**[[nokia:vpn_update | additional updated information ]]**
====== Nokia E71 and Openswan 2.4.x ======
I am trying to use my Nokia E71 with Openswan 2.4.x. Unfortunately the very same VPN/IPsec configuration that used to work with my old E60 does not work anymore. On this page I document what I have tried. **Using XAUTH fixed the issue.**
Most of the stuff is stolen from http://www.thorsten-knabe.de/linux/e61.jsp
Contact: vpn@paepstin.info
====== Recent changes and notes ======
* **2008-12-07:** 3G problems might be related to [[o2:umts|"Broken PMM-IDLE or FACH to DCH transition (german)?"]]
* **2008-11-13:** The past few weeks I've noticed that the VPN is quite stable using wifi, but with 3G connections it's quite bad. It usually breaks after the first rekeying. Maybe the connection will be better after the first firmware upgrade.
* **2008-09-09:** //smallmeter// referred to some errors: http://discussions.europe.nokia.com/discussions/board/message?board.id=communicators&view=by_date_ascending&message.id=25220
* **2008-09-09:** //mjk2000// claims that the new VPN Client update will work without XAUTH. http://discussions.europe.nokia.com/discussions/board/message?board.id=communicators&thread.id=22142 I haven't verified that yet.
* **2008-08-22:** Changed rekey=yes to rekey=no. The phone will initiate rekeying after 3600s. This should succeed until the ikelifetime of 8h ends; after that, the VPN connection will break, no idea why.
* **2008-08-22:** Explained the patch //New NAT traversal preference//
====== Notes ======
If you need NAT-T you should change vendor.h as described in [[vpn#new_nat_traversal_preference|New NAT traversal preference]].
====== Certificate generation ======
I used the pkitool from http://www.openvpn.net
* adjust ''vars''
* ''. vars'' (source vars)
* ''./clean-all'' (clean keys)
* ''./pkitool --initca'' (initialize the root CA) -> ''keys/ca.crt''
* ''./pkitool --server fqdngw'' (generate the server certificate for use on the gateway) -> ''keys/fqdngw.key'', ''keys/fqdngw.crt''
* ''./pkitool fqdncl'' (generate a client certificate) -> ''keys/fqdncl.key'', ''keys/fqdncl.crt''
===== Preparing certificates =====
Merging the client certificate and the client private key into one PKCS#12 file:
<code>
openssl pkcs12 -export -in fqdncl.crt -inkey fqdncl.key -out fqdncl.p12
</code>
Converting the root CA from PEM to DER:
<code>
openssl x509 -inform PEM -outform DER -in ca.crt -out ca.cer
</code>
===== Why using the same certificate everywhere is not a good idea =====
FIXME
====== Gateway configuration ======
I tried pre-shared key and certificate based authentication.
**ipsec.secrets**
<code>
: PSK "mypassword"
: RSA /etc/ipsec.d/private/fqdngw.key
</code>
PSK should be self-explanatory. RSA is the //unencrypted// private key of the gateway certificate.
**e71.conf - PSK**
:!: Enable XAUTH (the ''leftxauthserver''/''rightxauthclient'' lines) and it will work.
<code>
conn E61
    # Key exchange
    ike=aes256-sha1-modp1536
    # Data exchange
    esp=aes256-sha1
    # Authentication method PSK
    authby=secret
    auto=add
    keyingtries=10
    rekey=no
    #keylife=3600s
    ikelifetime=8h
    pfs=no
    # Modeconfig setting
    modecfgpull=yes
    # local endpoint
    left=
    leftxauthserver=yes
    leftmodecfgserver=yes
    leftsourceip=10.28.39.1
    leftsubnet=0.0.0.0/0
    # remote endpoint
    right=%any
    rightxauthclient=yes
    rightmodecfgclient=yes
    rightsourceip=10.28.39.2
    rightsubnet=10.28.39.2/32
</code>
**e71.conf - RSA**
<code>
conn E61
    # Key exchange
    ike=aes256-sha1-modp1536
    # Data exchange
    esp=aes256-sha1
    # Authentication method RSA signatures (certificates)
    authby=rsasig
    auto=add
    keyingtries=10
    rekey=no
    #keylife=3600s
    ikelifetime=8h
    pfs=no
    # Modeconfig setting
    modecfgpull=yes
    # local endpoint
    left=91.143.80.246
    leftxauthserver=yes
    leftmodecfgserver=yes
    leftsourceip=10.28.39.1
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    leftcert=fqdngw.pem
    # remote endpoint
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightxauthclient=yes
    rightmodecfgclient=yes
    rightsourceip=10.28.39.2
    rightsubnet=10.28.39.2/32
</code>
* copy ''fqdngw.key'' to ''/etc/ipsec.d/private/''
* copy ''fqdngw.crt'' to ''/etc/ipsec.d/certs/''
* copy ''ca.crt'' to ''/etc/ipsec.d/cacerts/''
The paths might differ on other distributions.
====== Mobile configuration ======
Good news, it's now much easier to create a policy file:
<code>
zip mynewpolicy.zip mynewpolicy.pol mynewpolicy.pin
mv mynewpolicy.zip mynewpolicy.vpn
</code>
and with certificates:
<code>
zip mynewpolicy.zip mynewpolicy.pol mynewpolicy.pin ca.der fqdncl.p12
mv mynewpolicy.zip mynewpolicy.vpn
</code>
Move mynewpolicy.vpn to the mobile and start it. You're done.
===== e71.pol - pre-shared keys =====
**Set USE_XAUTH: TRUE**
<code>
SECURITY_FILE_VERSION: 3
[INFO]
keyvpn
[POLICY]
sa ipsec_1 = {
  esp
  encrypt_alg 12
  max_encrypt_bits 256
  auth_alg 3
  identity_remote 0.0.0.0/0
  src_specific
  hard_lifetime_bytes 0
  hard_lifetime_addtime 3600
  hard_lifetime_usetime 3600
  soft_lifetime_bytes 0
  soft_lifetime_addtime 3600
  soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1() }
inbound = { }
outbound = { }
[IKE]
ADDR: 255.255.255.255
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: scheff32
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 8 PASSWORD
</code>
===== e71.pol - certificate =====
**Set USE_XAUTH: TRUE**
<code>
SECURITY_FILE_VERSION: 3
[INFO]
certvpn
[POLICY]
sa ipsec_1 = {
  esp
  encrypt_alg 12
  max_encrypt_bits 256
  auth_alg 3
  identity_remote 0.0.0.0/0
  src_specific
  hard_lifetime_bytes 0
  hard_lifetime_addtime 3600
  hard_lifetime_usetime 3600
  soft_lifetime_bytes 0
  soft_lifetime_addtime 3600
  soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1() }
inbound = { }
outbound = { }
[IKE]
ADDR: 255.255.255.255
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 9
FQDN: scheff32
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: RSA_SIGNATURES
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
CAs: 1
FORMAT: BIN
DATA: certvpn-ca.cer
OWN_CERTS:
FORMAT: BIN
DATA: user-1.cer
PRIVATE_KEY_FORMAT: BIN
PRIVATE_KEY_DATA: user-1.key
</code>
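As an added example (not part of the original page), the following Python script cross-checks the [IKE] section of a Nokia .pol policy against the ipsec.conf conn it is supposed to talk to, so that a mismatch in cipher, hash, DH group, authentication method, XAUTH/ModeConfig or IKE lifetime shows up before anything is loaded onto the phone. The sample policy and conn embedded in it are constructed from the values shown on this page; the normalisation rules (AES256-CBC to aes256, MODP_1536 to modp1536, PRE-SHARED to secret, RSA_SIGNATURES to rsasig, LIFETIME_SECONDS against ikelifetime) are my assumptions about how the two notations correspond.

```python
"""Cross-check a Nokia VPN Client .pol policy against an Openswan conn.

Added example, not code from the page.  Both inputs below are constructed
from the values the page shows; the mapping between the two notations is
an assumption, not something the Nokia or Openswan documentation states.
"""
import re

POL = """\
[IKE]
ADDR: 255.255.255.255
MODE: MAIN
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
LIFETIME_SECONDS: 28800
"""

CONN = """\
conn E61
    # Key exchange
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    authby=secret
    ikelifetime=8h
    leftxauthserver=yes
    leftmodecfgserver=yes
"""

AUTH_MAP = {"PRE-SHARED": "secret", "RSA_SIGNATURES": "rsasig"}  # assumed correspondence


def parse_pol_ike(text):
    """Return the KEY: value pairs of the [IKE] section as a dict."""
    ike, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "IKE" and ":" in line:
            k, v = line.split(":", 1)
            ike[k.strip()] = v.strip()
    return ike


def parse_conn(text):
    """Return the key=value settings of one conn block, ignoring # comments."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            conn[k.strip()] = v.strip()
    return conn


def seconds(value):
    """Convert an ipsec.conf lifetime such as 8h, 3600s or 30m to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError("bad lifetime: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def pol_view(ike):
    """Normalise the phone policy to the vocabulary used by ipsec.conf."""
    return {
        "enc": ike.get("ENC_ALG", "").lower().replace("-cbc", ""),            # AES256-CBC -> aes256
        "hash": ike.get("HASH_ALG", "").lower(),                                # SHA1 -> sha1
        "group": ike.get("GROUP_DESCRIPTION", "").lower().replace("_", ""),     # MODP_1536 -> modp1536
        "auth": AUTH_MAP.get(ike.get("AUTH_METHOD"), ike.get("AUTH_METHOD")),
        "lifetime": int(ike.get("LIFETIME_SECONDS", "0")),
        "xauth": ike.get("USE_XAUTH", "FALSE").upper() == "TRUE",
        "modecfg": ike.get("USE_MODE_CFG", "FALSE").upper() == "TRUE",
    }


def conn_view(conn):
    """Normalise the gateway conn; Openswan defaults (authby=rsasig, ikelifetime=1h) filled in."""
    if "ike" not in conn:
        raise ValueError("conn has no ike= line; add one so the comparison is explicit")
    enc, hsh, group = conn["ike"].split("-")
    return {
        "enc": enc, "hash": hsh, "group": group,
        "auth": conn.get("authby", "rsasig"),
        "lifetime": seconds(conn.get("ikelifetime", "1h")),
        "xauth": conn.get("leftxauthserver", "no") == "yes",
        "modecfg": conn.get("leftmodecfgserver", "no") == "yes",
    }


def mismatches(pol_text, conn_text):
    """Return [(setting, phone_value, gateway_value)] for every setting that disagrees."""
    p, c = pol_view(parse_pol_ike(pol_text)), conn_view(parse_conn(conn_text))
    return [(k, p[k], c[k]) for k in sorted(p) if p[k] != c[k]]


if __name__ == "__main__":
    diffs = mismatches(POL, CONN)
    for setting, phone, gw in diffs:
        print("MISMATCH %-8s phone=%r gateway=%r" % (setting, phone, gw))
    if not diffs:
        print("phone policy and gateway conn agree")
```

Run it against your own files by reading them into POL and CONN; the XAUTH check is the one the page turned out to hinge on, and the lifetime check catches the 28800s versus ikelifetime mismatch that would otherwise only show up as a failed rekey.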
===== .pin file =====
For the certificate policy (''certvpn''):
<code>
[POLICYNAME]
certvpn
[POLICYDESCRIPTION]
Certificatebased
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit
</code>
For the pre-shared key policy (''keyvpn''):
<code>
[POLICYNAME]
keyvpn
[POLICYDESCRIPTION]
spezial
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit
</code>
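The .vpn bundle is just a zip, and the certificate .pol names its certificate and key files in DATA: and PRIVATE_KEY_DATA: lines, so it is easy to build a bundle that references files it does not actually contain. The following Python script is an added example, not code from the page: it builds the bundle in memory, refuses to produce one with dangling references, and checks that the [INFO] name in the .pol matches [POLICYNAME] in the .pin. The policy text is a shortened constructed copy of the page's policy and the certificate contents are placeholders.

```python
"""Build a Nokia VPN Client .vpn bundle and check it for dangling references.

Added example, not from the page.  Inputs are constructed in memory so the
script runs offline; the certificate bytes are placeholders, not real DER.
"""
import io
import re
import zipfile

POL = """\
SECURITY_FILE_VERSION: 3
[INFO]
certvpn
[POLICY]
sa ipsec_1 = { esp encrypt_alg 12 }
[IKE]
AUTH_METHOD: RSA_SIGNATURES
CAs: 1
FORMAT: BIN
DATA: certvpn-ca.cer
OWN_CERTS:
FORMAT: BIN
DATA: user-1.cer
PRIVATE_KEY_FORMAT: BIN
PRIVATE_KEY_DATA: user-1.key
"""

PIN = """\
[POLICYNAME]
certvpn
[POLICYDESCRIPTION]
Certificatebased
[POLICYVERSION]
1.1
"""

# Constructed placeholder contents; a real bundle carries DER files here.
FILES = {
    "certvpn-ca.cer": b"placeholder-ca",
    "user-1.cer": b"placeholder-cert",
    "user-1.key": b"placeholder-key",
}


def section_value(text, name):
    """Return the first non-empty line following a [name] header, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "[%s]" % name:
            for follow in lines[i + 1:]:
                if follow.strip():
                    return follow.strip()
    return None


def referenced_files(pol_text):
    """File names the policy expects to find beside it inside the bundle."""
    return set(re.findall(r"^(?:DATA|PRIVATE_KEY_DATA):\s*(\S+)", pol_text, re.M))


def check_bundle(pol_text, pin_text, files):
    """Return a list of problems; an empty list means the bundle is consistent."""
    problems = []
    pol_name = section_value(pol_text, "INFO")
    pin_name = section_value(pin_text, "POLICYNAME")
    if pol_name != pin_name:
        problems.append("policy name mismatch: .pol=%r .pin=%r" % (pol_name, pin_name))
    for missing in sorted(referenced_files(pol_text) - set(files)):
        problems.append("referenced file missing from bundle: %s" % missing)
    return problems


def build_vpn(name, pol_text, pin_text, files):
    """Return the .vpn bundle as bytes; raise ValueError if check_bundle found problems."""
    problems = check_bundle(pol_text, pin_text, files)
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name + ".pol", pol_text)
        z.writestr(name + ".pin", pin_text)
        for fname, data in files.items():
            z.writestr(fname, data)
    return buf.getvalue()


def bundle_members(data):
    """Sorted member names of a .vpn bundle (it is an ordinary zip)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    vpn = build_vpn("certvpn", POL, PIN, FILES)
    with open("certvpn.vpn", "wb") as f:
        f.write(vpn)
    print("wrote certvpn.vpn containing", bundle_members(vpn))
```

Note that the page's zip command adds ca.der and fqdncl.p12 while the .pol refers to certvpn-ca.cer, user-1.cer and user-1.key; fed those two sets of names, check_bundle reports every referenced file as missing, which is exactly the kind of mismatch to catch before the phone silently fails to load the policy.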
====== The result ======
The openswan logs of the previous setups:
**pre-shared key**
<code>
Jul 12 12:26:06 gateway pluto[15771]: packet from :500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=118
Jul 12 12:26:06 gateway pluto[15771]: packet from :500: received Vendor ID payload [RFC 3947] meth=101, but already using method 118
Jul 12 12:26:06 gateway pluto[15771]: packet from :500: received Vendor ID payload [XAUTH]
Jul 12 12:26:06 gateway pluto[15771]: packet from :500: received Vendor ID payload [Cisco-Unity]
Jul 12 12:26:06 gateway pluto[15771]: "E61"[1] #1: responding to Main Mode from unknown peer
Jul 12 12:26:06 gateway pluto[15771]: "E61"[1] #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 12 12:26:06 gateway pluto[15771]: "E61"[1] #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] #1: ignoring unknown Vendor ID payload [973b189b10687655bf998b0553b767c3]
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 12 12:26:07 gateway pluto[15771]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] #1: Main mode peer ID is ID_KEY_ID: '@#0x7363686566663332'
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] #1: switched from "E61" to "E61"
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] #1: deleting connection "E61" instance with peer {isakmp=#0/ipsec=#0}
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] #1: I did not send a certificate because I do not have one.
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
</code>
**certificate**
<code>
Jul 12 12:27:33 gateway pluto[16034]: packet from :500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=118
Jul 12 12:27:33 gateway pluto[16034]: packet from :500: received Vendor ID payload [RFC 3947] meth=101, but already using method 118
Jul 12 12:27:33 gateway pluto[16034]: packet from :500: received Vendor ID payload [XAUTH]
Jul 12 12:27:33 gateway pluto[16034]: packet from :500: received Vendor ID payload [Cisco-Unity]
Jul 12 12:27:33 gateway pluto[16034]: "E61"[1] #1: responding to Main Mode from unknown peer
Jul 12 12:27:33 gateway pluto[16034]: "E61"[1] #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 12 12:27:33 gateway pluto[16034]: "E61"[1] #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] #1: ignoring unknown Vendor ID payload [108b9004aa90a56ab85f7987ca2726b7]
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 12 12:27:35 gateway pluto[16034]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=BW, L=Karlsruhe, O=scheff32.de, CN=flunder.scheff32.de, E=cert@scheff32.de'
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] #1: no crl from issuer "C=DE, ST=BW, L=Karlsruhe, O=scheff32.de, CN=scheff32.de CA, E=cert@scheff32.de" found (strict=no)
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] #1: switched from "E61" to "E61"
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] #1: deleting connection "E61" instance with peer {isakmp=#0/ipsec=#0}
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] #1: I am sending my cert
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
</code>
It does not work with the E51 and the E71. The pre-shared setup works on my E60.
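To read logs like the two above quickly, the following Python script (an added example, not from the page) parses pluto syslog lines and summarises the Vendor IDs seen, the NAT-T result, the peer ID type, whether a certificate was sent, whether a CRL was missing, and whether the ISAKMP SA came up and with which authentication method. The embedded sample lines are constructed after the certificate log above, with 192.0.2.10 as a documentation address and example DNs in place of the real ones.

```python
"""Summarise an Openswan pluto log extract for one IKE Phase 1 attempt.

Added example, not code from the page.  The sample lines are constructed
after the page's log; address and DNs are placeholders.
"""
import re

LOG = """\
Jul 12 12:27:33 gateway pluto[16034]: packet from 192.0.2.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=118
Jul 12 12:27:33 gateway pluto[16034]: packet from 192.0.2.10:500: received Vendor ID payload [RFC 3947] meth=101, but already using method 118
Jul 12 12:27:33 gateway pluto[16034]: packet from 192.0.2.10:500: received Vendor ID payload [XAUTH]
Jul 12 12:27:33 gateway pluto[16034]: "E61"[1] #1: responding to Main Mode from unknown peer
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 12 12:27:35 gateway pluto[16034]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, O=example, CN=client.example'
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] #1: no crl from issuer "C=DE, O=example, CN=example CA" found (strict=no)
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] #1: I am sending my cert
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
"""

# pluto[pid]: optionally "conn"[instance] #sa: then the message proper
MSG = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)"\[\d+\] #(?P<sa>\d+): )?(?P<msg>.*)')
ESTABLISHED = re.compile(r"ISAKMP SA established \{(?P<attrs>[^}]*)\}")
VENDOR = re.compile(r"received Vendor ID payload \[([^\]]+)\]")


def parse_attrs(s):
    """'auth=OAKLEY_RSA_SIG cipher=aes_256' -> {'auth': 'OAKLEY_RSA_SIG', 'cipher': 'aes_256'}"""
    return dict(kv.split("=", 1) for kv in s.split())


def summarise(log_text):
    """Return a dict describing what the log says about the Phase 1 exchange."""
    out = {"conn": None, "vendor_ids": [], "xauth_offered": False, "natt": None,
           "peer_id_type": None, "crl_missing": False, "cert_sent": False, "established": None}
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        if m.group("conn"):
            out["conn"] = m.group("conn")
        msg = m.group("msg")
        vid = VENDOR.search(msg)
        if vid:
            out["vendor_ids"].append(vid.group(1))
            if vid.group(1) == "XAUTH":
                out["xauth_offered"] = True
        elif msg.startswith("NAT-Traversal: Result"):
            out["natt"] = msg.split(": ", 2)[-1]            # e.g. "peer is NATed"
        elif "peer ID is " in msg:
            out["peer_id_type"] = msg.split("peer ID is ")[1].split(":")[0]
        elif msg.startswith("no crl from issuer"):
            out["crl_missing"] = True
        elif msg == "I am sending my cert":
            out["cert_sent"] = True
        else:
            e = ESTABLISHED.search(msg)
            if e:
                out["established"] = parse_attrs(e.group("attrs"))
    return out


def phase1_ok(summary):
    """True when an ISAKMP SA was established, i.e. Phase 1 completed."""
    return summary["established"] is not None


if __name__ == "__main__":
    s = summarise(LOG)
    for key, value in s.items():
        print("%-14s %s" % (key, value))
    print("phase 1:", "OK" if phase1_ok(s) else "not established")
```

Pipe `grep pluto /var/log/auth.log` into it (reading stdin instead of LOG) when the phone fails: a missing "ISAKMP SA established" line tells you Phase 1 never completed, and `crl_missing` is worth watching on certificate setups since strict=no means a revoked client certificate would still be accepted.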
====== Patches ======
===== DNS Support =====
--- openswan-2.4.6/programs/pluto/xauth.c 2005-07-26 04:11:23.000000000 +0200
+++ openswan-2.4.6+dfsg.2/programs/pluto/xauth.c 2006-12-17 16:34:55.000000000 +0100
@@ -137,6 +137,28 @@
}
#endif
+/**
+ * Get IP address from environment variable
+ * @param var Environment Variable to get the IP address from. Usually IPADDR, DNS[12], WINS[12]
+ * @param addr Pointer to var where you want IP address stored
+ * @return int Return code
+ */
+static
+int get_addr_env(const char *var,ip_address *addr)
+{
+ const char *c;
+ int retval;
+
+ c = getenv(var);
+ if(c == NULL)
+ {
+ c="0.0.0.0";
+ }
+ retval = inet_pton(AF_INET,c,(void*) &addr->u.v4.sin_addr.s_addr);
+ addr->u.v4.sin_family = AF_INET;
+ return (retval > 0);
+}
+
oakley_auth_t xauth_calcbaseauth(oakley_auth_t baseauth)
{
switch(baseauth) {
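Review bot: in get_addr_env the line `addr->u.v4.sin_family = AF_INET;` runs even when `inet_pton` fails, so a malformed environment value leaves `sin_addr` with whatever the struct held before while marking the address as valid IPv4; the only signal is the `retval > 0` return, and the callers in the second hunk discard it. Suggest clearing the address and returning before the family assignment on failure, e.g. `if (retval <= 0) { memset(addr, 0, sizeof(*addr)); return 0; }`, and logging the variable name so a bad DNS1/WINS1 value is visible in the pluto log. The doc comment also says "Usually IPADDR, DNS[12], WINS[12]", which only holds if the callers pass those names (see the second hunk).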
@@ -239,6 +261,10 @@
}
#endif
}
+ get_addr_env("DNS1", &ia->dns[0]);
+ get_addr_env("DNS2", &ia->dns[1]);
+ get_addr_env("WINS2", &ia->wins[0]);
+ get_addr_env("WINS2", &ia->wins[1]);
return 0;
}
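Review bot: copy-paste error in the added lines: both `get_addr_env("WINS2", &ia->wins[0]);` and `get_addr_env("WINS2", &ia->wins[1]);` read WINS2, so WINS1 is never read and the client is handed the secondary WINS server twice; the first call should be `get_addr_env("WINS1", &ia->wins[0]);`. All four calls also ignore the return value, so an unparsable DNS1/DNS2/WINS1/WINS2 value is passed on silently instead of being reported before the function returns 0.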
===== New NAT traversal preference =====
Located in ./programs/pluto/vendor.h
Assign ''VID_NATT_IETF_03'' a higher number than any other NAT traversal method. It seems that openswan and/or the Nokia VPN Client is not RFC compliant. With all NATs that I've tested, ''VID_NATT_IETF_03'' was successful.
<code c>
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,
VID_NATT_STENBERG_02 =102,
VID_NATT_HUTTUNEN =103,
VID_NATT_HUTTUNEN_ESPINUDP =104,
VID_NATT_IETF_00 =105,
VID_NATT_IETF_02_N =106,
VID_NATT_IETF_02 =107,
VID_NATT_IETF_03 =110,
VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE =109,
VID_NATT_RFC =108,
</code>