I try to use my Nokia E71 with Openswan 2.4.x. Unfortunately the very same vpn/ipsec configuration that used to work with my old E60 does not work anymore. On these page I'll document what I've tried. Using XAUTH fixed the issue.

Most of the stuff is stolen from http://www.thorsten-knabe.de/linux/e61.jsp

Contact: vpn@paepstin.info

• 2008-12-07: 3G problems might be related to "Broken PMM-IDLE or FACH to DCH transtion(german)?"
• 2008-11-13: The past few weeks I've noticed that the VPN is quite stable using wifi, but with 3G connections it's quite bad. I usually breaks after the first rekeying. Maybe the connection will be better after the first firmware upgrade.
• 2008-09-09: smallmeter refered to some errors: http://discussions.europe.nokia.com/discussions/board/message?board.id=communicators&view=by_date_ascending&message.id=25220
• 2008-09-09: mjk2000 claims that the new VPN Client update will work without XAUTH. http://discussions.europe.nokia.com/discussions/board/message?board.id=communicators&thread.id=22142 I haven't verified that yet.
• 2008-08-22: Changed rekey=yes to rekey=no. Phone will initiate rekeying after 3600s. Should succeed till end of ikelifetime of 8h. After that, the VPN connection will break, no idea why.
• 2008-08-22: Explained the patch New NAT traversal preference

If you need NAT-t you should change the vendor.h as describe in New NAT traversal preference.

I used the pkitool from http://www.openvpn.net

• adjust vars
• . vars (source vars)
• ./clean-all (clean keys)
• ./pkitool –initca (initialize root ca)
  • → keys/ca.crt
• ./pkitool –server fqdngw (generate server certificate for use on the gateway)
  • → keys/fqdngw.key
  • → keys/fqdngw.crt
• ./pkitool fqdncl (generate a client certificate)
  • → keys/fqdncl.key
  • → keys/fqdncl.crt

Merging client certificate and client private key in one pkcs#12 file:

openssl  pkcs12 -export -in fqdncl.crt -inkey fqdncl.key -out fqdncl.p12

Converting the root ca from pem to der:

openssl x509 -inform PEM -outform DER -in ca.crt -out ca.cer

I tried pre shared key and certificate based authentication.

ipsec.secrets

: PSK "mypassword"
: RSA /etc/ipsec.d/private/fqdngw.key

PSK should be self-explanatory. RSA it the unencrypted private key of the gateway certificate.

e71.conf - PSK

Uncomment XAUTH and it will work.

conn E61
        # Key exchange
        ike=aes256-sha1-modp1536
        # Data exchange
        esp=aes256-sha1
        # Authentication method PSK
        authby=secret
        auto=add
        keyingtries=10
        rekey=no
        #keylife=3600s
        ikelifetime=8h
        pfs=no
        # Modeconfig setting
        modecfgpull=yes
        # local endpoint
        left=<gateway ip>
        leftxauthserver=yes
        leftmodecfgserver=yes
        leftsourceip=10.28.39.1
        leftsubnet=0.0.0.0/0
        # remote endpoint
        right=%any
        rightxauthclient=yes
        rightmodecfgclient=yes
        rightsourceip=10.28.39.2
        rightsubnet=10.28.39.2/32

e71.conf - RSA

conn E61
        # Key exchange
        ike=aes256-sha1-modp1536
        # Data exchange
        esp=aes256-sha1
        # Authentication method PSK
        authby=rsasig
        auto=add
        keyingtries=10
        rekey=no
        #keylife=3600s
        ikelifetime=8h
        pfs=no
        # Modeconfig setting
        modecfgpull=yes
        # local endpoint
        left=91.143.80.246
        leftxauthserver=yes
        leftmodecfgserver=yes
        leftsourceip=10.28.39.1
        leftsubnet=0.0.0.0/0
        leftrsasigkey=%cert
        leftcert=fqdngw.pem
        # remote endpoint
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightxauthclient=yes
        rightmodecfgclient=yes
        rightsourceip=10.28.39.2
        rightsubnet=10.28.39.2/32

• copy fqdngw.key to /etc/ipsec.d/private/
• copy fqdngw.crt to /etc/ipsec.d/certs/
• copy ca.crt to /etc/ipsec.d/cacerts/

The path might differ on other distributions.

Good news, it's now much easier to create a policy file:

zip mynewpolicy.zip mynewpolicy.pol mynewpolicy.pin
mv mynewpolicy.zip mynewpolicy.vpn

and with certificates:

zip mynewpolicy.zip mynewpolicy.pol mynewpolicy.pin ca.der fqdncl.p12
mv mynewpolicy.zip mynewpolicy.vpn

Move mynewpolicy.vpn to the mobile an start it. Your done.

set USE_XAUTH: TRUE

SECURITY_FILE_VERSION: 3
[INFO]
keyvpn
[POLICY]
sa ipsec_1 = {
 esp
 encrypt_alg 12
 max_encrypt_bits 256
 auth_alg 3
 identity_remote 0.0.0.0/0
 src_specific
 hard_lifetime_bytes 0
 hard_lifetime_addtime 3600
 hard_lifetime_usetime 3600
 soft_lifetime_bytes 0
 soft_lifetime_addtime 3600
 soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(<gatewayip>) }
inbound = { }
outbound = { }
[IKE]
ADDR: <gatewayip> 255.255.255.255
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: scheff32
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 8 PASSWORD

set USE_XAUTH: TRUE

SECURITY_FILE_VERSION: 3
[INFO]
certvpn
[POLICY]
sa ipsec_1 = {
 esp
 encrypt_alg 12
 max_encrypt_bits 256
 auth_alg 3
 identity_remote 0.0.0.0/0
 src_specific
 hard_lifetime_bytes 0
 hard_lifetime_addtime 3600
 hard_lifetime_usetime 3600
 soft_lifetime_bytes 0
 soft_lifetime_addtime 3600
 soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(<gatewayip>) }
inbound = { }
outbound = { }
[IKE]
ADDR: <gatewayip> 255.255.255.255
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 9
FQDN: scheff32
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: RSA_SIGNATURES
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
CAs: 1
FORMAT: BIN
DATA: certvpn-ca.cer
OWN_CERTS:
FORMAT: BIN
DATA: user-1.cer
PRIVATE_KEY_FORMAT: BIN
PRIVATE_KEY_DATA: user-1.key

[POLICYNAME]
certvpn
[POLICYDESCRIPTION]
Certificatebased
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit

[POLICYNAME]
keyvpn
[POLICYDESCRIPTION]
spezial
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit

The openswan logs of the previous setups:

pre-shared key

Jul 12 12:26:06 gateway pluto[15771]: packet from <publicclientip>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=118 
Jul 12 12:26:06 gateway pluto[15771]: packet from <publicclientip>:500: received Vendor ID payload [RFC 3947] meth=101, but already using method 118
Jul 12 12:26:06 gateway pluto[15771]: packet from <publicclientip>:500: received Vendor ID payload [XAUTH]
Jul 12 12:26:06 gateway pluto[15771]: packet from <publicclientip>:500: received Vendor ID payload [Cisco-Unity]
Jul 12 12:26:06 gateway pluto[15771]: "E61"[1] <publicclientip> #1: responding to Main Mode from unknown peer <publicclientip>
Jul 12 12:26:06 gateway pluto[15771]: "E61"[1] <publicclientip> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 12 12:26:06 gateway pluto[15771]: "E61"[1] <publicclientip> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] <publicclientip> #1: ignoring unknown Vendor ID payload [973b189b10687655bf998b0553b767c3]
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] <publicclientip> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] <publicclientip> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] <publicclientip> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 12 12:26:07 gateway pluto[15771]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] <publicclientip> #1: Main mode peer ID is ID_KEY_ID: '@#0x7363686566663332'
Jul 12 12:26:07 gateway pluto[15771]: "E61"[1] <publicclientip> #1: switched from "E61" to "E61"
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] <publicclientip> #1: deleting connection "E61" instance with peer <publicclientip> {isakmp=#0/ipsec=#0}
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] <publicclientip> #1: I did not send a certificate because I do not have one.
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] <publicclientip> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 12 12:26:07 gateway pluto[15771]: "E61"[2] <publicclientip> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}

certificate

Jul 12 12:27:33 gateway pluto[16034]: packet from <publicclientip>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=118 
Jul 12 12:27:33 gateway pluto[16034]: packet from <publicclientip>:500: received Vendor ID payload [RFC 3947] meth=101, but already using method 118
Jul 12 12:27:33 gateway pluto[16034]: packet from <publicclientip>:500: received Vendor ID payload [XAUTH]
Jul 12 12:27:33 gateway pluto[16034]: packet from <publicclientip>:500: received Vendor ID payload [Cisco-Unity]
Jul 12 12:27:33 gateway pluto[16034]: "E61"[1] <publicclientip> #1: responding to Main Mode from unknown peer <publicclientip>
Jul 12 12:27:33 gateway pluto[16034]: "E61"[1] <publicclientip> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 12 12:27:33 gateway pluto[16034]: "E61"[1] <publicclientip> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] <publicclientip> #1: ignoring unknown Vendor ID payload [108b9004aa90a56ab85f7987ca2726b7]
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] <publicclientip> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] <publicclientip> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 12 12:27:34 gateway pluto[16034]: "E61"[1] <publicclientip> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 12 12:27:35 gateway pluto[16034]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] <publicclientip> #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=BW, L=Karlsruhe, O=scheff32.de, CN=flunder.scheff32.de, E=cert@scheff32.de'
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] <publicclientip> #1: no crl from issuer "C=DE, ST=BW, L=Karlsruhe, O=scheff32.de, CN=scheff32.de CA, E=cert@scheff32.de" found (strict=no)
Jul 12 12:27:35 gateway pluto[16034]: "E61"[1] <publicclientip> #1: switched from "E61" to "E61"
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] <publicclientip> #1: deleting connection "E61" instance with peer <publicclientip> {isakmp=#0/ipsec=#0}
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] <publicclientip> #1: I am sending my cert
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] <publicclientip> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 12 12:27:35 gateway pluto[16034]: "E61"[2] <publicclientip> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}

It does not work with the E51 and the E71. The pre-shared setup works on my E60.

--- openswan-2.4.6/programs/pluto/xauth.c       2005-07-26 04:11:23.000000000 +0200
+++ openswan-2.4.6+dfsg.2/programs/pluto/xauth.c        2006-12-17 16:34:55.000000000 +0100
@@ -137,6 +137,28 @@
 }
 #endif
 
+/**
+ * Get IP address from environment variable
+ * @param var Environment Variable to get the IP address from.  Usually IPADDR, DNS[12], WINS[12]
+ * @param addr Pointer to var where you want IP address stored
+ * @return int Return code
+ */
+static
+int get_addr_env(const char *var,ip_address *addr)
+{
+       const char *c;
+       int retval;
+
+       c = getenv(var);
+       if(c == NULL)
+       {
+               c="0.0.0.0";
+       }
+       retval = inet_pton(AF_INET,c,(void*) &addr->u.v4.sin_addr.s_addr);
+       addr->u.v4.sin_family = AF_INET;
+       return (retval > 0);
+}
+
 oakley_auth_t xauth_calcbaseauth(oakley_auth_t baseauth)
 {
   switch(baseauth) {
@@ -239,6 +261,10 @@
            }
 #endif
     }
+    get_addr_env("DNS1", &ia->dns[0]);
+    get_addr_env("DNS2", &ia->dns[1]);
+    get_addr_env("WINS2", &ia->wins[0]);
+    get_addr_env("WINS2", &ia->wins[1]);
     return 0;
 } 

Located in ./programs/pluto/vendor.h

Assign VID_NATT_IETF_03 a higher number than any other nat traversal method. It seems that openswan AND/OR the Nokia VPN Client is not RFC compliant. With all NATs that I've testet VID_NATT_IETF_03 was successfull.

  /* 101 - 200 : NAT-Traversal */
  VID_NATT_STENBERG_01       =101,
  VID_NATT_STENBERG_02       =102,
  VID_NATT_HUTTUNEN          =103,
  VID_NATT_HUTTUNEN_ESPINUDP =104,
  VID_NATT_IETF_00           =105,
  VID_NATT_IETF_02_N         =106,
  VID_NATT_IETF_02           =107,
  VID_NATT_IETF_03           =110,
  VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE   =109,
  VID_NATT_RFC               =108,