WPA2-Enterprise - Networking

I have tried searching the forums for information about the possibility of using WPA2-Enterprise on Windows Mobile. What I have found is that it is not currently implemented in WM6. Does anyone have information on whether it is implemented in WM6.1? Are there any 3rd-party applications that can give you access to a WPA2-Enterprise network?
//Awi

WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the
Wireless LAN setup dialogs in WM6v1.

vdot said:
WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the
Wireless LAN setup dialogs in WM6v1.
There isn't a separate WPA2-Enterprise, it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authentication requests to. This is in contrast to WPA-PSK and WPA2-PSK, which use a Pre-Shared-Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication, however WM5/6 only supports two EAP types - PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy

ADB100 said:
There isn't a separate WPA2-Enterprise, it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authentication requests to. This is in contrast to WPA-PSK and WPA2-PSK, which use a Pre-Shared-Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication, however WM5/6 only supports two EAP types - PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy
Hi, currently my company is using PEAP via certificate. However, the certificate can be found only on the laptop. Do you think I can export it from the laptop and import it to the PDA? Thanks

devil_82 said:
Hi, currently my company is using PEAP via certificate. However, the certificate can be found only on the laptop. Do you think I can export it from the laptop and import it to the PDA? Thanks
All you need on the PDA is the server's public certificate to be in the Root Certificate store, you don't actually need a personal certificate on the PDA (unless you are performing PEAP with user certificates as opposed to PEAP with EAP-MSCHAPv2). To do this you would need to export it from the server or your PC and then import it on your PDA.
There is a post in another thread about disabling the certificate validation with WM5/6 which I haven't tried but looks like it should work and you wouldn't need to import the certificate:
http://forum.xda-developers.com/showthread.php?t=283380
Andy

Related

l2tp VPN on JASJAR

Hi, has anyone successfully used l2tp on their JASJAR (using a certificate, not a shared secret)? For some reason our certificate does not seem to work on the JASJAR; it works fine with Windows Mobile 2003 SE devices, but on Windows Mobile 5 the l2tp connection just fails directly (complaining about the username/password) without sending one bit of information to the VPN server. Any help is appreciated.
Kim
I FOUND THE REASON!
It's the smart dialer. Deactivate it by removing the operator phone skin
* The setting is at 'HKEY_LOCAL_MACHINE\Security\Phone\Skin'
* The 'Enabled' value must be set to '0' to show the default skin
In case you like your operator's buttons more than the default, delete or rename the 'ext' value. Unfortunately the button for video calls is removed by these actions. But L2TP VPN will work instead.
If you guys want a good and secure remote desktop program try:
http://www.logmein.com
Change resolution to 640x480 and you have a full desktop PC on your Universe.
Believe me it's the best.
df2jh said:
I FOUND THE REASON!
It's the smart dialer. Deactivate it by removing the operator phone skin
* The setting is at 'HKEY_LOCAL_MACHINE\Security\Phone\Skin'
* The 'Enabled' value must be set to '0' to show the default skin
In case you like your operator's buttons more than the default, delete or rename the 'ext' value. Unfortunately the button for video calls is removed by these actions. But L2TP VPN will work instead.
Yeah! I can verify this, though nowadays I'm using an HTC TyTN, but the same problem still exists. Note though that you don't have to remove the operator phone skin, just disable smart dialing from the phone:
Menu/Smart Dialing Options.../[ ] Enable Smart Dialing
Now the VPN works, but it still might randomly fail IF you have your mailbox open. The VPN will work again if you close the Inbox application, so no reboot is needed anymore. I have to look into the Inbox problem a bit more ...
Kim
I have tried this (disabling Smartphone) on my MDA Pro II, but still get the symptoms described above.
The basics work (PPTP, L2TP/IPSec with pre-shared key).
I have my SBS2003 CA authority cert installed in the Trusted certs stash. I assume that I need a device certificate.
I have a Windows Server CA. What type of certificate do I need to install, and how, to get the L2TP/IPSec client to pick up the right stuff?
Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G
gquipster said:
Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G
No - we now publish a TS session from our servers.
gquipster said:
Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G
Yes. Assuming that you are using IOS, you will need something like
Code:
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
! Not all of the options are necessary
interface Virtual-Template1
 ! BVI1 could be some other interface
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip route-cache flow
 ! Easier to get the IP address from a local pool
 peer default ip address dhcp
 ppp mtu adaptive
 ! optional
 ppp lcp predictive
 ! eap only if you authenticate users by certificates
 ! You will need to ensure that it matches your
 ! aaa authentication ppp default ...
 ! You may also need a
 ! aaa authorization network ...
 ppp authentication eap ms-chap-v2
 ! optional
 ppp ipcp header-compression ack
 ! optional
 ppp ipcp predictive
 ! necessary to get unique DHCP addresses
 ppp ipcp username unique
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <yourkey> address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map DYN-L2TP 100
 set transform-set 3DESSHA
!
!
crypto map STATIC-L2TP 100 ipsec-isakmp dynamic DYN-L2TP
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ! whatever is needed for your external interface
 !
 crypto map STATIC-L2TP
for pre-shared key access.
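An added example, not part of the original post: a Python audit that reads an IOS configuration like the one above and reports the IKE/IPsec settings a reviewer would check first (3DES, small Diffie-Hellman groups, a pre-shared key accepted from any peer address). The thresholds, finding texts and function name are this example's own assumptions, and the embedded sample is constructed from the crypto lines of the posted config with its `<yourkey>` placeholder.

```python
import re

# Constructed sample: the crypto lines of the configuration posted above,
# with a placeholder where the real pre-shared key would be.
SAMPLE_CONFIG = """\
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key <yourkey> address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
mode transport
crypto dynamic-map DYN-L2TP 100
set transform-set 3DESSHA
crypto map STATIC-L2TP 100 ipsec-isakmp dynamic DYN-L2TP
"""

# Review thresholds chosen for this example (assumptions, not from the thread).
WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # MODP groups of 1536 bits or fewer
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
POLICY_SUBCOMMANDS = {"encr", "encryption", "hash", "authentication",
                      "group", "lifetime"}


def audit(config):
    """Return (line_number, finding) tuples for weak IKE/IPsec settings.

    Lines are matched after stripping, so the flattened paste from the
    thread and a properly indented config give the same result.
    """
    findings = []
    policy = None                      # ISAKMP policy currently being read
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                   # blank line or IOS comment
        words = line.split()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if policy is not None and words[0] in POLICY_SUBCOMMANDS:
            value = words[1] if len(words) > 1 else ""
            if words[0] in ("encr", "encryption") and value in WEAK_CIPHERS:
                findings.append((lineno, f"isakmp policy {policy}: cipher {value}"))
            elif words[0] == "group" and value in WEAK_DH_GROUPS:
                findings.append((lineno, f"isakmp policy {policy}: DH group {value}"))
            elif words[0] == "hash" and value == "md5":
                findings.append((lineno, f"isakmp policy {policy}: hash md5"))
            continue
        policy = None                  # any other command ends the policy block
        m = re.match(r"crypto isakmp key .+ address (\S+)", line)
        if m and m.group(1) == "0.0.0.0":
            findings.append((lineno, "pre-shared key valid for any peer address"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for transform in m.group(2).split():
                if transform in WEAK_TRANSFORMS:
                    findings.append((lineno, f"transform-set {m.group(1)}: {transform}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```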
Not to be stupid but IOS?
How would I set this up?
Being able to access work would be fantastic!!!
Thanks!!!
G
Sorry, but these are configuration commands for your Cisco router.
Ah yes, therein lies the rub. It's work's VPN server which I want to access :-(
Been considering seeing if I can set up a VPN tunnel through my home firewall (Netgear) so theoretically I could connect over the net to my firewall and then over my firewall to work's VPN, but I don't know much about it to be honest

Wizard And Wpa??

Hey together,
I'm searching for an update or something else, so I can use my Wizard in a WPA wireless environment.
Can somebody help me, what I can do???
Thanks a lot
br
Martin
The Wizard has always supported WPA/WPA-PSK Authentication and TKIP Encryption. It is easy to set up but if you use the WPA-Enterprise (NOT WPA-PSK) with 802.1x PEAP or EAP-TLS then it requires Certificates to be installed on your device. Server Certificates can be installed easily by way of a .CAB file but you must enroll for Client Certificates. HTC include a Certificate Enrollment utility the 'Wireless' utility, however this requires a Windows 2000/2003 CA Server and cannot enroll with other CAs.
AKU 3.x added support for WPA2/WPA2-PSK Authentication and AES Encryption, however since a real AKU 3.x update has never been provided for the Wizard there are only hacked versions available (Faria's etc). I can confirm though that Faria's AKU 3.3 ROMs have this support and it does work (I am now only using WPA2 & AES at home and it works well). WPA2 has the same authentication requirements as WPA (i.e. Certificates).
Setting the Wireless APs up varies on each device type, plus WPA-PSK/WPA2-PSK doesn't require Radius server(s) configuring whilst WPA/WPA2 does.
Andy

HTC TyTNII vpn to a cisco vpn

Hi,
I am trying to establish a VPN connection to our company VPN.
The VPN gateway is a Cisco device. A "normal" connection via notebook with the Cisco VPN client works.
On my TyTN I installed the NCP client, but I don't know how to configure the Cisco settings.
On Cisco VPN Client:
- IP Address of Gateway
- Group Authentication
- Transport IPSec over UDP
On ncp VPN Client:
- IP Address of Gateway is easy to find
But I cannot assign the other settings. The NCP client has a lot of settings.
Has anybody had success establishing a VPN connection via Windows Mobile to a Cisco gateway?
Got it. The VPN client was not the problem.
The Blackberry Connect SW (disabled!) prevented connection via VPN.
Deinstallation of BB Connect and VPN client from Bluefire works fine.
What did you use as the VPN client to connect into the cisco gateway?
Do you use a RSA secureID token?
I am trying to get a VPN connection running from my HTC p3600i, WM6.
New VPN Client
For a few days now I have been using another VPN client: www.ncp.de
Works fine. We do not use an RSA token. Only Group Authentication (free string to identify groups) and XAUTH - user/password.
WinnieK said:
For a few days now I have been using another VPN client: www.ncp.de
Works fine. We do not use an RSA token. Only Group Authentication (free string to identify groups) and XAUTH - user/password.
Can you write your settings? I can't configure this
Any ideas on a MPPE PPTP VPN via WM6? I have been trying to get this to work for months and can't. I am operating under the presumption that the VPN client in WM5/6/6.1 doesn't support MPPE and I am therefore up S#!T creek without a 3rd party dialer...
(It is a VPN connection to my work and yes as sorry as this is they still use an encrypted PPTP connection for all of their VPN connections. If they would just move on to something a LITTLE more current L2TP/IPsec I wouldn't be having any of these problems...)
But is there such a thing as a 3rd party PPTP VPN client for WM5/6/6.1? I haven't been able to find one...
TIA~
WinnieK said:
For a few days now I have been using another VPN client: www.ncp.de
Works fine. We do not use an RSA token. Only Group Authentication (free string to identify groups) and XAUTH - user/password.
Kindly, can you show where to set the Group Authentication?!
New(ish) Cisco AnyConnect VPN Client
Cisco have released an AnyConnect VPN client for Windows Mobile 5/6 (version 2.3.185). This is specifically targeted towards the ASA 5500 platform as the VPN server; however, it should also work with IOS VPN devices (I am told?).
I haven't tried it, however I have seen it demonstrated and it all seemed to work.
Personally I prefer the integrated L2TP/IPSec VPN client and have posted previously on how to get this working with Cisco PIX 6.3, ASA/PIX 7.x and IOS devices.
Andy
The AnyConnect VPN client will support only SSL VPN, which is available on Cisco ASA and on IOS from 12.4(20)T or later.
Can I have two VPN connections to two different places on the same computer?
I work at two different medical facilities. I have a VPN connection to one and I'm trying to set up one for the other. When I'm in the New Connection Wizard and I pick "automatically dial connection", it makes me pick the medical facility that I already had on the computer to "automatically dial" when trying to create this new one.
cool vpn has given the users privilege to surf internet with freedom and security Thanks to VPN

Wireless Help

After reading many threads and websites, I am still unable to get a solution to my issue regarding specific Wi-Fi connections on my XV6800 / HTC Titan.
My college uses a WPA Enterprise/TKIP secured network using PEAP/EAP-MSCHAPv2 authentication. It is also required that the server's certificate is not checked against a CA for validity.
My problem is that I have been unable to connect to the network.
Using the settings (Authentication: WPA, Encryption: TKIP), I can choose PEAP for Network Authentication, but hitting Properties says "Cannot log on to the wireless network. This network requires a personal certificate to positively identify you."
It will never let me connect because of that.
Now, on the other hand, I tried SecureW2 TTLS as my authentication, and in SecureW2 I set up a profile with it set up to not check the server certificate, and EAP/PEAP for Authentication method/type respectively, as well as to prompt for user credentials.
With this method, I get nothing... Also, Properties near PEAP also says the same thing about the requirement of a personal certificate.
For reference, I'm using DCD's 3.2.0 ROM with Windows Mobile 6.1.
If anyone has any experience with this, please let me know ASAP.
Thank you.

Connect to schoolNetwork

Hi, I am from Sweden and this is my first post here at XDA.
I got an HTC p3600; it's upgraded to WM 6.5 and it works awesome.
Now the problem. The WLAN works great at home and on other open networks, or if I got the key.
In my school we have WLAN but I can't connect to it. I find it in the WLAN list but there it ends. My friend with an iPhone just selects the network and then he can enter his username and password, and voilà! He's in.
When I try to connect, the server wants a "Certifikat" (in Swedish). I have tried to do a "Domain enroll" to get it, but it always fails.
I think they use Windows Server 2003.
Does anybody understand my bad language? If you wanna know any more, just tell me.
Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I'm sure it's not a Windows server but a Cisco concentrator that lets you access WLAN, and it seems there is no free client for WinMobile that can communicate correctly with Cisco hardware. iPhones have a VPN client directly from Cisco integrated and can pass without problems. Try to ask your computer center what concentrator they use and if they know of a client that supports WinMobile.
Some forums mention a registry hack that deactivates certificate authentication, but just setting it didn't help. We're still trying to see if this might work in conjunction with a locally installed certificate. Try to get the root certificate of your CA and import it to your device. Might help. Somehow they screwed up PEAP on mobile clients, because it's supposed to work without local certificates, but alas...
FlyBy_1 said:
Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I'm sure it's not a Windows server but a Cisco concentrator that lets you access WLAN, and it seems there is no free client for WinMobile that can communicate correctly with Cisco hardware. iPhones have a VPN client directly from Cisco integrated and can pass without problems. Try to ask your computer center what concentrator they use and if they know of a client that supports WinMobile.
Some forums mention a registry hack that deactivates certificate authentication, but just setting it didn't help. We're still trying to see if this might work in conjunction with a locally installed certificate. Try to get the root certificate of your CA and import it to your device. Might help. Somehow they screwed up PEAP on mobile clients, because it's supposed to work without local certificates, but alas...
Thanks for the answer!
Would it be possible to install some kind of program from Cisco to make it work?
Unfortunately Cisco doesn't do any WinMo clients; they licensed it to other companies. Tried with the root CA yesterday but that didn't work; maybe we need a valid client cert too. Have to get a personal one from our uni CA in the next few days.
Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.
Thanks for the suggestion. I tried with various clients, none of them worked, securew2 was among them. But maybe it works with fiddyboy.
A page mentioned some older hardware may not cope with mixed WPA modes; maybe the P3600 is among them, but I really don't think so...
MAsterokki said:
Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.
I am downloading now, will test it tomorrow. Thanks!
Edit: I am not getting it to work. Can someone help me with the settings?
I am sorry, but I don't know what settings to use in your specific case... These settings should be made available by your school or company, most of the time the settings for laptops will give enough information too
Which ROM do you use to upgrade to Windows Mobile 6.5?
Finally got it to work. We have different WLANs here at our university. I had no luck connecting to our VPN network, so I tried our eduroam WLAN. Eduroam is a roaming network for educational purposes. If you have a login from your uni/school/whatever, you should be able to access the internet from any eduroam network worldwide.
As you said you were asked for a certificate, I think your network relies on the same technologies as ours, because I had the same error before. Explanation follows:
Our eduroam RADIUS server is certified.
This means our uni gave it a certificate. Our uni was certified by and got a certificate from the DFN (German research network). The DFN was certified by and got a certificate from the German Telekom.
This is called a certificate chain, with the DFN as intermediary and Telekom as root certificate authority.
What I had to do was import just the root certificate (from Telekom) to my mobile device by downloading it from our uni's webpage, transferring it to the Trinity and just clicking on it. It confirmed installation and the root CA is listed under Settings>System>Certificates>Root.
Edit: Normal certs have a *.crt ending. WinMo wants *.cer files. If you can only get your hands on *.crt, import them into your PC browser, export from there with DER encoding and rename *.der to *.cer. That's it.
Our eduroam RADIUS server authentication is via PEAP.
So I configured the network connection like this:
connects to : internet
authentication : wpa2
data encryption : aes
eap type : PEAP
Connect. When prompted put in Your uni account credentials.
This worked on WinMo 6.1 and 6.5 without the ValidateServerCert reghack or any other special program.
WinMo5 failed! Also tried the ValidateServerCert reghack but it's of no use. Think it's because WM5 has no WPA2-AES support. If your RADIUS allows WPA and TKIP it may work.
If this doesn't work, maybe your server uses something other than WPA2 or AES. Try different options. Maybe it's not using PEAP. Ask your admin, but try with a certificate first.
The strange thing is that PEAP was used to avoid handling of certificates; it's especially there to NOT have to fiddle with them. Anyway, this works here, hope this is the solution for your location...
You should just buy a portable hard drive or a flash drive and transfer your files onto that and then onto your computer.
Hi, I have the same problem, trying to use eduroam at CTU. My notebook/laptop WiFi works OK, but I can't connect with the TD2 Topaz. I have installed the required certificate, but in the options I have no way to set a specific RADIUS server to connect to (which is required to be specified in the settings on the notebook). Any ideas please? I also installed securew2, but I can't add the Cesnet CA in the securew2 options, even though it is installed in the system (it is present in Settings > Certificates in WM).
When you have WinMo 6.1 you shouldn't need securew2 and there is no need to explicitly set the RADIUS IP. Have you tried EAP type: PEAP? What's the error message, if any?
