Has anyone had any success with L2TP/IPSec VPNs and Windows Mobile 5 or 6? I have no problems with getting PPTP to work but have NEVER had any success with L2TP/IPSec. I have valid Client & Server Certificates but I have never been able to get a connection; in fact the HTC Wizard I have never even attempts to make a connection (I have a sniffer on the Ethernet port my Wireless AP is connected to). I have tried using Certificates & Pre-Shared Keys but the results are the same - The Wizard never attempts to connect, with PPTP it works every time.
The Server I am using is a Windows 2003 RRAS server and I have verified with a Windows XP Client that L2TP/IPSec works.
I have asked the question before but have not had any helpful replies. I would be grateful if anyone who has set this up successfully can let me know and maybe give me a run-down of the steps you used. I am not interested in any 3rd party VPN clients, it must be the built-in one.
Thanks
Andy
Hi
Yes I have had the same issue with both the wizard and now hermes, tried wm5 and wm6. I think it may be related to NAT-T translation as I am unsure from my reading whether MS supports NAT-T on the mobile end. If the data session is being NATed by your provider then this may be the cause. Probably need to check the ip packets coming from the phone to see what it is sending out. Is that what you did or is the sniffer at the other end?
sebjepb said:
Hi
Yes I have had the same issue with both the wizard and now hermes, tried wm5 and wm6. I think it may be related to NAT-T translation as I am unsure from my reading whether MS supports NAT-T on the mobile end. If the data session is being NATed by your provider then this may be the cause. Probably need to check the ip packets coming from the phone to see what it is sending out. Is that what you did or is the sniffer at the other end?
It has nothing to do with NAT traversal. WM5 (and WM6 probably?) does NOT support NAT-T, however I am not attempting to get this working over NAT. As I said I have put a sniffer on the Ethernet port my Wireless AP is connected to and my Wizard does not transmit anything when configured for L2TP/IPSec (except a DNS lookup for the VPN server name if I enter its DNS name as opposed to its IP address). With PPTP it works and I can happily see the packets it transmits on the sniffer.
This is really frustrating as it looks like no one has ever got this to work
I had a HP iPAQ 6365 previously with Windows Mobile 2003 and I managed to get it working on this quite easily
Andy
Andy
I now have this working on both the wizard and the hermes.
I am a bit confused with your last response as ipsec port 4500 is nat-t and is required and is being transmitted by both the wizard and hermes in my case.
My setup may be somewhat different to yours as I have a windows sbs2003 server running isa and rras. It is sitting behind an adsl modem router connected to the internet. The data connection on my phone is edge network on the wizard and HSDPA on the Hermes. Also have tried this via WiFi as well.
Steps I used
On server side router
On adsl modem router setup forwarding udp ports 500 ipsec, 4500 nat-t and 1701 l2tp and protocol 50 IPsec ESP. I selected l2tp/ipsec from its predefined list but noticed it missed udp 1701 so added this manually.
On Server.
ISA management selected Network Configuration right click and selected Allow vpn connections. This essentially sets up the ip filters to allow incoming protocols and then sets up rras for pptp and l2tp ports.
In rras configure a preshared key by right click server/properties/security tick allow custom ipsec policy... and added preshared key.
On mobile
settings/connections
My Work Network
Edit my vpn servers and added new IPsec/L2TP connection.
Works a treat hope this helps
I did notice on another forum something about disabling the phone skin but I did not have to do this.
Regards
Stephen
sebjepb said:
Andy
I now have this working on both the wizard and the hermes.
I am a bit confused with your last response as ipsec port 4500 is nat-t and is required and is being transmitted by both the wizard and hermes in my case.
My setup may be somewhat different to yours as I have a windows sbs2003 server running isa and rras. It is sitting behind an adsl modem router connected to the internet. The data connection on my phone is edge network on the wizard and HSDPA on the Hermes. Also have tried this via WiFi as well.
Steps I used
On server side router
On adsl modem router setup forwarding udp ports 500 ipsec, 4500 nat-t and 1701 l2tp and protocol 50 IPsec ESP. I selected l2tp/ipsec from its predefined list but noticed it missed udp 1701 so added this manually.
On Server.
ISA management selected Network Configuration right click and selected Allow vpn connections. This essentially sets up the ip filters to allow incoming protocols and then sets up rras for pptp and l2tp ports.
In rras configure a preshared key by right click server/properties/security tick allow custom ipsec policy... and added preshared key.
On mobile
settings/connections
My Work Network
Edit my vpn servers and added new IPsec/L2TP connection.
Works a treat hope this helps
I did notice on another forum something about disabling the phone skin but I did not have to do this.
Regards
Stephen
What ROM are you running on the Wizard? I am currently running a WM6 ROM but I previously used the official QTEK update (AKU 2.3 I think?) and then various WM5 AKU 3.3 ROMs. I have tested this with all of them and none have worked. If I could just see it attempt to connect I would be happy. The fact is it doesn't transmit anything at all and all I see is the dialogue box on the Wizard saying 'Cannot Connect'....
With regards to NAT-T I read that the VPN Client in Windows Mobile 5 was not capable of this, I could be wrong however?
Andy
Sorry didn't have signature updated I'm running WM6 MBE on the wizard and WM6 Black on the Hermes
Ok I am still confused can you tell me exactly how you are connecting to your work network. Wifi or gprs.
Can you check also.
Under settings/connections/advanced/select networks make sure you have separate, i.e. different, connections for the internet and private network. The Internet settings will be your service provider gprs settings.
For the private network mine is set as My Work Network. Edit this and make sure you do not have any modem connection listed, i.e. we want to make sure it goes out over our existing connection and does not try to make a new connection. Make sure the vpn tab has your vpn settings as required; they must be listed here and not under the Internet connection.
If you are using WiFi you must make sure the network setup is Connects to: The Internet and not set to Work. If it is work the VPN will not connect. You can not change this on the fly need to disconnect and setup again.
PM Me When you get to work given time diff I should be home. Might be able to test connection to my server at home then can check logs etc
Also use Task manager v2.7 to view netstats on phone to confirm udp ports and ip routes etc. It will show you if the phone is indeed sending; should see udp ports 500 4500 and 1701 being used.
Stephen
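The same question Stephen raises (is the phone sending on UDP 500, 4500 and 1701 at all?) can be answered from a capture taken at the sniffer instead of on the phone. The sketch below is an added example, not code from anyone in this thread: it labels raw IPv4 packets by the ports and protocols named above, plus PPTP's TCP 1723 and GRE, and reports how far one client got. All addresses and packet bytes are constructed.

```python
import socket
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IP protocol numbers

def classify(pkt):
    """Return (source IP, label) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, "not-ipv4"
    proto, src = pkt[9], socket.inet_ntoa(pkt[12:16])
    body = pkt[(pkt[0] & 0x0F) * 4:]          # skip header (IHL words)
    if proto == ESP:
        return src, "esp"
    if proto == GRE:
        return src, "pptp-gre"
    if proto in (TCP, UDP) and len(body) >= 8:
        ports = struct.unpack("!HH", body[:4])
        if proto == TCP:
            return src, ("pptp-control" if 1723 in ports else "other")
        data = body[8:]
        if 500 in ports:
            return src, "ike"
        if 4500 in ports:
            if data == b"\xff":
                return src, "natt-keepalive"
            # RFC 3948: four zero bytes mark IKE; anything else is ESP.
            return src, ("ike-natt" if data[:4] == b"\0\0\0\0" else "esp-in-udp")
        if 1701 in ports:
            # With L2TP/IPsec this port travels inside ESP, so seeing it
            # on the wire means the L2TP session is not protected.
            return src, "l2tp-cleartext"
    return src, "other"

def diagnose(packets, client_ip):
    """Summarise how far the client at client_ip got."""
    seen = {label for src, label in map(classify, packets) if src == client_ip}
    if "l2tp-cleartext" in seen:
        return "L2TP sent without IPsec protection"
    if seen & {"esp", "esp-in-udp"}:
        return "IPsec SA in use: client is sending ESP"
    if seen & {"ike", "ike-natt"}:
        return "IKE started but no ESP followed"
    if seen & {"pptp-control", "pptp-gre"}:
        return "PPTP only: no L2TP/IPsec attempt"
    return "client sent no VPN traffic"

# --- constructed sample packets (checksums left at zero, not validated) ---
def ipv4(proto, src, dst, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

PHONE, SERVER, DNS = "192.168.1.50", "192.168.1.10", "192.168.1.1"  # made up
IKE_MSG = b"\x11" * 28                      # stand-in for an ISAKMP header
ESP_MSG = b"\x12\x34\x56\x78" + b"\0" * 20  # non-zero SPI, then filler

CAPTURES = {
    "dns-only": [ipv4(UDP, PHONE, DNS, udp(1025, 53, b"\0" * 12))],
    "ike-stalled": [ipv4(UDP, PHONE, SERVER, udp(500, 500, IKE_MSG)),
                    ipv4(UDP, SERVER, PHONE, udp(500, 500, IKE_MSG))],
    "natt-up": [ipv4(UDP, PHONE, SERVER, udp(500, 500, IKE_MSG)),
                ipv4(UDP, PHONE, SERVER, udp(4500, 4500, b"\0" * 4 + IKE_MSG)),
                ipv4(UDP, PHONE, SERVER, udp(4500, 4500, ESP_MSG))],
    "native-esp": [ipv4(UDP, PHONE, SERVER, udp(500, 500, IKE_MSG)),
                   ipv4(ESP, PHONE, SERVER, ESP_MSG)],
    "pptp": [ipv4(TCP, PHONE, SERVER, tcp(1026, 1723)),
             ipv4(GRE, PHONE, SERVER, b"\x30\x81\x88\x0b")],
}

if __name__ == "__main__":
    for name, pkts in CAPTURES.items():
        print(f"{name:12} {diagnose(pkts, PHONE)}")
```

The "dns-only" capture corresponds to the symptom reported here, where only a DNS lookup leaves the device and no IKE packet follows.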
sebjepb said:
Sorry didn't have signature updated I'm running WM6 MBE on the wizard and WM6 Black on the Hermes
Ok I am still confused can you tell me exactly how you are connecting to your work network. Wifi or gprs.
Can you check also.
Under settings/connections/advanced/select networks make sure you have separate, i.e. different, connections for the internet and private network. The Internet settings will be your service provider gprs settings.
For the private network mine is set as My Work Network. Edit this and make sure you do not have any modem connection listed, i.e. we want to make sure it goes out over our existing connection and does not try to make a new connection. Make sure the vpn tab has your vpn settings as required; they must be listed here and not under the Internet connection.
If you are using WiFi you must make sure the network setup is Connects to: The Internet and not set to Work. If it is work the VPN will not connect. You can not change this on the fly need to disconnect and setup again.
PM Me When you get to work given time diff I should be home. Might be able to test connection to my server at home then can check logs etc
Also use Task manager v2.7 to view netstats on phone to confirm udp ports and ip routes etc. It will show you if the phone is indeed sending; should see udp ports 500 4500 and 1701 being used.
Stephen
I am using WiFi, this is all in a test environment so I have full control over everything. Under Connections I have 'My ISP' and 'My Work Network' listed. 'My ISP' has a modem entry, 'My Work Network' has no modem but has a VPN listed with the IP Address of the VPN server and set to L2TP/IPSec using a certificate on the device (I have tried with pre-shared key also). The WiFi entry is configured as 'Connects to The Internet'.
I enable the WiFi and verify I have connectivity, I then go to Connections, click on My Work Network, 'Manage existing connections' select the VPN tab, hold down the stylus on the entry and click connect and I almost immediately get the dialogue box saying 'cannot connect'. If I edit the VPN entry so it is PPTP it works every time. As I said I have a sniffer on so I can see what the Wizard transmits and when set to L2TP/IPSec it doesn't transmit anything whatsoever, with PPTP I can capture the whole conversation.
Thanks for any help you can give me.
Andy
Ok I have now also tried using certificates and you're right it does not seem to be sending any info at all. It might have something to do with checking the certificate store first. I have had issues before with Cisco vpn and certificates; you have to get the naming and certification just right before it even starts the connection.
So first thing let's try pre shared keys as I have got that working. I will PM you my server details if you wish to try that first.
Stephen
sebjepb said:
Ok I have now also tried using certificates and you're right it does not seem to be sending any info at all. It might have something to do with checking the certificate store first. I have had issues before with Cisco vpn and certificates; you have to get the naming and certification just right before it even starts the connection.
So first thing let's try pre shared keys as I have got that working. I will PM you my server details if you wish to try that first.
Stephen
I have just re-tested this and using a pre-shared key - same result
There is a brief flash of 'connecting' when you click connect but then the 'Cannot Connect' dialogue box appears, nothing gets transmitted. I have tried entering different IP addresses (public, private etc) just to see if it will transmit anything - it doesn't regardless of the IP address I enter.....
Andy
Andy
check your pm
Are you sure the wireless ap is actually passing the ipsec/l2tp traffic.
Working, well sort of.....
After a lot of messing around I now have this working, at least partially........
Following a soft-reset I can connect to a Wireless network OK (either a new one or one that is pre-configured), I can then connect the VPN using L2TP/IPSec. I can also manually disconnect the VPN and re-connect without any issues. However, when the wireless is disconnected (i.e. turned off from CommManager) and then re-connected the VPN will never work again, unless the Wizard is soft-reset.
Does anyone know what is likely to be causing this? some application in memory or a registry 'state' entry
Does anyone else see this behaviour?
Andy
I had exactly this with L2TP/IPSec on the MDA Vario II, but the same settings work as they should on my Athena.
ADB100 said:
After a lot of messing around I now have this working, at least partially........
Following a soft-reset I can connect to a Wireless network OK (either a new one or one that is pre-configured), I can then connect the VPN using L2TP/IPSec. I can also manually disconnect the VPN and re-connect without any issues. However, when the wireless is disconnected (i.e. turned off from CommManager) and then re-connected the VPN will never work again, unless the Wizard is soft-reset.
Does anyone know what is likely to be causing this? some application in memory or a registry 'state' entry
Does anyone else see this behaviour?
Andy
HI!
How can you DISCONNECT?? Do you get a "Disconnect" button or menu item somewhere??
How do you know you are connected to VPN?
Thank you,
Dmitry.
A bit late but...
I have a possible solution to the fact it doesn't send ANY traffic on a connect attempt - on my XDA mini S (HTC Wizard) it requires me to put something in the 'domain' field on the username/pwd screen before it will start the IPSec negotiation....
Now I just have to get it to complete the process with the sonicwall...
David
Revisiting this
I can't get PPTP going on my HD2. Thoughts?
bumping this message
I have tried all the usual vpn software (for 3g connectivity) the only third party software that connects is the ncp software, but I get stuck because it wont accept a challenge response grid.
Symantec - won't auth
Green something - doesn't connect
MS VPN - doesn't connect
I have been able to connect in the past with an iPhone, but without a java I can't connect to most motorola hardware devices at work so it's useless. I'm testing a G1 on 1.6 now and it fails to connect also. Going to try openvpn today sometime. My friend has his Eris working, so I know droid OS works.
I work for a large company and switching vpn hardware is out of the question, so if anyone has a 3g resolution for winmo, I won't have to trade my HD2.
Hi,
L2TP VPN with the Windows Mobile is working !!
The trick with L2TP VPN on WM is to use: an IP address (and NOT a hostname)
Strange, because using a hostname with PPTP VPN on the Windows Mobile it works.
With the trick L2TP works perfectly.
Chris
Hello. This is my first foray into VPN on Win Mo. I can establish a PPTP connection between my Imagio (stock Win Mo 6.5 R1) and my SBS 2008 server. I can ping the server and can browse the company web page. But I am having no luck accessing file shares. I have Schaps Network Plugin installed, but it doesn't see/can't access the shares. Will switching to IpSec VPN work? If so, any guidance on how to set it up on SBS 2008.
Anyone get these two to play nice together?
Details:
Cisco PIX 501e at the office
WM6 3g phone (HTC TyTn II)
vista/xp laptop (working properly on either would be great right now )
VPN setup on the pix is, i believe, fine. I could be wrong tho, i set it up by trial and error + reading the manual having never even touched a cisco device before
It works tho and has worked flawlessly for months now with Cisco VPN Client on XP or Vista machines.
Old phone was WM5 and used the clunky and annoying modem emulator to enable a laptop to use it to connect to intarwebs in the middle of nowhere, this was great and after faffing about getting it setup worked fine (required you to be logged in as administrator on vista tho :\ and not just a user account with admin privileges, actually administrator. Annoying.)
New phone is WM6 and uses internet sharing to connect with a laptop, this is a much better solution with no faffing about in vista and XP
Problem: Cisco VPN client connects to the pix through Internet Sharing on the phone just fine, however no traffic gets through.
Cannot ping, web browse, dns, rdc or anything to the network at work. Tried with Cisco VPN client v4.6.00.0049 and v5.0.01.0600 on XP and v5.0.00.0340 on Vista, none work.
This sucks
Now, i know its not a problem with the laptop or the vpn software on the laptop as these work fine when connected over ethernet or wifi.
Its not a problem with the phone's 3g connection, i installed a trial of bluefire vpn client onto it and that connects to the vpn and works just fine when the phone is in standalone mode.
However for the life of me i cannot get the two bloody things to work together.
Plz halp
Hi,
Often times, the inability to ping a local host (computers or other connected devices e.g router, hardware firewall, printer, PPC, etc) or hosts, is due to the firewall not allowing traffic through the router. It can also be that the hosts are incorrectly configured to be on different subnets, even though they are local, as in your own case.
Proceed as follows to troubleshoot:
a). Ping the router
Note that the idea is to see if we can establish communication with the router or hardware firewall such as the Pix.
At command prompt (c:\>) type:
ping 192.168.0.1
(each router manufacturer uses a different default internal IP address for its router) - the one above is for a Netgear or D-Link router - for a Cisco router, you would need to know the Cisco IOS command - see your router manual for this.
b). ipconfig /all
Note: there is a space before the forwardslash.
When it returns the parameters, check to see that the IP addresses are all on the same subnet.
This is crucially important for you to take good note. If you are not able to ping a local host or gateway, it's most likely due to this.
c). Ping the Pix Firewall (using its IP address)
d). Ping a remote IP address, e.g. your ISP's gateway or DNS server
e). Is there traffic? If it returns successfully, then ping the other hosts, including the VPN client.
Pix Firewall
Check to see that the Access Control List is configured correctly by ensuring that the IP addresses of the connected hosts have been entered, with the relevant access rights.
Router
Log on to the router. Whilst there:
Ensure that the hosts (computers, etc) are all on the SAME subnet. If they are on different subnets, you must correct the IP addresses to reflect that they are on the same subnet.
Note: If you do really want them to be on different subnets, then you need to use a default gateway.
Hope this helps.
kiwi992.
Hi,
I am trying unsuccessfully to connect to a PPTP VPN using the VPN client built into my new HTC TyTN II.
Wifi - I can connect using a WinXP SP2 laptop using wifi through my home linksys wireless router (which has PPTP passthrough enabled) using the standard Win XP vpn client. When I try with my TyTN II, I can browse ok but if I set up a VPN connection I get "VPN server problems. Verify your username and password, etc"
GPRS - If I try to connect over GPRS, I connect to Orange GPRS but when it tries to connect to the IP address of my VPN server, I get the same VPN server problem error message. (As a side issue, I asked Orange to enable my account for vpn which they did, sent a SIM update and told me to change my apn to 'internetvpn' instead of 'orangeinternet')
As I can connect through my wifi connected laptop, it seems to point to my WM6 vpn client but my forum searches suggest that the WM6 client works ok. Oh, and yes, I have checked that I am using the correct vpn username and password!
Any thoughts greatly appreciated - the ability to maintain some linux servers was my main reason for getting this phone!
_______________________________________________________
Phone - HTC TyTN from Orange
Windows Mobile 6 Professional
CE OS 5.2.1620 (Build 18125.0.4.2)
Processor QUALCOMM MSM7200-400MHz
Memory 101.63MB
Settings Device Information Version
Operator version 24.181.1.612
ROM Version 1.81.61.2.WWE
ROM Date 09/20/07
Radio version 1.27.14.32
Protocol version 22.45.88.07H
Bump!!! Same problem here. I have all the proper ports open on my router and still no luck.
I've been trying to resolve this with the people that manage my vpn server which in my case is a Watchguard firewall - apparently Watchguard isn't compatible with PPTP on WM6 and they have suggested using IPSec and have provided me with a client (not that I've got that working yet either!)
I suggest you contact the vendor of your vpn server and ask them whether they are compatible and how a WM6 client should be configured. Post anything you find out here for the benefit of others.
WM6 don't connect to VPN over GPRS/ WiFi
Friends...
I have the same problem... the VPN server is Windows Server 2003... My PDA has WM6 (with in-build VPN client)... then VPN PPTP would work OK... but What is the wrong??
Regards...
I also could not connect on vpn over GPRS and got error message, but after I tested all installed programs I have found out that my SPB GPRS Monitor was the reason for the errors. So I killed it.
Now VPN over GPRS connects and looking into register I see that I am really connected i.e. I got DNS server IP, I got name of the local network and dynamic IP for my HTC, but nothing works. As I have found out from server guys they see me but my dynamic IP is not logged in server DNS, so no program sees me and I can not work.
Can somebody help?
Same
I have a similar problem but the difference is that i don't even receive an error message. When i click connect NOTHING happens!! The wifi i am using is an open network but I must connect to vpn to connect to the internet.
Please help as i really need to get this working...
I have been trying to iron this out with IT at my office as well. I have been trying to get WM6.1 VPN working for nearly a year.
I have a TyTnII and my IT office just bought some kind of WM6.1 Motorola/Sprint Smartphone as well which they actually asked me about setting up for them.
The problem that I am experiencing is that I CAN connect to the VPN server (I use one of the TaskMan progs that has ipconfig built in, and I am getting an appropriate IP from the VPN server). BUT I can't browse ANY intranet sites via PIE or Opera Mobile 9.5. Whenever I try to browse to an intranet site I just get nothing, browser does nothing for ~10min then gives timeout error.
I have heard that this has to do with an inbuilt error in the PPTP module of the VPN client that incorrectly makes VPN server requests using the IP address assigned by the GPRS/EDGE/3G/etc. connection rather than the IP address assigned by the VPN connection, obviously will cause problems!
Anyway, we are investigating 3rd party VPN clients...
Only IPSEC works
I also made many tries to get vpn working over BT PAN profile.
The only configuration which worked for me was IPSEC with the Safenet SoftRemote-LT Client on PC.
With the Windows native PPTP-based VPN it does not work.
I got the error code 721 which means that the GRE protocol (frame type 47 on port 1721) does not pass through. This seems to be the real problem of the packet filtering components of the WM device. The problem is not related to bluetooth or PAN Driver, because it behaves in the same way if you try to do it over USB port. No way.
You guys might want to check out my post about getting my PPTP VPN working and actually syncing ActiveSync on a fixed schedule regularly over VPN.
http://forum.xda-developers.com/showthread.php?t=428878
Getting what you want to work over VPN requires Work URL Exceptions so that the traffic is properly routed.
nkitson said:
I've been trying to resolve this with the people that manage my vpn server which in my case is a Watchguard firewall - apparently Watchguard isn't compatible with PPTP on WM6 and they have suggested using IPSec and have provided me with a client (not that I've got that working yet either!)
I suggest you contact the vendor of your vpn server and ask them whether they are compatible and how a WM6 client should be configured. Post anything you find out here for the benefit of others.
Watchguard does support PPTP, your IT guys just need to configure it. As for IPSec, which would be awesome because there is an app called Greenbow that will connect you over 3G, it doesn't work with Watchguard. You can only connect using their own client for it which needs a license and isn't supported on Windows Mobile. They got a hate email from me for that crap.
I'm trying to connect my phone (Samsung SCH-i760) to my co's Cisco VPN concentrators (all IPSEC) via the phone's wifi.
I've tried Bluefire and AnthaVPN and they make my wifi connection disappear. The wifi doesn't re-appear until I remove the vpn software.
I've also tried the NCP's client and when the software is installed the phone won't turn back on after it's turned off after some period of inactivity. The only way to get the phone back on is to remove and reinstall the battery.
Does anybody know of a client that works?
Thanks!
gm2racer said:
I'm trying to connect my phone (Samsung SCH-i760) to my co's Cisco VPN concentrators (all IPSEC) via the phone's wifi.
I've tried Bluefire and AnthaVPN and they make my wifi connection disappear. The wifi doesn't re-appear until I remove the vpn software.
I've also tried the NCP's client and when the software is installed the phone won't turn back on after it's turned off after some period of inactivity. The only way to get the phone back on is to remove and reinstall the battery.
Does anybody know of a client that works?
Thanks!
There is a built-in L2TP/IPSec VPN client in Windows Mobile......
I use this to connect to both Cisco PIX/ASA Firewalls as well as Cisco routers. Have a search as I think I even posted some configurations as well.
Andy
ADB100 said:
There is a built-in L2TP/IPSec VPN client in Windows Mobile......
I use this to connect to both Cisco PIX/ASA Firewalls as well as Cisco routers. Have a search as I think I even posted some configurations as well.
Andy
There's no facility in the built-in VPN client to pass groupname and grouppwd, so unfortunately it doesn't work with my co's VPN infrastructure.
Thanks!
gm2racer said:
There's no facility in the built-in VPN client to pass groupname and grouppwd, so unfortunately it doesn't work with my co's VPN infrastructure.
Thanks!
You can specify the group as part of the username and the VPN device should interpret it (assuming it has been configured to do so?), however I don't think there is a way to send a separate group password.
Code:
[email protected]!group-vpn
or
[email protected]#group-vpn
If you are using strong encryption with good PSKs or Certificates then the group password doesn't really give you that much (IMO). I prefer to keep things simple for users so there is less for them to break. The built-in VPN client in Windows is pretty simple (same as the dial-up) and can be easily packaged using the Windows CMAK tools.
Cisco has recently released the AnyConnect VPN client for Windows Mobile. It might be worth having a look at this.
Andy
Andy, unfortunately it's my co's VPN that I'm trying to connect into, and they mandate groupname and grouppwd, so I guess I'm outta luck with the built-in VPN client...
Regarding the Cisco AnyConnect VPN client, I thought it only did SSL VPN and didn't have any facility to do IPSec VPN.
Weird, I have been using Bluefire v2.7.5.706 for about a year and a half without a problem. I connect to my company ASA5000 IPSEC VPN client without a problem. Of course, it's not over WiFi but over the 3G network. But even with the software installed, I have not had WiFi disappear on me. Did you try establishing a wifi connection first, then connecting through Bluefire?
There is also this VPN Mobile software (http://www.thegreenbow.com/mobile.html) for mobile devices.
Give it a try and tell us what you think. You can try it for 30 days free of license.
Here is the software download page for VPN Mobile.
Same here for VPN Client software for laptop.
Greenbow team.
There are many posts about VPN.
It seems there is something wrong in the VPN software, with both PPTP and L2TP.
I use a MacOSX server with VPN server enabled.
I can connect without any problem with any laptop.
But ... with my 2.2 android (Motorola Defy)
L2TP doesn't find the server
PPTP disconnects immediately after the IP (from VPN) is assigned.
There are some posts on the web suggesting there is an encryption problem.
Does anyone see this problem?
If yes, what to do?
Problem is same with wifi or 3G connection