352.0.1.0)
I have tried both PPTP and L2TP
When L2TP, I was authenticating with a preshared key
Firewall logs show PPTP negotiation successful, and it issues a VPN IP address to the device
It can ping the firewall external interface, but times out trying to reach an internal address
The VPN session is established, but the firewall logs don't register either deny or allow traffic for each internal ping request, rather the firewall packet error count increments for each failed attempt.
Any help is greatly appreciated.

HTC TyTN II VPN to a Cisco VPN

Hi,
I am trying to establish a VPN connection to our company VPN.
The VPN gateway is a Cisco device. A "normal" connection via notebook with the Cisco VPN client works.
On my TyTN I installed the NCP client, but I don't know how to configure the Cisco settings.
On the Cisco VPN client:
- IP address of gateway
- Group authentication
- Transport: IPSec over UDP
On the NCP VPN client:
- IP address of gateway is easy to find
But I cannot assign the other settings. The NCP client has a lot of settings.
Has anybody succeeded in establishing a VPN connection via Windows Mobile to a Cisco gateway?
Got it. The VPN client was not the problem.
The BlackBerry Connect SW (disabled!) prevented connection via VPN.
Uninstalling BB Connect, and the VPN client from Bluefire, works fine.
What did you use as the VPN client to connect into the cisco gateway?
Do you use a RSA secureID token?
I am trying to get a VPN connection running from my HTC P3600i, WM6.
New VPN Client
For a few days now I have been using another VPN client: www.ncp.de
Works fine. We do not use an RSA token, only group authentication (a free string to identify groups) and XAUTH user/password.
WinnieK said:
For a few days now I have been using another VPN client: www.ncp.de
Works fine. We do not use an RSA token, only group authentication (a free string to identify groups) and XAUTH user/password.
Can you write down your settings? I can't configure this.
Any ideas on an MPPE PPTP VPN via WM6? I have been trying to get this to work for months and can't. I am operating under the presumption that the VPN client in WM5/6/6.1 doesn't support MPPE and I am therefore up S#!T creek without a 3rd party dialer...
(It is a VPN connection to my work and, yes, as sorry as this is, they still use an encrypted PPTP connection for all of their VPN connections. If they would just move on to something a LITTLE more current, like L2TP/IPsec, I wouldn't be having any of these problems...)
But is there such a thing as a 3rd party PPTP VPN client for WM5/6/6.1? I haven't been able to find one...
TIA~
WinnieK said:
For a few days now I have been using another VPN client: www.ncp.de
Works fine. We do not use an RSA token, only group authentication (a free string to identify groups) and XAUTH user/password.
Kindly, can you show where to set the group authentication?
New(ish) Cisco AnyConnect VPN Client
Cisco has released an AnyConnect VPN client for Windows Mobile 5/6 (version 2.3.185). This is specifically targeted at the ASA 5500 platform as the VPN server; however, it should also work with IOS VPN devices (I am told?).
I haven't tried it, however I have seen it demonstrated and it all seemed to work.
Personally I prefer the integrated L2TP/IPSec VPN client and have posted previously on how to get this working with Cisco PIX 6.3, ASA/PIX 7.x and IOS devices.
Andy
The AnyConnect VPN client will only support SSL VPN, which is available on Cisco ASA and on IOS from 12.4(20)T or later.
Can I have two VPN connections to two different places on the same computer?
I work at two different medical facilities. I have a VPN connection to one and I'm trying to set up one for the other. When I'm in the New Connection Wizard and I pick "automatically dial connection", it makes me pick the medical facility that I already had on the computer to "automatically dial" when trying to create this new one.

WPA2-Enterprise

I have tried searching the forums for information about the possibility of using WPA2-Enterprise on Windows Mobile. What I have found is that it is not currently implemented in WM6. Does anyone have information on whether it is implemented in WM6.1? Are there any 3rd party applications that can give you access to a WPA2-Enterprise network?
//Awi
WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the Wireless LAN setup dialogs in WM6v1.
vdot said:
WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the Wireless LAN setup dialogs in WM6v1.
There isn't a separate WPA2-Enterprise; it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authentication requests to. This is in contrast to WPA-PSK and WPA2-PSK, which use a Pre-Shared Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication; however, WM5/6 only supports two EAP types: PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy
ADB100 said:
There isn't a separate WPA2-Enterprise; it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authentication requests to. This is in contrast to WPA-PSK and WPA2-PSK, which use a Pre-Shared Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication; however, WM5/6 only supports two EAP types: PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy
Hi, currently my company is using PEAP via certificate; however, the certificate can be found only on the laptop. Do you think I can export it from the laptop and import it to the PDA? Thanks
devil_82 said:
Hi, currently my company is using PEAP via certificate; however, the certificate can be found only on the laptop. Do you think I can export it from the laptop and import it to the PDA? Thanks
All you need on the PDA is the server's public certificate in the Root Certificate store; you don't actually need a personal certificate on the PDA (unless you are performing PEAP with user certificates as opposed to PEAP with EAP-MSCHAPv2). To do this you would need to export it from the server or your PC and then import it on your PDA.
There is a post in another thread about disabling the certificate validation with WM5/6 which I haven't tried but looks like it should work and you wouldn't need to import the certificate:
http://forum.xda-developers.com/showthread.php?t=283380
Andy

WiFi network questions on HTC HD2

Hi,
Using an HTC HD2 I am trying to access my home network via WiFi (WPA2/PSK - AES). Some of it works, some of it doesn't, and I was hoping some of you would be able to point me in the right direction:
I can connect to intranet pages (for instance utorrent web interface) via IP, but not via hostname.
I cannot connect to network (smb) shares at all, either via IP or hostname.
A program which requires the hostname to work (since I use it over Hamachi VPN as well as locally and don’t want to change the IP based on how I use it) does work over Hamachi and not over WIFI.
I'm quite confused.
Any help would be greatly appreciated!
Cheers,
Elco
Sounds like your DNS isn't working. Do you have custom DNS servers configured in the "Name Servers" tab of network card config?
Thanks for responding!
It should get it from DHCP (though I have tried assigning a static IP and DNS, but this gave the same result).
Also, I have another older Windows Mobile device, and with the same settings it does allow me to access the network shares (by IP and hostname).
I've combed all settings regarding WiFi and network, but since they are the same I am guessing it is probably a difference at the registry level?
The HTC HD2 does have 2 Broadcom WiFi adapters mentioned though, a normal one and one with a DHD postfix.
Cheers,
Elco
@Talisman_: same problem here. have you solved it?
Exactly the same problem on the Xperia X2. I just set it to manual temporarily.
Are you using Hamachi on your phone?
Did you have this problem prior to installing Hamachi?
The reason is that Hamachi installs a network interface which exists whether or not Hamachi is running.
You may want to check your Data Connection settings and see if it has applied the "requires a proxy" setting
What are you using as your DNS server though, that is the question.
If it's your broadband router, then chances are it won't be able to serve DNS requests for internal devices (i.e. computers on your home network).
If that's the case, you'll need a proper DNS server (get an old PC and install Linux) and create a local domain such as home.local, or if you've got a registered domain you can even set it up the same (domain.com for instance); just tell the DNS server it's the domain master.
It's been yonks since I played around with Linux so I can't tell you how; it's much easier with Windows Server.
Some people advise against using the same public domain name as an internal domain name, but it just means you add A records for any public addresses such as WWW.domain.com or mail.domain.com if they are accessible outside your network as well as inside.
Alternatively, if you're only going to be accessing them via the home network, then you could try adding a few hosts to your registry (use the Windows calculator or similar to convert each IP address number to hex):
http://windowsmobilepro.blogspot.com/2006/04/etchosts-file-equivalent-in-windows.html
As always, you modify the registry at your own risk.
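The last suggestion above (hosts entries in the registry, with each address converted to hex by hand) is easy to get wrong one octet at a time, so here is an added example that does the conversion and validation in a script. It is not code from the thread or from the linked blog post. It assumes the per-host registry layout that post describes, namely a key per hostname under HKEY_LOCAL_MACHINE\Comm\Tcpip\Hosts holding the address as a 4-byte binary value named ipaddr; that path and value name are stated from memory and should be checked against the post before use. The sample hosts text is constructed for the example.

```python
"""Turn hosts-file lines into Windows Mobile registry entries.

Added example, not from the thread or from the linked blog post. Windows
Mobile has no /etc/hosts; the post above points at a per-host registry
key that stores the address as raw bytes, which is why the poster
suggests converting each octet to hex. This script validates the input
and performs that conversion. ASSUMPTION: the key path and the value
name below (HKLM\\Comm\\Tcpip\\Hosts\\<name>, binary value "ipaddr")
follow the layout described in the linked post; verify before use.
"""
import ipaddress
import re

HOSTS_KEY = r"HKEY_LOCAL_MACHINE\Comm\Tcpip\Hosts"   # assumed key path
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample in /etc/hosts syntax: comments, aliases, an IPv6
# line that must be skipped, and a malformed line that must be rejected.
SAMPLE_HOSTS = """\
# home network
192.168.1.10   nas nas.home.local
192.168.1.20   htpc      # media box
::1            ip6-localhost
192.168.1.999  broken
"""


def valid_hostname(name: str) -> bool:
    """RFC 1123-style check: dot-separated labels of letters, digits, hyphens."""
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def ip_to_hex(ip: str) -> str:
    """Dotted quad -> the 4 bytes the binary registry value holds, as hex."""
    return ipaddress.IPv4Address(ip).packed.hex()


def parse_hosts(text: str):
    """Return (entries, skipped).

    entries: list of (hostname, dotted_ip, hex_bytes) for every valid
             IPv4 host/alias; skipped: list of (line_no, reason).
    """
    entries, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            skipped.append((lineno, f"bad address {ip!r}"))
            continue
        if addr.version != 4:
            skipped.append((lineno, "IPv6 entry not supported by this key"))
            continue
        for name in names:
            if not valid_hostname(name):
                skipped.append((lineno, f"bad hostname {name!r}"))
                continue
            entries.append((name, ip, addr.packed.hex()))
    return entries, skipped


def to_reg_lines(entries) -> list[str]:
    """Render entries in .reg-file syntax (hex:aa,bb,cc,dd for binary values)."""
    out = []
    for name, _ip, hexaddr in entries:
        out.append(f"[{HOSTS_KEY}\\{name}]")
        out.append('"ipaddr"=hex:' + ",".join(hexaddr[i:i + 2] for i in range(0, 8, 2)))
    return out


if __name__ == "__main__":
    found, rejected = parse_hosts(SAMPLE_HOSTS)
    print("\n".join(to_reg_lines(found)))
    for lineno, reason in rejected:
        print(f"; line {lineno} skipped: {reason}")
```

Rejected lines are reported rather than silently dropped, so a typo in an address cannot end up as a wrong binary value that quietly sends traffic to the wrong host.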
