This article adds some findings and cleanups to the previous VPN article.

• The NAT patch is still required for the latest firmware/mobile client. NAT-T acccording to RFC 3947 is not working properly.
  • Tested with E71 and Openswan 2.4.12. Bothj sides behind NAT
• IKE SA rekeying seems not to work. Doesn't matter who initiates it.
• IPSec SA rekeying seems to work, when the mobile initiate it, while the IPSec SA is still valid at openswan. If the IPSec SA is expired there, the connection won't recover after the lifetime expires.
• soft_lifetime* settings seems to be ignored.

I tried to simplify and clean up the config. I've also imported and exported the configuration file with the Nokia Policy Manager.

SECURITY_FILE_VERSION: 1
[INFO]
ipsec-demeter
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 12
max_encrypt_bits 256
auth_alg 3
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 28800
hard_lifetime_usetime 28800
soft_lifetime_bytes 0
soft_lifetime_addtime 28800
soft_lifetime_usetime 28800
replay_win_len 0
pfs
}

remote 0.0.0.0 0.0.0.0 = { ipsec_1(91.143.80.246) }
inbound = { } 
outbound = { } 

[IKE]
ADDR: 91.143.80.246 255.255.255.255
IKE_VERSION: 
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 9
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: FALSE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: FALSE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
DPD_HEARTBEAT: 60
OWN_CERT_TYPE: DEVICE
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: RSA_SIGNATURES
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 86400
PRF: NONE
CAs: 1
  FORMAT: BIN
  DATA: ca.cer
OWN_CERTS: 
  FORMAT: BIN
  DATA: user-1.cer
  PRIVATE_KEY_FORMAT: BIN
  PRIVATE_KEY_DATA: user-1.key

Changes:

• removed: FQDN unecessary
• changed: REPLAY_STATUS to FALSE. Openswan ignores this message
• changed: USE_XAUTH to FALSE. It's not necessary anymore and doesn't add much security anyway.
• added: DPD_HEARTBEAT: 60, maybe helpfull to detect broken connections. Don't know yet if it's useful.
• added: OWN_CERT_TYPE: DEVICE. No passphrase is necessary to access the private key. It's quite risky, you should use the phone password. But I prefere a connection without user interaction.
• changed: LIFETIME_SECONDS: 86400 set to the maxium. I assume that rekeying that doesn't work. 24h should be enough for mobile clients.
• changes: hard_lifetime_*time 28800 and soft_lifetime_*time 28800. Cause there is a small interruption during rekeying, I've increased this value to 8h.

The rest is pretty much unchanged. For upgrade I propose to remove all old certificates and vpn policies, restart the phone, install the new policy and restart the phone again I've seen several strange issues, until I restarted the phone.

Global config:

version 2.0
config setup
        nat_traversal=yes
        nhelpers=0

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
#Include all roadwarriors
include /etc/ipsec.d/clients/rw/*.conf
#Options common to all warriors.
include /etc/ipsec.d/clients/rw-default.conf

default:

conn rw-default
        authby=rsasig
        rekey=no
        ikelifetime=86400s
        keylife=86400s
        left=10.0.0.8
        leftsubnet=0.0.0.0/0
        leftmodecfgserver=yes
        right=%any
        rightmodecfgclient=yes
        modecfgpull=yes
        type=tunnel
        leftcert=ipsec-gw.cert
        rightrsasigkey=%cert
        rightca=%same
        auto=add
        dpddelay=300
        dpdtimeout=120
        dpdaction=clear

roadwarrior:

conn e71-demeter
        rightsourceip=<IP>
        rightsubnet=<IP>/32
        rightid="<Certificate DN>"
        also=rw-default