Create a Linux VPN for a Nokia E61 with Openswan

Create a virtual private network between your Nokia E61 phone and a Linux gateway.

One more complication exists for using some of the publicly available Wi-Fi hotspots. Depending on where on the globe you are, many of these hotspots follow the pattern that when you try to open a Web site, they redirect you to their Wi-Fi login page, you authenticate to them, and then you can use the Internet. If you simply open up a VPN access point on the e61 that is set to use the EasyWLAN as its Internet access point, things will not work. The e61 will start the Wi-Fi connection and immediately try to send data to set up a VPN connection. As you have to authenticate with the Wi-Fi hotspot before this, it will let traffic through, but then things will come crashing down.

A way to get around this is to open the Web browser and directly connect just using EasyWLAN without any VPN whatsoever. Once you have authenticated to the hotspot, leave the browser running and use the menu key to get back to the main menu, and then open the e-mail client. For the access point this time, use the VPN that has EasyWLAN set as its Internet access point. The existing Wi-Fi connection is reused, and the VPN is layered on top. To get secure Web browsing, you can then leave the e-mail program by holding the menu key and going back to the browser. Exit the browser, and the still-running e-mail program holds the VPN open. Start the browser again, and select the VPN as your access point.

Of course, if the Wi-Fi network you are connecting to allows connections without this preamble, opening any application that wants a data connection should allow you to select the new VPN as your access point. Also, if the Wi-Fi hotspot remembers your MAC address and allows reconnection without explicitly having to log in each time, you can start the VPN directly on subsequent connections.

Once the VPN has connected to vserv, the e61 prompts you for the user name and password to use for XAUTH verification (Figure 8).

After XAUTH verification, you should be able to use the VPN without noticing it. In this case, I can browse the Internet using my LANs proxy server to fetch the data (Figure 9).

Figure 8. Once the VPN is set up, XAUTH user name and password verification starts.

Figure 9. Success! We can read Linux Journal through the VPN link.

What's Next

Being able to use a DNS name in the e61 VPN policy would be wonderful for folks who don't have cheap access to static IP addresses. I'm still investigating how to connect using public key cryptography instead of the preshared key as shown in this article. For connecting a single e61 to the network, using a large enough preshared key should still be quite secure.

The information in the article comes with no guarantee of being correct, secure or suitable for anything; use it at your own risk and discretion.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Here is an article Going

Rick's picture

Here is an article Going mobile with VoIP and SymVPN:

It seems that there is no problem to use PPTP VPN with VoIP on Nokia phone, but I have doubt that IPSec VPN can provide needed speed.
Have you tried to use IPSec VPN with VoIP software on your Nokia E61? Is it actually possible to have normal VoIP conversation over IPSec VPN?

New HOWTO using modern kernel based IPSEC

Anonymous's picture

I just posted a new HOWTO for connecting nokia VPN to linux using the new kernel based IPSec (requires kernel 2.6.20+).
This is a pure linux solution, not needing any windows software. The HOWTO covers everything including setting up the linux iptables firewall.
Uses RSA authentication, XAUTH is trivial to add:

HOWTO connect Nokia VPN to GNU/Linux

comments welcome

How can I pass the DNS setting to my phone?

gomobi's picture

Thanks for the great instruction. I have successfully connected my N82 to the VPN gateway. The problem is that the DNS setting is not correctly passed to the phone, I also got DNS error. Could you please give some suggestion?

Thanks again.


a bit thick's picture

my missus thinks I'm a genius with computers and phones but i would need to be Einstein to follow this stuff.
Reading it makes me realise how inadequate I really am.
Isnt there a version u can just click a link and hey presto it's downloaded onto your phone ;)

To complicated, I have installed SymVPN instead.

Anonymous's picture

To complicated.
That is why I am using SymVPN.
It is not IPSec, and it is not Openswan, as it is PPTP based VPN. However it is worth it - 5 parameters to enter and it works in 30 sec.
No headache with policy file.
No headache with signing.
Yes, it is probably less secure then Openswan and IPSec, but at least it is working, but Nokia Mobile VPN it is the dead end road for 98% of all Nokia phone users. Sounds promising in the theory, but nothing works in practice.

Too expensive

Anonymous's picture

SymVPN may be great but I don't see the point in paying all that money for something that I can already do for free.

If SymVPN were $10 or something that might be worth it but currently it's ridiculously expensive for the tiny functionality it provides. Plus, if we're talking easy-to-use-and-secure VPN, I would prefer the more secure OpenVPN over PPTP anyway.

SymVPN all the way and it is not expensive at all.

Anonymous's picture

I would say it is way too cheap for me. Look, with help of SymvPN I have saved just in 1 month on long distance phone charges more money than I have paid for this software. That is why I will buy it even if it will cost 5 time more. I need SymVPN to use it with VoIP. Withour VPN I cannot use VoIP on phone in my country. Just count your money and see for yourself.

Unfortunately on FP2 S60v3

morphix's picture

Unfortunately on FP2 S60v3 devices, SymVPN doesn't work properly, pretty much not at all due to the "Destinations" access point settings available in FP2 only devices, that counts my Nokia N96 out :(

SymVPN works just fine with Destinations.

Anonymous's picture

I am using SymVPN v.2.00 on my Nokia 5800 and it works fine with "Destinations". Created VPN Access Point is placed in Uncategorised destination and after that you just have to to move it to any destination where you need it.

Thanks for really good

Anonymous's picture

Thanks for really good article!
Now days everything can be made more simple way with appearance of SymVPN from
SymVPN is PPTP VPN client for Series 60 3rd phones.

Installation instruction in German WIKI / Update

FreshSmith's picture

== '''NOKIA VPN Client mit Open Source strongSWAN''' ==


# StrongSwan mit öffentlicher IP Adresse
# Symbian makesis.exe zum Serstellen von SIS Installationspaketen
# Konfigurationsfiles für SIS VPN Paket


StrongSwan ipsec.conf anpassen und NAT Traversat (NAT-T) aktivieren. Dies ist wichtig, da viele Mobilfunkprovider intern noch einmal natten. Die zugeteilte IP Adresse am Telefon entspricht nicht der IP Adresse, die bei einem Verbingsaufbau beim StrongSWAN ankommt.

config setup
include /etc/ipsec.d/ipsec-conn-e61-mrobichon.fas
include /etc/ipsec.d/ipsec-conn-e61-njaixen.fas

Danach müssen in der ipsec.secerts der PSK Key hinterlegt werden:

'': PSK "xxxxxxxxxxxxxxxxxxxx"''

Falls XATH benutzt werden soll, hier wird bei der Initialisierung der Verbindung Username und Passwort abgefragt, dann sollte hier auch noch der entsprechende Eintrag mit Credentials hionterlagt werden:

'': XAUTH User "password"''

Nun kommen wir zu den Verbindungen. Hier wird es interessant. Im oberen Beispiel werden zwei Verbindungen in der ipsec.conf includiert. Die Konfiguration könnte so aussehen:

conn e61-mrobichon
# Key exchange
# Data exchange
# Authentication method PSK
# Modeconfig setting
# LEFT: serverseite
#Internes Netz, falls alles geroutet werden soll dann
# leftmodecfgserver=yes
#Falls XAUTH verwendet werden soll, dann diesen Eintrag aktivieren
# leftxauthserver=yes
# RIGHT: clientseite
# Right ID ist absolut wichtig, wenn meherere Verbindungen von
# unterschidlichen Clients aufgebaut werden sollen = FQDN (binär)
# rightxauthclient=yes
# rightmodecfgclient=yes
# virtuelle IP Adresse des IPSEC Tunnels pro Client und Connection

Parameter, die editiert werden müssen:

* leftsubnet= -- internes Netz
* rightid=@#4d6f62696c6547726f7570 -- in der Nokia pol (später) representiert die ID die FQDN und wird hier binär ausgedrückt. Am besten man lässt das Feld offen und probiert erst mal aus, welche ID übermittelt wird. Die kann man sehen, wenn man eine Verbindung aufbaut und in die messages reinschaut:
"e61-njaixen"[6] #9: Peer ID is ID_KEY_ID: '0x4d6f62696c6547726f7570'
das 0x wird durch @# ersetzt
* rightsourceip= -- virtuelle IP Adresse, die dem Client zugeordnet wird dasselbe mit dem rightsubnet (virtuelle Client IP + Subnetz localhost = 32)



Die Konfiguration besteht aus drei Dateien: pin, pkg, pol. Die Dateien müssen denselben Dateinamen haben. pin und pkg brauchen nicht editiert zu werden.
Als Beipiel hier die Konfigurationen:
VPN-Policy for Nokia Mobile VPN Client v3.0.
Do not edit
Do not edit


; - None (English only by default)

; - Only one component name is needed to support English only
; - UID is the UID of the VPN Policy Installer application
#{"VPN-Policy"},(0x1000597E), 1, 0, 0, TYPE=SA
;Localised Vendor name

;Unique Vendor name

; Policy file
; Policy-information file
; - NOTE: The policy-information file MUST be the last file in this list!
; - FM (FILEMIME) passes the file to the respective MIME handler
; (in this case, the VPN Policy Installer application).
FM, "application/x-ipsec-policy-info"
; - The VPN Policy Installer application
(0x1000597E), 1, 0, 0, {"VPN Policy Installer"}
; - S60 3rd Edition ID
[0x101F7961], 0, 0, 0, {"S60ProductID"}

sa ipsec_1 = {
encrypt_alg 12
max_encrypt_bits 256
auth_alg 3
identity_remote #internes Netz
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
remote = { ipsec_1( } #internes Netz {StrongSWAN IP}
inbound = { }
outbound = { }
FQDN: MobileGrou2 #rightid (binär) in StrongSWAN Konfiguration
USE_XAUTH: FALSE #Falls XAUTH benutzt werden soll
KEY: 20 xxxxxxxxxxxxxxxxxxxx #Secret in ipsec.secrets


Erstellung der SIS Datei mit "makesis VPN-policy-preshared-Cisco.pkg" die SIS Datei wird erstellt. Danach einloggen auf [[]]
Hier auf den Link "Open Signed Online". Auf dieser Seite muss nun die IMEI des Mobiltelefons eingegeben werden, auf dem die Policy geladen werden soll *#06#. Mailadresse, an die der Link zur Apllikation gesendet wird und natürlich upload der SIS Datei, welche signiert werden soll. Man erhält eine Verifizierungsmail und kurz danach den Link zum Download der signierten Applikation.

Die Aplikation installiert man dann via PC Suite oder ähnliches direkt auf dem Mobiltelefon. Sollten IMEI nicht zusammen passen, dann muss das ganze nochmal erstellt werden. Nun geht man nach

System --> Einstellungen --> Verbindung --> VPN --> VPN Zugangspunkt

Verbindungsname frei wählbar
VPN-Richtline die gerade geladene Richtlinie (VPN-policy)
Internetzugangspunkt Providereinwahl

alle anderen Punkte so lassen.


Folgende Webseiten waren sehr hilfreich:


White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState