Database Users

VPN with PPTP and GPRS

I have been trying to establish a VPN connection with my xda over gprs to my office computer (PPTP) but I am not sure I have made the appropriate settings. There is no place to type in my username and password (except for the gprs connection).
Can anyone guide me on how to ensure a proper connection?
Also, I am not sure what the VPN connection will mean in terms of pocket pc functionality. Will it mean that I can access my office e-mail which would otherwise require a direct dial in? Will I be able to synchronize with my office outlook?
I would greatly appreciate your help. Thanks, apap

VPN
hi,
suggest ringing 0845 6006886 (O2 GPRS Helpline).
They have a PDF Doc that may help. They will e-mail it to you.
Doc Title VPN_Access_over_mobile_web.
Good luck
Ric.

Thanks for your help Ric.
I have followed the settings as discussed in the pdf file but I have not had any success. I will call the helpline.

private networks
Please note that if you are using O2 and your office have a private network range in the 10.0.0.0 range, you will have problems due to the subnet mask used, and the fact that O2 use NAT.
I have written a utility which monitors the routing table, and overcomes this problem by narrowing the net mask. Anyone who is interested, contact me for this software: [email protected]
I tried to 'give' this software to O2, but they didn't seem to care. They didn't really seem to understand the problem.

Re: private networks
martinlong1978 said:
[...]
I have written a utility which monitors the routing table, and overcomes this problem by narrowing the net mask. Anyone who is interested, contact me for this software: [email protected]
I tried to 'give' this software to O2, but they didn't seem to care. They didn't really seem to understand the problem.
Click to expand...
Click to collapse
How about this: we'll dedicate a page to it on this site, and possibly even include a small tutorial that deals with networking stuff in general. If everyone in the know contributes a bit of their knowledge, I'll lay it all out, add the screenshots and put it on a page.

Re: private networks
Thanks.
Here's the gist of it.
Often, corporate networks use addresses in the range 10.0.0.0 - 10.255.255.255 in order to create private networks. This address range is designated for this purpose, and is the only class A range designated as such.
O2's GPRS network uses NAT in order to cut down the number of IP addresses they require. In doing so, they also use the private address range.
It is not recommended practice to use NAT for subscription networks, as they do not provide a 'complete' internet service. Certain peer-to-peer services will not work through NAT, as they require both devices to be publicly addressable - this however, is not the cause of this issue.
Lets look at the process of connecting to a VPN.
1) a 'dial up' connection is made to the GPRS service. When I say 'dial up' I do not mean a circut switched call is made (before you techies correct me), but still, some kind of PPP connection is made.
2) IP addresses are negotiated. An address is allocated to the device in the 10.0.0.0 range. During this allocation proceedure no subnet mask is specified, and the device assumes 255.0.0.0 as for a class A network.
3) The device adds a route to 10.0.0.0 mask 255.0.0.0 on the GPRS virtual adapter.
The connection to the VPN can now be made
1) a 'dial up' connection is made to the VPN service.
2) IP addresses are negotiated. An address is allocated to the device in the 10.0.0.0 range (depending on corporate config). During this allocation proceedure no subnet mask is specified, and the device assumes 255.0.0.0 as for a class A network.
3) The device adds a route to 10.0.0.0 mask 255.0.0.0 on the VPNvirtual adapter.
All seems fine - no? Try connecting to any host on the private network. Mail server, terminal server, web server. I bet you it doesn't work. That's because two routes have been allocated on the 10.0.0.0 mask 255.0.0.0 network. When you try and connect to your mail server (eg 10.0.0.6) the packets go straight out through the first matching route - the GPRS, and never even see the VPN route.
My software tool watches the route table (I use a function in the IPhlpapi.dll for those interested), and waits for a change. When it spots a change, it re-writes the routing table, narrowing the routing entries to 24 bit masks (it works out the missing octets from the gateway address).
So an example would be:
10.0.0.0 mask 255.0.0.0 gw 10.34.23.254 if GPRS
10.0.0.0 mask 255.0.0.0 gw 10.0.0.1 if VPN
becomes
10.34.23.0 mask 255.255.255.0 gw 10.34.23.254 if GPRS
10.0.0.0 mask 255.255.255.0 gw 10.0.0.1 if VPN
This allows you to access stuff in the 10.0.0.0 network.
Drawback:
You won't be able to peer to peer with other O2 XDA's who aren't on the same class C netowork - big deal, does anyone do this?
You are limited to contacting hosts on the same class C within your private network. I am working on broadening this range.
Files:
There is 1 file required - the executable, which should be placed in the startup folder. Let me know where to send this, and it can be made public.

util.
To keep you updated. I've just updated this slightly. It no longer requires MFC. It is 1 x 5.5 K executable.
Regards
Martin

Please note, not everyone will need this update. Only if your office uses a 10.0.0.0 subnet.
Thanks for all the enquiries.

Can I share the files - VPN_Access_over_mobile_web.pdf?
Hi ,
Can I share the files - VPN_Access_over_mobile_web.pdf? I am also testing the VPN conection over XDA GRPS, but if it is possible , pls mail me that PDF files. [email protected]
Thx
Li

CAn anyone please email me the VPN_Access_over_mobile_web.pdf file? Please Please Please!
Thanks
Ian
[email protected]

Don't have this file to hand, but if it is the one I think (provided by o2 UK) it is on their site somewhere.
VPN to Win2k server (with fixed ip, and internal ip of 192.168.blah-de-blah) worked first time following those instructions, as did Terminal Server used to remotely control it.
HTH
imordey said:
CAn anyone please email me the VPN_Access_over_mobile_web.pdf file? Please Please Please!
Thanks
Ian
[email protected]
Click to expand...
Click to collapse

VPN Access
For goodness sake.
http://www.o2.co.uk/mobileweb
Select the VPN Access tab!
Download the PDF from there.
A little surfing goes a long way

Re: util.
Hi Martin, I tried to mail you for the VPN fix but it bounced, any chance you could email it to me or attach it here? paul_w at cix dot co dot uk.
Thanks,
Paul
--
To: [email protected]
Subject: XDAII VPN fix
Sent: Sat, 28 Feb 2004 13:15:42 -0000
did not reach the following recipient(s):
[email protected] on Sat, 28 Feb 2004 13:30:55 -0000
The recipient name is not recognized
The MTS-ID of the original message is: c=us;a= ;p=trace computers
;l=DATA1504022813301W4WRN23
MSEXCH:IMS:Trace Computers PLCatawiseATA15 0 (000C05A6) Unknown
Recipient
martinlong1978 said:
To keep you updated. I've just updated this slightly. It no longer requires MFC. It is 1 x 5.5 K executable.
Regards
Martin
Click to expand...
Click to collapse

Does anyone have this file? Or any contact details for martinlong?
Thanks,
Paul

What VPN does for me.
Me and my significant other have 3 servers in our closet and host exchange (email), Active Directory, and outlook mobile access as well as things like ftp, web, and most importantly VPN. All my email that comes to us goes into my Outlook box on the exchange server then activesync sends a text message to my tmo pda phone and activesync begins downloading my mail and synchronizes my contacts and calendar. Once that is complete, a VPN connection is started up and the pda syncs with my desktop computer, so programs like vindigo and files like my documents are up to date. I even have the option of installing over the air or browsing my files on my computer at home.

Hey Sytris, I'm setup the same way pretty much but I've tried with 2 different devices and I can't get it to sync with the local computer. The active synce with exchange works fine and the vpn connects just fine. The active Sync app on the server then gets the connection from the PPC but shows connected as guest instead of my device and the active sync on the PPC still shows connecting but never goes anywhere. Did you run into that when setting yours up? Any suggestions? Thanks - Jim

About PPTP connection via PC I found nice tutorial step by step here at supervpn.net/blog
About mobile, you should try to contact some VPN provider, they have nice live chat support so they can answer you probably on all your questions.

For setup your vpn on your phone you can find solution on worldvpn.net

GPRS and Static IP with VPN

HI guys,
Does anyone know how to get a static IP address when using the GPRS connection to the internet. The reason being is because our corporate firewall has to recognise the device through it's IP. Is there any other possible methods for recognising the user?
Also does a VPN work well over GPRS and is there any extra configuration involved on the VPN server
Cheers
Any answers would be great.

Unfortunately there is no simple answer to your question. AFAIK you cant get a fixed ip on gprs, but if your using the right firewall and the right vpn host you dont need to.
I use and supply windows sbs 2003 servers and vpn into them regularly. I have also used citrix to achieve similar results. Might be a bit difficult to persuade your firms it dept to set up something like that for 1 person though.
PM me if youd like any advice.

BillyB said:
HI guys,
Does anyone know how to get a static IP address when using the GPRS connection to the internet. The reason being is because our corporate firewall has to recognise the device through it's IP. Is there any other possible methods for recognising the user?
Also does a VPN work well over GPRS and is there any extra configuration involved on the VPN server
Cheers
Any answers would be great.
Click to expand...
Click to collapse
Hello Billy,
You ask a good question, but the answer isn't simple. Most carriers do have two types of APN (Access Point Name) provision for your SIM: "private" APN (which provides a non-routable IP assignment from behind a NAT, for basic browsing and e-mail functionality) and "public" APN (that provides a routable IP assignment, which is the Minimum Requirement for a more sophisticated connection type, such as VPN, etc). However, both of them are assigned by a DHCP (Dynamic Host Configuration Protocol) Server on a GGSN (Gateway GPRS Support Node) of your particular GPRS network operator. In either case, the end result will obviously be a DYNAMIC IP address on your GPRS terminal (be it a laptop PC, a PDA, or phone)
Some carriers do offer what is called a "dedicated APN" provision, which gives the subscriber their own IP range to choose from (almost like a small subnet), but it is only available to corporate giants like Pepsi (for example).
Now, to sum it up, you must have the proper APN provisioned on your Mobile SIM account (which the provider will normally call something like a "VPN data package" in billing terms). Then, you must obviously establish a GPRS session before you can connect your VPN client (but remember that most basic VPN clients work the best). It is pretty sad to say, but Microsoft Windows-embedded VPN client on Win2k/XP Pro so far has performed the best with no quirks whatsoever. It has to be via PPTP...L2TP has also worked for me..otherwise, the fancier (and more secure) the VPN tunneling protocol, the more its likely to fail. Normally all you need for a basic MS WIndows VPN client config is the Server name (or IP address), the user name, and the password.
Hope this helps,
Let me know how it goes,
Alex
PS. PM me if you have further questions.

VPN and TS Its like pulling teeth
hi all this has got to be the most anoying problem ever. i can connect to O2 vpn access point and hence i can connect to my work vpn server. however as soon as i try to open a TS connection to my desktop (through the vpn) the VPN connection is dropped and i never connect. Can anybody tell me why? if i have a vpn connection to my work server why does TS try to make another connection and bomb out the original. Is there a fix or another way of doing this i.e. does a external IP have to be nat'd to my desktop IP on port 3389? all help greatly appreciated. Ian

PocketPC program to update dynamic DNS name at DynDNS.org?

Yet another way that your device can be protected is whenever it's able to hit the internet. It would update a dynamic DNS entry on your account at DynDNS.org with hopefully a public IP address it gets and from there, if you have a program like SOTI Pocket Controller Professional, you can instantly gain remote access to the device. That's just one program of many that could benefit from this.
Is there any program for the Pocket PC that updates a dynamic DNS name there?

Any news on programs like this?
Would be very much appreciated!

If you look up posts by OdeeanRDeathshead you will find a discussion somewhere (sorry, don't remember the exact link) that you can't get a public IP over GPRS connection, so unless the phone it self initiates a connection you can not reach it.
This means that unless you device is connected via WIFI a program like this would be useless.
Sorry to be the bearer of bad news.

OK, I understand that.
I found an IP using www.whatsmyip.org. For example 123.123.123.123
I'm using my phone to connect to an Exchange Server. But I only want my phone to reach te server, so I have set up my firewall to forward (NAT) certain ports from source 123.123.123.123 to the Exchange Server. The rest of the IP's are going somewhere else.
But the IP changes of course, guess T-Mobile has more gateways in use. Maybe to another everytime you connect.
Is there a program that sends a query to whatsmyip.org (or another site like this) and then updates the IP address in a DNS record (like dyndns.org). Any help would be appreciated.

WiFi settings

I want to make a WiFi connection on my school. But I have to make some setting changes. I have the HTC Trinity with WM6.
I have to satisfy to these settings:
- Wlan network name: tue
- Security mode: 802.1x with dynamic WEP keys
- Authentication protocol: PEAP with MSCHAPv2
- Root certificaat: GTE Cybertrust Global Root
Where do I make these changes?

On your's school router or wifi access point in your school

but sadly I have to make these changes on my pda
According to school these are the settings specially made for smartphones/pda

Markos said:
but sadly I have to make these changes on my pda
According to school these are the settings specially made for smartphones/pda
Click to expand...
Click to collapse
If it is set on your's router in school, then your PDA or smartphone will see these settings automatically
Otherwise look in start-settings(instellingen)-connections(verbindingen)-wi-fi, there you can add new network connection and apply these settings

But that's the problem.. I can't apply these settings.
When I configure Netwerk Authentication I'll come till "Use IEEE 802.x network acces control"
When I select this and choose for PEAP and I want to change the Properties I get this message:
Warning
Cannot log on to the wireless network. This network requires a personal certificate to positively identify you
Click to expand...
Click to collapse
Where can I make and/or change this personal certification?

been having the same message, anyone knows where to find the certificate?

Hi,
So,
1. You want to connect wirelessly to your School's network, right? .......and that
2. The network settings that you stated in your opening post were given to you by your School Network Administrator, right? ......finally, that
3. Your School Network Administrator had indeed, ACTUALLY given authority to your device (HTC Trinity) in the Access Control List to access the school's network, right?
In that case, he (the School Network Administrator) MUST have assigned an IP Address to your device (or entered its MAC address and configured it as such, inside the router/wireless access point.
Did you make sure that he did actually do so? Ask him to confirm this for you. I'm saying this because if he (the School Network Administrator) hadn't configured your device to have access to your school's network, you'll be wasting your time trying to access it, 'cos as you know, it is a secure network hence, it can not identify your device.
The only way that your device could be identified to access the school's network (never mind the settings provided in your opening post), is only, and only if, it had been configured in the ACL - Access Control List within the router, otherwise every Tom, **** and Harry would simply access the school's network, willy-nilly and wreak all sorts of havoc. See what I mean?
If indeed, he (the School Network Administrator) had given you access to the school's network, just ask him or her to give you the IP Address that he assigned to your device and then enter it in the Wi-Fi configuration of your network in Trinity, as you had been doing and everything should work fine - no more headaches!!
BOTTOM LINE:
If there is no entry for your device in the Access Control List of the school's router/wireless access point, you've got no chance 'cos your device would be refused access at all times because the router/wireless access point does NOT recognise it.
You ask him (the School Network Administrator) to give access to your device - either by using it's MAC address or IP Address), then you'll be laughing 'cos then you'll be able to have access, wirelessly.
I do hope that this gives you pointers to help solve your problem 'cos that's the only solution that I can offer.
kiwi992.

Sorry to bring alive an old post, but I have been receiving the exact same message requiring a "personal certificate." What I don't understand is that the network prompts me for my username/password - each device is not set up individually. For example, I can take my laptop to school and connect to the network as long as I have my username and password. What is the difference between XP and WM6 in this respect? Why can't I just enter my user/pass on my Wing and connect just like I would with a laptop?

Absence said:
Sorry to bring alive an old post, but I have been receiving the exact same message requiring a "personal certificate." What I don't understand is that the network prompts me for my username/password - each device is not set up individually. For example, I can take my laptop to school and connect to the network as long as I have my username and password. What is the difference between XP and WM6 in this respect? Why can't I just enter my user/pass on my Wing and connect just like I would with a laptop?
Click to expand...
Click to collapse
This has bugged me for a long time with Windows Mobile 5/6 & 802.1x with PEAP (WEP & WPA/WPA2). You should in theory be able to just use MSCHAPv2 and a Username/Password to authenticate yourself but there seems to be no way of turning off the client checking the servers validity - i.e. having a valid & trusted certificate (you can disable this checking with Windows XP's 802.1x supplicant). So all you should need is the servers public certificate installed on your device.
When I was testing this a while ago I had some sucess but the 'personal certificate' message was a problem. In the end I just enrolled the device with the domains CA and have a personal certificate installed (as well as the CA's certificate which gets installed at the same time).
Enrolling for certificates is much easier now with Windows Mobile 6 and ActiveSync 4.5 since you can enroll the device from ActiveSync on the host PC.
HTH
Andy

Interesting, Andy,
I haven't yet had the chance to test this change yet, but a few searches has turned up a registry key that we can add -
(quoted from somewhere on the internet)
"The only thing you have to do is to add a DWORD Regestry Entry under HKEY_LOCAL_MAICHNE-->Comm-->EAP-->Extension-->25
Name:"ValidateServerCert"
Value: 1 to activate Validation, 0 to turn it off"
Have you tried making this change before just registering a certificate? If it doesn't work, do you remember the basic steps for retrieving a certificate from a computer via activesync? If I do transfer a certificate from a laptop, do I need to register the device with the administrator? It seems that everyone from the IT department I've talkd to has no idea what they're talking about.

wifi network questions on HTC HD2

Hi,
Using a HTC HD2 I am trying to access my home network via WIFI (WPA2/PSK - AES). Some of it works, some of it doesn't and I was hoping some of you would be able to point me in the right direction:
I can connect to intranet pages (for instance utorrent web interface) via IP, but not via hostname.
I cannot connect to network (smb) shares at all, either via IP or hostname.
A program which requires the hostname to work (since I use it over Hamachi VPN as well as locally and don’t want to change the IP based on how I use it) does work over Hamachi and not over WIFI.
I'm quite confused
Any help would be greatly appreciated!
Cheers,
Elco

Sounds like your DNS isn't working. Do you have custom DNS servers configured in the "Name Servers" tab of network card config?

Yhanks for responding!
It should get it from DHCP (though I have tried assigning a static IP and dns, but this gave the same result)
Also, I have another older win mobile device, and with the same setttings it does allow me to access the network shares (by IP and hostname)
I've combed all settings regarding wifi and network, but since they are the same I am guessing it is probably a different at the registry level?
The HTC HD2 does have 2 broadcom wifi adapters mentioned though, a normal one and one with a DHD postfix.
Cheers,
Elco

@Talisman_: same problem here. have you solved it?

Exactly same problem on xperia x2. I just set on manual temporary.

Are you using Hamachi on your phone?
Did you have this problem prior to installing Hamachi?
The reason being is Hamachi installs a network interface which exists whether or not Hamachi is running
You may want to check your Data Connection settings and see if it has applied the "requires a proxy" setting

What are you using as your DNS server though, that is the question.
If it's your broadband router, then chances are it won't be able to serve DNS requests for internal devices (ie computers on your home network).
If that's the case, you'll need a proper DNS server (get an old PC and install Linux) and create a local domain such as home.local, or if you've got a registered domain, you can even set it up the same (domain.com for instance) just tell the DNS server it's the domain master.
It's been yonks since I played around with Linux so I can't tell you how, much easier with Windows Server
Some people advise against using the same public domain name as an internal domain name, but it just means you add A records for any public addressess such as WWW.domain.com or mail.domain.com if it's accessable outside your network as well as inside.
Alternatively, if you're only going to be accessing them via the home network then you could try adding a few hosts to your registry (use the windows calc or similar to convert each IP address number to Hex)
http://windowsmobilepro.blogspot.com/2006/04/etchosts-file-equivalent-in-windows.html
As always, you modify the registry at your own risk.