Anyone using OpenVPN with CM7? - EVO Shift 4G General

I was wondering if anyone was using OpenVPN with CM7 here, and if so -- are you able to successfully use the extra arguments area to set --tls-auth arguments?
I have my key for TLS auth stored in a folder called openvpn on my SD card...
I am using:
--tls-auth /mnt/sdcard/openvpn/static.key 1
in the additional arguments section. I've done MD5 compares between the server static.key and what's on the phone, and they are identical. The server is OpenVPN running on TomatoUSB, and "Extra HMAC Authorization" on the server is set to "Incoming (0)".
The configuration works fine with my laptop, but on my phone it does not seem to be picking up the option... The server log shows it attempting and throwing the error "TLS Error: cannot locate HMAC in incoming packet"
If I turn Extra HMAC Authorization off on the server, I connect fine. The reason I am wondering if the argument is even being picked up is because if I leave it in there, and disable tls-auth on the server, it connects without complaint. From what I understand, both the server and client need to have the option set or unset, otherwise a connection cannot be negotiated.
Anyone else?
Thanks,
Rick
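An added check for the tls-auth question above (example code, not part of the original post or of OpenVPN/TomatoUSB): it parses a static key file, hashes the key bytes rather than the file text so CRLF/LF copies still compare equal, and works out which HMAC key each side sends and receives with for a given key direction, so you can confirm that server "Incoming (0)" and client "1" are the matching pair. The sample key is constructed (bytes 0x00..0xff) and the 4 x 64-byte slot layout is my assumption about the key file format.

```python
import hashlib

# Constructed 256-byte sample key (NOT a real key): just the bytes 0x00..0xff,
# written out in the text format that `openvpn --genkey` produces.
SAMPLE_KEY_BYTES = bytes(range(256))
SAMPLE_STATIC_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(SAMPLE_KEY_BYTES.hex()[i:i + 32] for i in range(0, 512, 32))
    + "\n-----END OpenVPN Static key V1-----\n"
)
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def parse_static_key(text):
    """Return the 256 raw key bytes; '#' comment lines and blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing OpenVPN Static key V1 header/footer")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    key = bytes.fromhex("".join(ln for ln in body if ln and not ln.startswith("#")))
    if len(key) != 256:
        raise ValueError("expected 256 key bytes, got %d" % len(key))
    return key


def hmac_keys(key, direction):
    """Return (send_hmac_key, recv_hmac_key) for a --tls-auth key direction.

    Assumed file layout, 4 x 64-byte slots: cipher key 0, HMAC key 0,
    cipher key 1, HMAC key 1. Direction 0 sends with slot 0 and receives
    with slot 1; direction 1 is the inverse. tls-auth only uses HMAC slots.
    """
    if direction not in (0, 1):
        raise ValueError("key direction must be 0 or 1")
    hmac_slot = (key[64:128], key[192:256])
    out_slot, in_slot = (0, 1) if direction == 0 else (1, 0)
    return hmac_slot[out_slot], hmac_slot[in_slot]


def directions_compatible(server_dir, client_dir, key):
    """True when each side's send key is the other side's receive key."""
    s_send, s_recv = hmac_keys(key, server_dir)
    c_send, c_recv = hmac_keys(key, client_dir)
    return c_send == s_recv and s_send == c_recv


def key_fingerprint(text):
    """MD5 of the parsed key bytes, so CRLF vs LF copies still compare equal."""
    return hashlib.md5(parse_static_key(text)).hexdigest()
```

If `directions_compatible(0, 1, key)` is true for your key but the server still logs "cannot locate HMAC in incoming packet", the client is not applying the option at all rather than using the wrong half of the key.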

Related

ActiveSync Exchange Issues

Hi guys,
Got my new TyTN out the box, set it up with some of my files, now I am trying to sync with my Exchange server.
If I take off SSL, it tells me I don't have permission to initiate sync, which I know I do, because I set it up on my account.
If I put SSL on, it says the server cannot be reached.
Could someone out there please help me. I have been trying for weeks; in the end I thought it was the unit, so this is my new unit now.
Be sure that the OWA folder (http://yourserver/exchange) has "require SSL" unticked in the security options of IIS; also check that integrated authentication is ticked.
Check that your TyTN trusts the CA and that the cert matches the server name (with both internal/external DNS if possible).
If you want to go without SSL (which is far from being a good idea; everything will go through the network in plain text) have a check in the server log; there will be a critical event explaining what is going on and what to do in that case.
Hi man,
Thanks for the response, how do I issue the CA certificate for the TyTN from the server?
Is that maybe my problem that the relationship between the device and the server hasn't been established properly?
I just want to get my e-mail, why has microsoft made it such an issue?
Surely if you enter in all the correct details for the server and the user account it should work, just like setting up the IMAP with the send and receive schedule like you used to on the IIi's?
Appreciate the help mate
Thanks
Microsoft denies you access to your email if you don't trust the CA. This is normal and a part of the SSL security; SSL certs are used to cipher AND to auth.
If the certificate is not issued by a trusted root CA it won't be trusted by your device. You have to connect to http://ca_server/certsrv and there select "download" CA cert. Just transfer the cert to your device and set it up. If you cannot access the CA web service that way you may be able to gather the certificate while surfing to the OWA with Explorer: go to https://your_server/exchange, click on the little lock, go to "certification path", double click the certificate on the top of the "tree", go to details and select save to file. Select *.cert format and then finally send this file to your PPC.
No can't connect to the Cert page, and with the OWA page, if you mean the little lock that appears at the bottom of some web pages in one of the blocks, I don't get that with my OWA. I am a bit lost...
ruski said:
No can't connect to the Cert page, and with the OWA page, if you mean the little lock that appears at the bottom of some web pages in one of the blocks, I don't get that with my OWA. I am a bit lost...
Use https://your/owa instead of http://your/owa. Using the OWA without cipher is far from being a good idea; your user/password (which is in fact an Active Directory user, that has some power) goes in plain text through the internet.
aaw, man, Thanks so much, I see now... OK, I will get the certificate off tomorrow and copy it onto my Tytn. I really hope that works! Thanks for your help!
OK, now I have made the certificate and copied it onto the TyTN. Still says "The server could not be reached! Support code: 0x80072EE2".
Ok, just want to check, when setting up the server, under server name, I have the servers external IP address. SSL is ticked, the user name and password and domain should be correct, username is @domain.local
Other than that, not much complicated; I don't seem to be understanding Microsoft's issue here. I have searched for white papers, which seem to be very vague, and there is no step by step on how to set it up.
Hooooaarg speaking english is giving me headache
You are only satisfying one of the requirements for now:
- Your TyTN trusts your CA
In IIS you have issued a certificate to a name, for instance server.domain.local; if you contact this server through an SSL connection by another name you will get an error: the name you accessed doesn't match the name in the certificate, so for IE and your PPC the security may be compromised. In ActiveSync, under server name, you have to enter the exact same name you entered when you issued the SSL certificate in IIS; if it is internal (server.domain.local) it will only work as long as you are on your network. There are several ways to solve that; you can revoke this certificate in IIS and issue a new one matching your external DNS. With this solution you will be able to set up your ActiveSync to connect through the external name of your server; keep in mind that NAT forwarding must be configured to route the traffic from the HTTP socket (80) to the Exchange server.
You can also set up a VPN server (L2TP/IPsec should work fine), so that you will always be on the internal network and so able to get your email. This should be the safest way to go, but I guess that it generates more traffic, thanks to the encapsulation; so if you are greedy and pay per byte, avoid this solution.
You could, at last, also disable the SSL encryption; but in my opinion this is FAR from being the good way to go, it should only be used for testing purposes.
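The name-matching rule described in the reply above, as an added example that is not part of the original thread: given certificate data in the shape Python's ssl.SSLSocket.getpeercert() returns, it reports whether the name typed into ActiveSync (internal name, external name, or a bare IP address as ruski used) is one the certificate is actually valid for. The certificate dictionaries, the external name mail.example.com and the address 203.0.113.10 are all constructed for the example.

```python
import ipaddress

# Constructed certificate descriptions in the shape that Python's
# ssl.SSLSocket.getpeercert() returns (no real certificates involved).
INTERNAL_CERT = {  # what IIS issued to the internal name only
    "subject": ((("commonName", "server.domain.local"),),),
    "subjectAltName": (("DNS", "server.domain.local"),),
}
REISSUED_CERT = {  # reissued to cover the (hypothetical) external name too
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "server.domain.local")),
}


def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for attr, v in rdn if attr == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard may only replace the whole left label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # require e.g. *.example.com, not *.com, and no partial-label wildcards
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def server_name_ok(cert, configured_name):
    """Would a client that types configured_name into ActiveSync accept cert?"""
    try:
        ip = ipaddress.ip_address(configured_name)
    except ValueError:  # a hostname, not an IP literal
        return any(name_matches(n, configured_name) for n in cert_dns_names(cert))
    # An IP literal only matches an "IP Address" SAN, never a DNS name or CN.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]
    return any(ipaddress.ip_address(v) == ip for v in sans)
```

Trusting the CA on the device fixes the chain check only; `server_name_ok(INTERNAL_CERT, "203.0.113.10")` being false is the second failure an external IP in the server field runs into.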
If you can speak afrikaans I will happily change! lol
OK, if I turn off SSL and connect to the server's external IP, it says I don't have permission to synchronise.
If I turn on SSL it tells me the server can't be reached; wish it would make up its mind.
I am not very good with IIS, I am staring at it now. I am not sure if I did the certificate thing right. As there are 2 options to export, DER encoded and Base-64, I used DER first time round.
If I try and access the server name, i.e. https://servername, it says I cannot use my existing connection and must check properties.....
Thanks for your help man!
You may want to check that you are also forwarding port 443, or whatever port you are using for HTTPS access for external use, at the server end.
You had to get ActiveSync permitted for your account (by administering it with "Active Directory Users and Computers" in one of the tabs for your users) but you also need it activated on the Exchange "System Manager" under organisation settings (have a look at www.httpsync.net).
André

Exchange Sever Push Email Setup - Stuck at Password Prompt

Hi all,
I am new to the HTC (just got one this week), and would love to get push email working from my Exchange 2003 server.
I have used the reg hack to stop WM5 from requiring a valid SSL cert, and installed my Exchange 2003 server's SSL certificate on my device.
However, when I try to connect, the device keeps prompting me for my password, and does not accept it when I enter it.
I have seen this on other forums, but never seen a solution to it. I would be very grateful for any advice.
Great site btw!
First of all, you don't need a reg hack to get SSL working.
Just look at this site for your server:
http://www.visualwin.com/SelfSSL/
Follow these steps. Remember, if your server is available under
https://blabla.com/exchange, name your SSL certificate: blabla.com
After this go to https://blabla.com/exchange and install the certificate in your IE on your PC.
Then in IE: Tools -- Options -- Content -- Certificates -- Trusted.
Find your certificate and export it to your desktop. Now with ActiveSync transfer your certificate to your mobile and install it, just by clicking on it.
Now the problem that you have is the auth part on your IIS on the microsoft-active-sync virtual directory.
On the default directory set plain, NTLM, and Windows integrated
auth options on.
On the microsoft-active-sync only the plain text and NTLM.
If this won't work play around with auth settings on the microsoft-active-sync virtual dir. Trial and error, but somewhere there is your answer and your problem.
IMPORTANT: turn off "require secure channel (SSL)" on your server.
Windows Mobile cannot work with that.
Yeah, SSL needs to be enabled and set up on the Exchange server. Also check your user policies to make sure they are set up correctly. We set up Exchange systems daily at work and the most common problem we see is someone has messed up their policies in Exchange.
Thanks for the replies.
I have had another crack, but am now getting an error on ActiveSync when syncing:
Support Code: 0x85010014
I am not sure what this points to....
I am still a little confused with my IIS6 authentication settings.
My "Exchange" vdir is set to Integrated and Basic authentication.
My "Microsoft-Server-Activesync" app is set to basic only.
My "OMA" app is set to basic only.
The "Exchange" vdir is the only one set to require ssl connections.
Thanks again for your time.
Fixed it! Followed this guide from Microsoft that helps create an oma directory especially for use by Activesync without using SSL:
http://support.microsoft.com/default.aspx?kbid=817379

ActiveSync config for Exchange

Trying to set up ActiveSync on my Telus P4000 (Titan), although the issue should be the same with an WM6.1 phone...
I can't for the life of me figure out the right server settings to enter in the Configure Server section, and I have yet to find a definitive "this is how you do it" procedure for it. As near as I've been able to glean, for the "Server address" section, you give it JUST the domain name of the Exchange server, without an http:// or a /exchange or /oma or anything... correct so far? But the catch in my particular instance is that Exchange web access is on port 8080, rather than 80 or 433.
I've tried adding a :8080 to the server address, I've tried adding the http:// and/or https://, I've tried adding the /oma and /exchange to the end, and all combinations of the above, with no luck... when I go back into the settings, it's reverted to JUST the domain name. Is there somewhere else I can tell it to use a non-standard port? Registry key, maybe?
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SSL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
Soundy106 said:
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SSL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
You will probably have to install a certificate on the phone to be able to communicate with the Exchange server. At least I had to...
playerkiller said:
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
I've searched everywhere for info on using non-standard ports for activesync, and I haven't found anything, and I couldn't get it to work.
jeen said:
You will probably have to install a certificate on the phone to be able to communicate with the Exchange server. At least I had to...
Yeah, did that... still not helping
Exchange ActiveSync cannot access the server if SSL is set to be required. For
information about how to correctly configure Exchange virtual directory
jeen is right. Unless the certificate is issued from a Trusted Certificate Authority, you will need to import the issuing CA into the Root Certification Authority store of your phone.
If it's a self signed cert, just export it from exchange server (without Private key) and copy it to your phone. Then, double click it from File Manager. This should be enough.
^Yeah, I did that right off the top (see my reply to jeen). Still no joy.
Perhaps Tendulkar can finish his thought...
To disable SSL requirements for the ActiveSync service is very easy:
Win2003 (IIS 6.0)
Open IIS on your CAS, expand the Default Website (or the website where the AS virtual dir resides), right click on Microsoft-Server-ActiveSync and choose Properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove the flag from Require Secure Channel.
Obviously click OK.
Win2008 (IIS 7)
Open IIS Manager.
Navigate through site, default website, highlight Microsoft-Server-ActiveSync.
Make sure you have the features view selected (should be by default).
Choose SSL Settings.
Unflag "Remove SSL".
Obviously click Accept.
playerkiller said:
To disable SSL requirements for the ActiveSync service is very easy:
Win2003 (IIS 6.0)
Open IIS on your CAS, expand the Default Website (or the website where the AS virtual dir resides), right click on Microsoft-Server-ActiveSync and choose Properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove the flag from Require Secure Channel.
Obviously click OK.
Hmmm... "require SSL" was already un-checked. I've re-checked it, let's see what happens with that.
OK lemme know.
Make sure you have the same root certificate installed also. You have to trust the same certificate authority as the certificate that you have on your Exchange server.
Did anyone find a solution?
I am having the same problem. Certificate installed and tried all connection settings that I can find on the internet. Cannot get ActiveSync to sync with my server (same certificate error, but the hosting company states they tested with WM6.1 and all is working fine on their end) and also cannot get Windows Live Messenger to work; it states there's a connectivity problem. Funny thing is MMS, surfing the net with IE, and Google Maps with GPRS work fine. Only Microsoft network products are not working. My phone is a Palm Treo Pro with WM6.1 Professional, Vodafone version but bought in China, and I have since added the A4 Chinese text editor, which I think could be the problem, but I need to hard reset the phone to check. Any ideas? Better yet, any solutions?
One tip for getting this working in my case (same certificate errors) was that I had to get the certificate off the internally facing OWA server, rather than the externally facing version. Although they're both the same server, the external one goes through an IAS box which seems to be presenting its own certificate rather than the one on the exchange server. Don't ask me - I don't run the system.
As soon as I add the Internal version of the cert, Exchange, OTA Sync and ActiveSync spring into life.

more vpn pain

Hi all, I was wondering if anyone could help with setting up a VPN at my home.
The router/firewall that acts as a server is a Netgear DG834G and I would like to connect my HD. I never get to connect and the errors are:
- when I use the IP address it asks for login & password. I haven't set up any login/pass in the router as there is NO possibility to do that! Then I try to log in as administrator (from the local PCs) and the error is "the remote party has ended this connection." Same thing if I leave both fields blank.
- when I use the DynDNS alias everything happens the same way but the error msg I get then is "VPN server problems. Verify your username and password, and try again etc etc".
Note that I have set up both machines to use IPsec with a pre-shared key which is typed correctly (it seems to be recognized/accepted by the router).
Am I missing something stupid here or does my router simply not support WinMo?
Any help/tip will be highly appreciated. Thanks!
Check the MAC address filtering tables, or try to experiment with different authentication modes.

[Q] L2TP over IPSec PSK issues?

Hey all,
Just wondering if anyone got L2TP over IPsec using a pre-shared key to work on their tablet. I keep getting a bad username and password error. The server says that it was a CHAP authentication error. I use the username and password on my laptop without problem. I am using Astaro v8 as my VPN server.
Thanks!
Having the same problem here with Astrill, connects no problem on my Captivate....any ideas??
Before anyone thinks I'm retarded, I'd like to point out my iphone and computer connect properly.
I turned on debugging in the logs on my VPN server and the only noticeable difference I can see is that the Iconia A500 sends over the password as an MD5 hash. My iPhone sends it as MS-CHAP v2. Probably why I get a bad username/pass error.
Finally got it working.
I'm not too familiar with Astrill, but on Astaro I had to require mschap-v2 authentication. There's no option in the WebUI for that so I had to ssh into it and make the change to the configuration file directly.
