Database Users

l2tp VPN on JASJAR

Hi, has anyone successfully used l2tp on their JASJAR (using a certificate, not a shared secret)?. For some reason our certificate does not seem to work on the JASJAR, it works fine with Windows Mobile 2003 SE devices, but on Windows Mobile 5 the l2tp connection just fails directly (complaining about the username/password) without sending one bit of information to the VPN server. Any help is appreciated.
Kim

I FOUND THE REASON!
It´s the smart dialer. Deactivate it by removing the operator phone skin
* The setting is at 'HKEY_LOCAL_MACHINE\Security\Phone\Skin'
* The 'Enabled' value must be set to '0' to show the default skin
In case if you like your operator´s buttons more than the default, delete or rename the 'ext' value. Unfortunately the button for video calls is removed by these actions. But L2TP VPN will work instead.

If you guys want a good and secure remote desktop program try:
http://www.logmein.com
Change resolution to 640x480 and you have a full desktop pc on yout universe.
Believe me it's the best.

df2jh said:
I FOUND THE REASON!
It´s the smart dialer. Deactivate it by removing the operator phone skin
* The setting is at 'HKEY_LOCAL_MACHINE\Security\Phone\Skin'
* The 'Enabled' value must be set to '0' to show the default skin
In case if you like your operator´s buttons more than the default, delete or rename the 'ext' value. Unfortunately the button for video calls is removed by these actions. But L2TP VPN will work instead.
Click to expand...
Click to collapse
Yeah! I can verify this, though nowadays I'm using an HTC TyTN, but the same problem still exists. Note though that you don't have to remove the operator phone skin, just disable smart dialing from the phone:
Menu/Smart Dialing Options.../[ ] Enable Smart Dialing
Now the VPN works, but it still might randomly fail IF you have your mailbox open The VPN will work again if you close the Inbox application, so no reboot is needed anymore. I have to look into the Inbox problem a bit more ...
Kim

I have tried this (diabling Smartphone) on my MDA Pro II, but still get the symptoms described above.
The basics work (PPTP, L2TP/IPSec with pre-shared key).
I have my SBS2003 CA authority cert installed in the Trusted certs stash. I assume that I need a device certificate.
I have a Windows Server CA. What type of certificate do I need to install, and how, to get the L2TP/IPSec client to pick up the right stuff.

Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G

gquipster said:
Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G
Click to expand...
Click to collapse
No - we now publish a TS session from our servers.

gquipster said:
Has anybody ever managed to get a connection to a Cisco VPN? I just can't get it to work at all :-(
G
Click to expand...
Click to collapse
Yes. Assuming that you are using IOS, you will need something like
Code:
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
! Not all of the options are necessary
interface Virtual-Template1
! BVI1 cd be some other interface
ip unnumbered BVI1
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly
ip route-cache flow
! Easier to get the IP address from a local pool
peer default ip address dhcp
ppp mtu adaptive
! optional
ppp lcp predictive
! eap only if you authenticate users by certificates
! You will need to ensure that it matches your
! aaa authentication ppp default ...
! You may also need a
! aaa authorization network ...
ppp authentication eap ms-chap-v2
! optional
ppp ipcp header-compression ack
! optional
ppp ipcp predictive
! necessary to get unique DHCP addresses
ppp ipcp username unique
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key <yourkey> address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map DYN-L2TP 100
set transform-set 3DESSHA
!
!
crypto map STATIC-L2TP 100 ipsec-isakmp dynamic DYN-L2TP
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
! whatever is needed for your external interface
!
crypto map STATIC-L2TP
for pre-shared key access.

Not to be stupid but IOS?
How would I set this up?
Being able to access work would be fantastic!!!
Thanks!!!
G

Sorry, but these are configuration commands for your Cisco router.

Ah yes there in lies the rub. It's work's VPN server which I want to access :-(
Been considering seeing if i can set up a VPN tunnel through my home firewall (Netgear) so theoretically I could connect over the net to my firewall and then over my firewall to works VPN but I don't know much about it to be honest

Wizard And Wpa??

Hey together,
I´m searching for an update or something else, so I can use my Wizard in a WPA wireless environment.
Can somebody help me, what I can do???
Thanks a lot
br
Martin

The Wizard has always supported WPA/WPA-PSK Authentication and TKIP Encryption. It is easy to set up but if you use the WPA-Enterprise (NOT WPA-PSK) with 802.1x PEAP or EAP-TLS then it requires Certificates to be installed on your device. Server Certificates can be installed easily by way of a .CAB file but you must enroll for Client Certificates. HTC include a Certificate Enrollment untility the 'Wireless' utility, however this requires a Windows 2000/2003 CA Server and cannot enroll with other CA's.
AKU 3.x added support for WPA2/WPA2-PSK Authentication and AES Encryption, however since a real AKU 3.x update has never been provided for the Wizard there are only hacked versions available (Faria's etc). I can confirm though that Faria's AKU 3.3 ROMs have this support and it does work (I am now only using WPA2 & AES at home and it works well). WPA2 has the same authentication requirements as WPA (i.e. Certificates).
Setting the Wireless AP's up varies on each device type, plus WPA-PSK/WPA2-PSK doesn't require Radius server(s) configuring whilst WPA/WPA2 does.
Andy

WiFi settings

I want to make a WiFi connection on my school. But I have to make some setting changes. I have the HTC Trinity with WM6.
I have to satisfy to these settings:
- Wlan network name: tue
- Security mode: 802.1x with dynamic WEP keys
- Authentication protocol: PEAP with MSCHAPv2
- Root certificaat: GTE Cybertrust Global Root
Where do I make these changes?

On your's school router or wifi access point in your school

but sadly I have to make these changes on my pda
According to school these are the settings specially made for smartphones/pda

Markos said:
but sadly I have to make these changes on my pda
According to school these are the settings specially made for smartphones/pda
Click to expand...
Click to collapse
If it is set on your's router in school, then your PDA or smartphone will see these settings automatically
Otherwise look in start-settings(instellingen)-connections(verbindingen)-wi-fi, there you can add new network connection and apply these settings

But that's the problem.. I can't apply these settings.
When I configure Netwerk Authentication I'll come till "Use IEEE 802.x network acces control"
When I select this and choose for PEAP and I want to change the Properties I get this message:
Warning
Cannot log on to the wireless network. This network requires a personal certificate to positively identify you
Click to expand...
Click to collapse
Where can I make and/or change this personal certification?

been having the same message, anyone knows where to find the certificate?

Hi,
So,
1. You want to connect wirelessly to your School's network, right? .......and that
2. The network settings that you stated in your opening post were given to you by your School Network Administrator, right? ......finally, that
3. Your School Network Administrator had indeed, ACTUALLY given authority to your device (HTC Trinity) in the Access Control List to access the school's network, right?
In that case, he (the School Network Administrator) MUST have assigned an IP Address to your device (or entered its MAC address and configured it as such, inside the router/wireless access point.
Did you make sure that he did actually do so? Ask him to confirm this for you. I'm saying this because if he (the School Network Administrator) hadn't configured your device to have access to your school's network, you'll be wasting your time trying to access it, 'cos as you know, it is a secure network hence, it can not identify your device.
The only way that your device could be identified to access the school's network (never mind the settings provided in your opening post), is only, and only if, it had been configured in the ACL - Access Control List within the router, otherwise every Tom, **** and Harry would simply access the school's network, willy-nilly and wreak all sorts of havoc. See what I mean?
If indeed, he (the School Network Administrator) had given you access to the school's network, just ask him or her to give you the IP Address that he assigned to your device and then enter it in the Wi-Fi configuration of your network in Trinity, as you had been doing and everything should work fine - no more headaches!!
BOTTOM LINE:
If there is no entry for your device in the Access Control List of the school's router/wireless access point, you've got no chance 'cos your device would be refused access at all times because the router/wireless access point does NOT recognise it.
You ask him (the School Network Administrator) to give access to your device - either by using it's MAC address or IP Address), then you'll be laughing 'cos then you'll be able to have access, wirelessly.
I do hope that this gives you pointers to help solve your problem 'cos that's the only solution that I can offer.
kiwi992.

Sorry to bring alive an old post, but I have been receiving the exact same message requiring a "personal certificate." What I don't understand is that the network prompts me for my username/password - each device is not set up individually. For example, I can take my laptop to school and connect to the network as long as I have my username and password. What is the difference between XP and WM6 in this respect? Why can't I just enter my user/pass on my Wing and connect just like I would with a laptop?

Absence said:
Sorry to bring alive an old post, but I have been receiving the exact same message requiring a "personal certificate." What I don't understand is that the network prompts me for my username/password - each device is not set up individually. For example, I can take my laptop to school and connect to the network as long as I have my username and password. What is the difference between XP and WM6 in this respect? Why can't I just enter my user/pass on my Wing and connect just like I would with a laptop?
Click to expand...
Click to collapse
This has bugged me for a long time with Windows Mobile 5/6 & 802.1x with PEAP (WEP & WPA/WPA2). You should in theory be able to just use MSCHAPv2 and a Username/Password to authenticate yourself but there seems to be no way of turning off the client checking the servers validity - i.e. having a valid & trusted certificate (you can disable this checking with Windows XP's 802.1x supplicant). So all you should need is the servers public certificate installed on your device.
When I was testing this a while ago I had some sucess but the 'personal certificate' message was a problem. In the end I just enrolled the device with the domains CA and have a personal certificate installed (as well as the CA's certificate which gets installed at the same time).
Enrolling for certificates is much easier now with Windows Mobile 6 and ActiveSync 4.5 since you can enroll the device from ActiveSync on the host PC.
HTH
Andy

Interesting, Andy,
I haven't yet had the chance to test this change yet, but a few searches has turned up a registry key that we can add -
(quoted from somewhere on the internet)
"The only thing you have to do is to add a DWORD Regestry Entry under HKEY_LOCAL_MAICHNE-->Comm-->EAP-->Extension-->25
Name:"ValidateServerCert"
Value: 1 to activate Validation, 0 to turn it off"
Have you tried making this change before just registering a certificate? If it doesn't work, do you remember the basic steps for retrieving a certificate from a computer via activesync? If I do transfer a certificate from a laptop, do I need to register the device with the administrator? It seems that everyone from the IT department I've talkd to has no idea what they're talking about.

WPA2-Enterprise

I have tried searching the forums information about the possibility to use WPA2-Enterprise on Windows Mobile. What i have found is that is not currently implemented in WM6. Does anyone have information if it implemented in WM6.1? Are there any 3:rd party applications that can give you access to a WPN2-Enterprise network?
//Awi

WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the
Wireless LAN setup dialogs in WM6v1.

vdot said:
WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the
Wireless LAN setup dialogs in WM6v1.
Click to expand...
Click to collapse
There isn't a separate WPA2-Enterprise, it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authenticaion requests to. This is in contrast to WPA-PSK and WPA2-PSK that uses a Pre-Shared-Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication, however WM5/6 only supports two EAP types - PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy

ADB100 said:
There isn't a separate WPA2-Enterprise, it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authenticaion requests to. This is in contrast to WPA-PSK and WPA2-PSK that uses a Pre-Shared-Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication, however WM5/6 only supports two EAP types - PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy
Click to expand...
Click to collapse
hi currently my co is using peap via certificate..however the certificate can be found onli in the laptop. do you think i can export it out from the laptop and import to the pda? thanks

devil_82 said:
hi currently my co is using peap via certificate..however the certificate can be found onli in the laptop. do you think i can export it out from the laptop and import to the pda? thanks
Click to expand...
Click to collapse
All you need on the PDA is the servers public certificate to be in the Root Certificate store, you don't actually need a personal certificate on the PDA (unless you are performing PEAP with user certificates as opposed to PEAP with EAP-MSCHAPv2). To do this you would need to export it from the server or your PC and then import it on your PDA.
There is a post in another thread about disabling the certificate validation with WM5/6 which I haven't tried but looks like it should work and you wouldn't need to import the certificate:
http://forum.xda-developers.com/showthread.php?t=283380
Andy

wifi network questions on HTC HD2

Hi,
Using a HTC HD2 I am trying to access my home network via WIFI (WPA2/PSK - AES). Some of it works, some of it doesn't and I was hoping some of you would be able to point me in the right direction:
I can connect to intranet pages (for instance utorrent web interface) via IP, but not via hostname.
I cannot connect to network (smb) shares at all, either via IP or hostname.
A program which requires the hostname to work (since I use it over Hamachi VPN as well as locally and don’t want to change the IP based on how I use it) does work over Hamachi and not over WIFI.
I'm quite confused
Any help would be greatly appreciated!
Cheers,
Elco

Sounds like your DNS isn't working. Do you have custom DNS servers configured in the "Name Servers" tab of network card config?

Yhanks for responding!
It should get it from DHCP (though I have tried assigning a static IP and dns, but this gave the same result)
Also, I have another older win mobile device, and with the same setttings it does allow me to access the network shares (by IP and hostname)
I've combed all settings regarding wifi and network, but since they are the same I am guessing it is probably a different at the registry level?
The HTC HD2 does have 2 broadcom wifi adapters mentioned though, a normal one and one with a DHD postfix.
Cheers,
Elco

@Talisman_: same problem here. have you solved it?

Exactly same problem on xperia x2. I just set on manual temporary.

Are you using Hamachi on your phone?
Did you have this problem prior to installing Hamachi?
The reason being is Hamachi installs a network interface which exists whether or not Hamachi is running
You may want to check your Data Connection settings and see if it has applied the "requires a proxy" setting

What are you using as your DNS server though, that is the question.
If it's your broadband router, then chances are it won't be able to serve DNS requests for internal devices (ie computers on your home network).
If that's the case, you'll need a proper DNS server (get an old PC and install Linux) and create a local domain such as home.local, or if you've got a registered domain, you can even set it up the same (domain.com for instance) just tell the DNS server it's the domain master.
It's been yonks since I played around with Linux so I can't tell you how, much easier with Windows Server
Some people advise against using the same public domain name as an internal domain name, but it just means you add A records for any public addressess such as WWW.domain.com or mail.domain.com if it's accessable outside your network as well as inside.
Alternatively, if you're only going to be accessing them via the home network then you could try adding a few hosts to your registry (use the windows calc or similar to convert each IP address number to Hex)
http://windowsmobilepro.blogspot.com/2006/04/etchosts-file-equivalent-in-windows.html
As always, you modify the registry at your own risk.