VPN: Symbian S60v3FP1-cellphone against OpenBSD 4.2 with certificates - BSD


  1. VPN: Symbian S60v3FP1-cellphone against OpenBSD 4.2 with certificates

    Hi,

    anybody ever managed to connect a Nokia Cellphone (in my case the
    Nokia E90 communicator) against an OpenBSD 4.2 based VPN with
    certificates? If so: what kind of settings did you use with the "Nokia
    Mobile VPN Client Policy Tool" (see: http://www.businesssoftware.nokia.co..._downloads.php
    ) ?

    My OpenBSD configuration seems to be okay. I managed to connect a Test-
    Notebook using the Shrewsoft VPN-Client 2.1.1 successfully to the
    OpenBSD-Box using Certificates.

    Using Debugging I get messages like:
    ----- cut here ----
    031735.781606 Default rsa_sig_decode_hash: SIG payload length does not match public key
    031735.781869 Default dropped message from a.b.c.d port 500 due to notification type INVALID_ID_INFORMATION
    ----- cut here ----
    but I'm not sure if those messages actually are my problem or just the
    result of an error I didn't yet see. Anyway, I don't know how I can
    fix this problem and, having tried for hours now, I feel sort of like a
    dumbass :-(

    Anybody out there who can help?

    Regards

  2. Re: VPN: Symbian S60v3FP1-cellphone against OpenBSD 4.2 with certificates

    Hi all,

    ok, I got a bit further. Sorry I'm not that experienced with IPSEC on
    OpenBSD. I now have the following configuration:
    ---------------------- snip --------------------------
    ike passive esp tunnel from any to 192.168.3.0/24 local armamix.dorfplatz \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group none srcid armamix.dorfplatz psk mysecretpwd tag vpn_$id
    ike passive esp tunnel from any to 192.168.1.2 local armamix.dorfplatz \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group none srcid armamix.dorfplatz psk mysecretpwd tag vpn_$id
    --------------------- snip ---------------------------

    I now can see traffic going through the tunnel and coming back.
    Unfortunately my firewall always tells the road warrior that the IP it
    wants to reach is unreachable. See the following tcpdump:

    ---------------------- snip ---------------------
    21:50:24.760625 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 48:416(368) ack 12 win 65218 (DF) (encap)
    21:50:24.766522 (authentic,confidential): SPI 0x78916094: 192.168.3.151.3389 > 10.129.196.1.39892: P 12:337(325) ack 416 win 63825 (DF) (encap)
    21:50:25.160969 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:428(12) ack 337 win 64893 (DF) (encap)
    21:50:25.161403 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)
    21:50:27.380852 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:436(20) ack 337 win 64893 (DF) (encap)
    21:50:27.381266 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)
    ---------------------- snip --------------------------

    What happens here? The Firewall (you see it here as 192.168.1.2) is
    also directly connected to 192.168.3.151 as it has an interface in
    192.168.3.x. Why does the firewall think that 192.168.3.151 is
    unreachable?
    Another thing which is weird: If I'm using a Notebook instead of the
    Cellphone, everything works without any problem!!! Then I don't get
    any Unreachables!!! Doing ipsecctl -m didn't show that much of a
    difference in both connections.

    I simply don't understand.

    Anyone out there, any idea which can help?
    I'd appreciate it.

    Regards
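Added triage helper for captures like the one in the post above. This is not code from the thread; it parses tcpdump lines from OpenBSD's enc0 interface (the decrypted side of the tunnel), groups the flows by SPI, and for every ICMP "host unreachable" reports which tunnel flow it answers and whether the ICMP was generated by the gateway itself. When the unreachable comes from the gateway's own address, the ESP packet was authenticated and decrypted correctly and was refused afterwards by routing or filtering, which separates a crypto/SA problem from a routing/pf problem. The sample capture is constructed from the lines in the post, and the gateway address set passed to `triage()` is an assumption taken from the poster's statement that the firewall appears as 192.168.1.2.

```python
"""Triage of tcpdump output on OpenBSD's enc0 interface (added example).

Groups decrypted-side packets by SPI and explains ICMP host unreachables:
who generated them, which tunnel flow they answer, and whether the sender
is the IPsec gateway itself.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the capture quoted in the thread.
SAMPLE_CAPTURE = [
    "21:50:24.760625 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 48:416(368) ack 12 win 65218 (DF) (encap)",
    "21:50:24.766522 (authentic,confidential): SPI 0x78916094: 192.168.3.151.3389 > 10.129.196.1.39892: P 12:337(325) ack 416 win 63825 (DF) (encap)",
    "21:50:25.160969 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:428(12) ack 337 win 64893 (DF) (encap)",
    "21:50:25.161403 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)",
    "21:50:27.380852 (authentic,confidential): SPI 0x7ddefb10: 10.129.196.1.39892 > 192.168.3.151.3389: P 416:436(20) ack 337 win 64893 (DF) (encap)",
    "21:50:27.381266 (authentic,confidential): SPI 0x78916094: 192.168.1.2 > 10.129.196.1: icmp: host 192.168.3.151 unreachable (encap)",
]

# enc0 line layout: "<ts> (<flags>): SPI <spi>: <src> > <dst>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-f]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
UNREACH_RE = re.compile(r"^icmp: host (?P<target>\S+) unreachable")


def _split_addr(token):
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP and 'a.b.c.d' for ICMP."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_capture(lines):
    """Parse enc0 tcpdump lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = _split_addr(m["src"])
        dst, dport = _split_addr(m["dst"])
        rest = m["rest"]
        u = UNREACH_RE.match(rest)
        records.append({
            "ts": m["ts"], "spi": m["spi"], "flags": m["flags"].split(","),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "icmp" if rest.startswith("icmp") else "tcp",
            "unreachable": u["target"] if u else None,
        })
    return records


def triage(records, gateway_addrs):
    """Return per-SPI flow selectors and one finding per ICMP host unreachable."""
    flows = defaultdict(set)  # spi -> {(src, dst, dport)}
    unprotected = []          # packets missing 'authentic' or 'confidential'
    for r in records:
        if not {"authentic", "confidential"} <= set(r["flags"]):
            unprotected.append(r["ts"])
        if r["proto"] != "icmp":
            flows[r["spi"]].add((r["src"], r["dst"], r["dport"]))
    findings = []
    for r in records:
        if r["unreachable"] is None:
            continue
        target = r["unreachable"]
        # Inbound flows (on any SPI) that were trying to reach the unreachable host.
        rejected = sorted((spi, src, dport) for spi, fl in flows.items()
                          for (src, dst, dport) in fl if dst == target)
        findings.append({
            "ts": r["ts"], "spi": r["spi"], "generated_by": r["src"], "to": r["dst"],
            "target": target, "from_gateway": r["src"] in gateway_addrs,
            "rejected_flows": rejected,
        })
    return {"spis": {spi: sorted(fl) for spi, fl in flows.items()},
            "unprotected": unprotected, "findings": findings}


def summarize(result):
    """Human-readable lines for the console."""
    out = []
    for spi, fl in result["spis"].items():
        out.append(f"SPI {spi}: " + ", ".join(f"{s} -> {d}:{p}" for s, d, p in fl))
    for f in result["findings"]:
        origin = "gateway itself" if f["from_gateway"] else f["generated_by"]
        out.append(f"{f['ts']} unreachable for {f['target']} generated by {origin}; "
                   f"answers flows {f['rejected_flows']}")
    if result["unprotected"]:
        out.append(f"WARNING: {len(result['unprotected'])} packet(s) without authentic+confidential")
    return out


if __name__ == "__main__":
    # Assumption: the gateway's inner address is 192.168.1.2, as stated in the post.
    for line in summarize(triage(parse_capture(SAMPLE_CAPTURE), {"192.168.1.2"})):
        print(line)
```

Run it on a real capture with `tcpdump -n -i enc0` piped into `parse_capture`; an unreachable whose `from_gateway` is true and whose `rejected_flows` is non-empty means the decrypted packet reached the gateway and was dropped there, so the next things to check are the flow selectors (`ipsecctl -s flow`), the route to the target, and pf rules on enc0 rather than the IKE or certificate setup.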
