Create a Linux VPN for a Nokia E61 with Openswan
A virtual private network (VPN) allows you to send traffic across an untrusted network without exposing the content of that traffic. Conceptually, this is done by creating a pipe between two hosts where all network traffic transferred is protected by cryptography.
The example in this article is connecting a Nokia E61 device to a home network through a VPN over the Internet. The Nokia E61 is a smartphone that has Wi-Fi support as well as a VPN client. A similar procedure might work for other phone models using the same VPN client software, though the hardware was not on hand to test this. The Linux side was run on Fedora Linux 6; other distros might have slight path and package name changes.
The VPN support on the Nokia E61 uses IP security (IPSec). Openswan is an IPSec server that is configured on the Linux machine to provide the other end of the virtual network.
I should mention one caveat up front: I've been unable to configure the VPN client on the phone to connect to a server that does not have a static IP address.
To keep notation simple, I refer to the phone as e61 and the server running Openswan as vserv. The IP address of the e61 is irrelevant to the article, as you likely will be moving around to different Wi-Fi hotspots with the phone. When a VPN is set up, the e61 gets another IP address, which the e61 refers to as the virtual IP address. Once the VPN is set up, this virtual IP address is where all traffic to and from the e61 is sent. For this article, I use a 192.168.x.x IP address for this e61 VPN address. As the non-VPN IP address of the e61 is mostly irrelevant, unless I explicitly mention otherwise, the e61 IP address will be this non-Internet-routable IP address.
Unlike the other network settings on the phone, you cannot configure the VPN manually using the e61 itself. You have to create a package containing all the information about the VPN and install that package on the phone. These packages are the SIS files. A VPN SIS file also must be digitally signed before the e61 will allow you to install it. Signed SIS files normally have an sisx extension. The most difficult part of setting up the e61 to talk to Openswan is in creating the sisx file to install on the phone.
The SIS file still must be digitally signed, even if you have set the configuration parameter Software installation to All in App Mgr/Options/Settings.
The sisx package is composed of three files. Two of these are boilerplate-type package metadata (the VPN.pin and VPN.pkg files).
Getting the boilerplate files out of the way, the VPN.pin file is mostly uninteresting and is shown in Listing 1, and the VPN.pkg file is shown in Listing 2. Both files should work fine without any changes. Note that the paths shown in Listing 2 are to be interpreted relative to the phone itself and should not be changed.
Listing 1. Some Very Basic Package Metadata
[POLICYNAME]
VPN public
[POLICYDESCRIPTION]
VPN public
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit
Listing 2. Package manifest and description about the application type. You can change the “VPN Policy” string that is right before 0x1000597E to something else.
:"VPN public"
&EN
%{"VPN public"}
;
; A VPN POLICY PACKAGE
;
; LANGUAGES
; - None (English only by default)
; INSTALLATION HEADER
; - Only one component name is needed
; to support English only
; - UID is the UID of the
; VPN Policy Installer application
#{"VPN Policy"},(0x1000597E),1,0,1,TYPE = SA
; LIST OF FILES
; Policy file
"VPN.pol"-"C:\System\Data\Security\Install\VPN.pol"
; Policy-information file
; - NOTE: The policy-information file
; MUST be the last file in this list!
; - FM (FILEMIME) passes the file to the
; respective MIME handler
; (in this case, the VPN Policy Installer
; application).
"VPN.pin"-"C:\System\Data\Security\Install\VPN.pin",
FM, "application/x-ipsec-policy-info"
; REQUIRED FILES
; - The VPN Policy Installer application
(0x1000597E), 1, 0, 0, {"VPN Policy Installer"}
[0x101F7961], 0, 0, 0, {"S60ProductID"}
The VPN.pol file shown in Listing 3 defines the meat of how to connect to the VPN and what key to use for authentication.
Some things need to be changed in VPN.pol before using it. The main changes are the static IP address of the Openswan server (192.168.0.1) and the password to use to connect. The server's IP address appears more than once in the configuration file. To avoid any confusion about virtual IP addresses mentioned above, this IP address is the one from which vserv can be reached publicly from the Internet. The password is in the last field: the KEY. The number is the string length of the key that follows after a space.
If USE_XAUTH is set to true, when establishing the VPN connection the e61 prompts you for a user name and password with which to connect. This provides an additional level of security. In the event that the e61 is stolen, the thief will have to know your user name and password in order to access your VPN.
Openswan can use either PAM or a separate config file to test the user name and password on the server (more on this later).
Comments
Here is an article Going
Here is an article Going mobile with VoIP and SymVPN:
http://gonedigital.net/2010/06/05/going-mobile-with-voip-and-symvpn/
It seems that there is no problem using PPTP VPN with VoIP on a Nokia phone, but I have doubts that IPSec VPN can provide the needed speed.
Have you tried to use IPSec VPN with VoIP software on your Nokia E61? Is it actually possible to have a normal VoIP conversation over IPSec VPN?
New HOWTO using modern kernel based IPSEC
I just posted a new HOWTO for connecting Nokia VPN to Linux using the new kernel-based IPSec (requires kernel 2.6.20+).
This is a pure Linux solution, not needing any Windows software. The HOWTO covers everything including setting up the Linux iptables firewall.
Uses RSA authentication, XAUTH is trivial to add:
HOWTO connect Nokia VPN to GNU/Linux
comments welcome
Shai
How can I pass the DNS setting to my phone?
Thanks for the great instructions. I have successfully connected my N82 to the VPN gateway. The problem is that the DNS setting is not correctly passed to the phone, and I also got a DNS error. Could you please give some suggestions?
Thanks again.
complicated
My missus thinks I'm a genius with computers and phones but I would need to be Einstein to follow this stuff.
Reading it makes me realise how inadequate I really am.
Isn't there a version u can just click a link and hey presto it's downloaded onto your phone ;)
Too complicated, I have installed SymVPN instead.
Too complicated.
That is why I am using SymVPN.
It is not IPSec, and it is not Openswan, as it is a PPTP-based VPN. However it is worth it - 5 parameters to enter and it works in 30 sec.
No headache with policy file.
No headache with signing.
Yes, it is probably less secure than Openswan and IPSec, but at least it is working, but Nokia Mobile VPN is a dead-end road for 98% of all Nokia phone users. Sounds promising in theory, but nothing works in practice.
Too expensive
SymVPN may be great but I don't see the point in paying all that money for something that I can already do for free.
If SymVPN were $10 or something that might be worth it but currently it's ridiculously expensive for the tiny functionality it provides. Plus, if we're talking easy-to-use-and-secure VPN, I would prefer the more secure OpenVPN over PPTP anyway.
SymVPN all the way and it is not expensive at all.
I would say it is way too cheap for me. Look, with the help of SymVPN I have saved in just 1 month on long distance phone charges more money than I have paid for this software. That is why I will buy it even if it costs 5 times more. I need SymVPN to use it with VoIP. Without VPN I cannot use VoIP on my phone in my country. Just count your money and see for yourself.
Unfortunately on FP2 S60v3
Unfortunately on FP2 S60v3 devices, SymVPN doesn't work properly, pretty much not at all due to the "Destinations" access point settings available in FP2 only devices, that counts my Nokia N96 out :(
SymVPN works just fine with Destinations.
I am using SymVPN v.2.00 on my Nokia 5800 and it works fine with "Destinations". The created VPN Access Point is placed in the Uncategorised destination and after that you just have to move it to any destination where you need it.
Thanks for really good
Thanks for really good article!
Nowadays everything can be done in a simpler way with the appearance of SymVPN from www.telexy.com
SymVPN is PPTP VPN client for Series 60 3rd phones.
Installation instruction in German WIKI / Update
== '''NOKIA VPN Client with Open Source strongSWAN''' ==
'''Prerequisites:'''
# StrongSwan with a public IP address
# Symbian makesis.exe for creating SIS installation packages
# Configuration files for the SIS VPN package
'''Configuration:'''
'''''StrongSWAN'''''
Adjust the StrongSwan ipsec.conf and enable NAT Traversal (NAT-T). This is important because many mobile providers apply NAT once more internally. The IP address assigned to the phone does not match the IP address that arrives at StrongSWAN when the connection is established.
''
config setup
interfaces="ipsec0=eth0"
klipsdebug=all
plutodebug=none
nat_traversal=yes
include /etc/ipsec.d/ipsec-conn-e61-mrobichon.fas
include /etc/ipsec.d/ipsec-conn-e61-njaixen.fas
''
After that, the PSK key must be stored in ipsec.secrets:
'': PSK "xxxxxxxxxxxxxxxxxxxx"''
If XAUTH is to be used (the user name and password are then requested when the connection is initialized), the corresponding entry with the credentials should also be stored here:
'': XAUTH User "password"''
Now we come to the connections. This is where it gets interesting. In the example above, two connections are included in ipsec.conf. The configuration could look like this:
''
conn e61-mrobichon
# Key exchange
ike=aes256-sha1-modp1536
# Data exchange
esp=aes256-sha1
# Authentication method PSK
authby=secret
#authby=xauthpsk
auto=start
keyingtries=3
# Modeconfig setting
modeconfig=pull
pfs=no
rekey=no
# LEFT: server side
#leftid=0.0.0.0/0
left=%defaultroute
#Internal network; if everything is to be routed, then 0.0.0.0
leftsubnet=172.16.25.0/24
#leftsubnet=0.0.0.0/0
leftrsasigkey=none
# leftmodecfgserver=yes
#If XAUTH is to be used, enable this entry
# leftxauthserver=yes
xauth=server
# RIGHT: client side
rightrsasigkey=none
right=%any
# The right ID is absolutely essential when several connections from
# different clients are to be established = FQDN (binary)
rightid=@#4d6f62696c6547726f7570
# rightxauthclient=yes
# rightmodecfgclient=yes
# virtual IP address of the IPSEC tunnel per client and connection
rightsourceip=192.168.44.1
rightsubnet=192.168.44.1/32
''
Parameters that must be edited:
* leftsubnet=172.16.25.0/24 -- internal network
* rightid=@#4d6f62696c6547726f7570 -- in the Nokia pol (later), the ID represents the FQDN and is expressed here in binary. It is best to leave the field open and first try out which ID is transmitted. You can see it by establishing a connection and looking into the messages log:
"e61-njaixen"[6] 92.116.229.249 #9: Peer ID is ID_KEY_ID: '0x4d6f62696c6547726f7570'
the 0x is replaced by @#
* rightsourceip=192.168.44.1 -- virtual IP address that is assigned to the client; the same goes for rightsubnet (virtual client IP + subnet localhost = 32)
'''''NOKIA'''''
'''Configuration files:'''
The configuration consists of three files: pin, pkg, pol. The files must have the same file name. pin and pkg do not need to be edited.
As an example, here are the configurations:
VPN-policy-preshared-Cisco.pin
''
[POLICYNAME]
VPN-Policy
[POLICYDESCRIPTION]
VPN-Policy for Nokia Mobile VPN Client v3.0.
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit
''
VPN-policy-preshared-Cisco.pkg
''
;
; A VPN POLICY PACKAGE
;
; LANGUAGES
; - None (English only by default)
; INSTALLATION HEADER
; - Only one component name is needed to support English only
; - UID is the UID of the VPN Policy Installer application
#{"VPN-Policy"},(0x1000597E), 1, 0, 0, TYPE=SA
;Localised Vendor name
%{"pip-EN"}
;Unique Vendor name
:"pip"
; LIST OF FILES
; Policy file
"VPN-policy-preshared-Cisco.pol"-"C:\System\Data\Security\Install\VPN-policy-preshared-Cisco.pol"
; Policy-information file
; - NOTE: The policy-information file MUST be the last file in this list!
; - FM (FILEMIME) passes the file to the respective MIME handler
; (in this case, the VPN Policy Installer application).
"VPN-policy-preshared-Cisco.pin"-"C:\System\Data\Security\Install\VPN-policy-preshared-Cisco.pin",
FM, "application/x-ipsec-policy-info"
; REQUIRED FILES
; - The VPN Policy Installer application
(0x1000597E), 1, 0, 0, {"VPN Policy Installer"}
; - S60 3rd Edition ID
[0x101F7961], 0, 0, 0, {"S60ProductID"}
''
VPN-policy-preshared-Cisco.pol
''
SECURITY_FILE_VERSION: 3
[INFO]
VPN
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 12
max_encrypt_bits 256
auth_alg 3
identity_remote 172.16.25.0/24 #internal network
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
}
remote 172.16.25.0 255.255.255.0 = { ipsec_1(xxx.xxx.xxx.xxx) } #internal network {StrongSWAN IP}
inbound = { }
outbound = { }
[IKE]
ADDR: xxx.xxx.xxx.xxx 255.255.255.255 #StrongSWAN IP
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: MobileGrou2 #rightid (binary) in the StrongSWAN configuration
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: FALSE #if XAUTH is to be used
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 20 xxxxxxxxxxxxxxxxxxxx #Secret in ipsec.secrets
''
'''Installation'''
Create the SIS file with "makesis VPN-policy-preshared-Cisco.pkg". Then log in at [[https://www.symbiansigned.com/app/page]]
There, follow the link "Open Signed Online". On this page, enter the IMEI (*#06#) of the mobile phone onto which the policy is to be loaded, the e-mail address to which the link to the application will be sent, and of course upload the SIS file that is to be signed. You receive a verification e-mail and, shortly afterwards, the link to download the signed application.
The application is then installed directly on the mobile phone via PC Suite or similar. If the IMEIs do not match, the whole thing has to be created again. Now go to
System --> Settings --> Connection --> VPN --> VPN access point
Connection name: freely selectable
VPN policy: the policy just loaded (VPN-policy)
Internet access point: provider dial-up
Leave all other items as they are.
Done.
The following websites were very helpful:
#[[http://www.thorsten-knabe.de/linux/e61.jsp]]
#[[http://pipip.de/other.php?sub=nokia_vpn]]
#[[http://cratoo.de/2007/10/09/howto-wie-verbindung-mit-dem-nokia-e61i-per-vpn-aufbauen]]
#[[http://www.linuxjournal.com/article/9646]]
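The article's notes on VPN.pol (the KEY length prefix, the server address that appears more than once, USE_XAUTH) and the comment's rightid rule (0x replaced by @#) can be checked before a policy is packaged and signed. The following Python sketch is an added example, not code from the article or the commenters; the function names, the TEST-NET addresses and the placeholder key are assumptions, and the field layout is taken from the .pol posted above.

```python
import re

# Constructed phone-side policy excerpt. Field names follow the .pol posted
# above; the address (TEST-NET-3) and the key are placeholders.
SAMPLE_POL = """\
[POLICY]
remote 172.16.25.0 255.255.255.0 = { ipsec_1(203.0.113.10) }
[IKE]
ADDR: 203.0.113.10 255.255.255.255
FQDN: MobileGroup
USE_XAUTH: FALSE
KEY: 20 placeholder-key-0001
"""
# Constructed server log line in the format quoted in the comment above.
SAMPLE_LOG = ('"e61-test"[1] 198.51.100.7 #1: Peer ID is ID_KEY_ID: '
              "'0x4d6f62696c6547726f7570'")


def parse_pol(text):
    """Return (KEY: VALUE fields, gateway addresses named in ipsec_N(...))."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+):[ \t]*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields, re.findall(r"ipsec_\w+\(([^)\s]+)\)", text)


def rightid_from_log(log_line):
    """Turn a logged ID_KEY_ID ('0x...') into the '@#...' form for rightid."""
    m = re.search(r"ID_KEY_ID: '0x([0-9a-fA-F]+)'", log_line)
    return "@#" + m.group(1).lower() if m else None


def check_pol(text, log_line=None):
    """Return a list of findings; the key itself is never put in a finding."""
    fields, gateways = parse_pol(text)
    findings = []
    # KEY is "<length> <key>": the number must equal the key's string length.
    declared, _, key = fields.get("KEY", "").partition(" ")
    if not declared.isdigit() or int(declared) != len(key):
        findings.append(f"KEY: length field {declared!r} != actual {len(key)}")
    # The server address appears more than once; every copy must agree.
    server = fields.get("ADDR", "").split(" ")[0]
    for gw in gateways:
        if gw != server:
            findings.append(f"gateway {gw} differs from IKE ADDR {server}")
    if fields.get("USE_XAUTH", "").strip().upper() != "TRUE":
        findings.append("USE_XAUTH is off: no user name/password prompt")
    # Per the comment, the logged key ID is the policy's FQDN in binary.
    rightid = rightid_from_log(log_line) if log_line else None
    if rightid and bytes.fromhex(rightid[2:]) != fields.get("FQDN", "").encode():
        findings.append(f"FQDN does not match logged peer ID {rightid}")
    return findings


if __name__ == "__main__":
    print(rightid_from_log(SAMPLE_LOG))
    for finding in check_pol(SAMPLE_POL, SAMPLE_LOG):
        print(finding)
```

The sketch treats everything after the length field as the key, so trailing annotations on the KEY line have to be removed before checking a real file.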