Cached from:
http://www.thorsten-knabe.de/linux/e61.jsp
Connecting the Nokia E61 Mobile VPN client to a Linux OpenSwan IPSEC
gateway
This page describes how to configure and setup the Nokia E61 Mobile VPN
client and Linux Openswan IPSEC gateway to establish an encrypted IPSEC tunnel
between the two devices. The procedure described herein should work for other
mobile devices equipped with a Nokia Mobile VPN Client as well, especially
Symbian S60 3rd edition based mobile phones, but has not been tested.
Legal advice: This page contains links to external internet sites
containing additional information, that might be helpful in the course of
setting up the IPSEC tunnel. I have no influence on the content and disclaim
any responsibilty for the content provided by those external internet sites.
All information on this page is provided as is without any warranty. I am not
responsible or liable for any damage caused by following the steps
described below. If you damage your phone, it is your fault not mine!
Prerequisites
Linux prerequisites
For my setup I chose a vanilla Linux 2.6.19.1 with IPSEC support and
OpenSwan 2.4.6 from Debian testing. Other kernels, distributions and OpenSwan
versions could work as well but have not been tested.
E61 prerequisites
In oder to establish a VPN connection from the Nokia Mobile VPN client, a
policy file has to be uploaded to the phone. For some reason, such a policy
file cannot be uploaded directly to the phone, but has to be packed into a
signed SIS file first. To create such a signed SIS file, you need a
developer certificate and two Windows executables from the S60 Platform
SDK for Symbian OS for C++ 3rd edition.
Luckily those two Windows executables and the Windows executable to create
the developer certificate run happily using Wine under Linux.
The S60 Platform SDK for Symbian OS for C++ 3rd edition is available
from http://www.forum.nokia.com
-> Tools & SDKs
-> C++ for Symbian OS Tools and SDKs ->
S60 Platform for Symbian OS -> 3rd Edition. To unpack the SDK under Linux
follow the instructions on
Rudolf Königs page.
A free developer cetificate and the Windows executable to create such a
certificate is available from https://www.symbiansigned.com. Follow the steps on
this site to obtain a valid developer certificate. Afterwards you should have
a .key and a corresponding .cer file which are later
required to sign the SIS file containing the VPN policy file.
Configuration
Before you start configuration, you should collect the following
information, which are required during the configuration process. The actual
values are replaced by the following placeholders in the example
configuration files below:
<group name>: Group name for IKE phase 1. This value is ignored
by the current OpenSwan configuration.
<group password>: Group password for IKE phase 1. Choose a good
password for this parameter and keep it secret as it is the only thing
needed to know to get access to your internal network if you do not use
XAUTH authentication.
<strlen(group password)>: Length of group password
<external gateway>: External static IP address of the
OpenSwan gateway. This address is used for authentication and encrypted
data exchange.
<internal gateway>: Internal IP address of the
OpenSwan gateway. This address is used when sending packets from the VPN
gateway through the VPN tunnel to the client.
<internal client>: Internal IP address assigned to the VPN
client. This address is used by the client when sending packets through
the VPN tunnel.
<key password>: The password of your developer key from
www.symbiansigned.com.
OpenSwan configuration
On Debian there are 3 files that have to be edited or created in order to
configure OpenSwan as a VPN gateway for the Nokia Mobile VPN client.
/etc/ipsec.secrets
Add a wildcard PSK (Pre-Shared Key) entry to your ipsec.secrets file.
Afterwards your ipsec.secrets file should look like this:
: PSK "<group password>"
/etc/ipsec.conf
Add an include directive to the ipsec.conf configuration file.
The included file contains the actual configuration for the newly created
connection to the Mobile VPN client. Afterwards your ipsec.conf should
look like this:
version 2.0
config setup
nat_traversal=yes
nhelpers=0
#plutodebug=all
# Add connections here
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/examples/e61.conf
/etc/ipsec.d/examples/e61.conf
Create a file named e61.conf for the connection parameters with the following
contents:
conn E61
# Key exchange
ike=aes256-sha1-modp1536
# Data exchange
esp=aes256-sha1
# Authentication method PSK
authby=secret
auto=add
keyingtries=3
rekey=no
pfs=no
# Modeconfig setting
modecfgpull=yes
# local endpoint
left=<external gateway>
leftxauthserver=yes
leftmodecfgserver=yes
leftsourceip=<internal gateway>
leftsubnet=0.0.0.0/0
# remote endpoint
right=%any
rightxauthclient=yes
rightmodecfgclient=yes
rightsourceip=<internal client>
rightsubnet=<internal client>/32
If you set leftxauthserver and rightxauthclient to
no, XAUTH authentication will be disabled. Disabling XAUTH
authentication might be helpful, if you experience problems during VPN
setup, but should not be disabled in production use for security reasons.
Creating a signed SIS file containing the VPN policy
The Nokia Mobile VPN client is configured by the policy file VPN.pol shown
below, that has to be uploaded to the phone in a signed SIS file.
In order to create a signed SIS file, two additional files are required. The
VPN.pin file contains some (useless) meta information about the policy file,
but is required and the VPN.pkg file, which describes the contents of the
SIS file.
Important: All 3 files have to be created with DOS line
delimiters (in vi use: set ff=dos), otherwise the tools or the VPN
will not work correctly.
VPN.pol
SECURITY_FILE_VERSION: 3
[INFO]
VPN
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 12
max_encrypt_bits 256
auth_alg 3
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(<external gateway>) }
inbound = { }
outbound = { }
[IKE]
ADDR: <external gateway> 255.255.255.255
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: <group name>
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: <strlen(group password)> <group password>
If you want to disable XAUTH authentication set USE_XAUTH to
FALSE and modify the e61.conf file on the VPN gateway accordingly.
VPN.pin
[POLICYNAME]
VPN
[POLICYDESCRIPTION]
VPN
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit
VPN.pkg
;
; A VPN POLICY PACKAGE
;
%{"VPN"}
:"VPN"
&EN
; - None (English only by default)
; INSTALLATION HEADER
; - Only one component name is needed to support English only
; - UID is the UID of the VPN Policy Installer application
#{"VPN"},(0x3D08B4F7),1,0,0,TYPE = SA
; LIST OF FILES
; Policy file
"VPN.pol"-"C:\System\Data\Security\Install\VPN.pol"
; Policy-information file
; - NOTE: The policy-information file MUST be the last file in this
; list!
; - FM (FILEMIME) passes the file to the respective MIME handler
; (in this case, the VPN Policy Installer
; application).
"VPN.pin"-"C:\System\Data\Security\Install\VPN.pin",
FM, "application/x-ipsec-policy-info"
; REQUIRED FILES
; - The VPN Policy Installer application
(0x3D08B4F7), 1, 0, 0, {"VPN Policy Installer"}
Note: The two absolute paths are paths on the phone and must not
be modified.
Create an unsigned SIS file
The unsigned SIS file is created by the makesis.exe utility. With
the VPN.pol, VPN.pin and VPN.pkg file in the current working directory the
makesis utility must be invoked as follows:
makesis.exe VPN.pkg VPN.sis
Afterwards you should have a VPN.sis file in your current working directory.
Create a signed SIS file
The SIS file created in the last step is still unsigned and has to be signed
to be accepted by the phone. The SIS file is signed using the
signsis.exe utility. It is invoked as follows, assuming the
previously created SIS file and the VPN.key and VPN.cer file from
www.symbiansigned.com are all located in the current working directory:
signsis.exe VPN.sis VPN.sisx VPN.cer VPN.key <key password>
Afterwards you should have a signed SIS file called VPN.sisx in your
current working directory, which can be uploaded to your phone.
Mobile phone configuration
Before you start configuring the Nokia Mobile VPN client, you have to
upload the signed SIS file created in the previous step to the phone. This
can be done using an USB cable, infrared or Bluetooth or you can download
the file from a web site.
During installation of the policy file, you might get several warnings
regarding the developer cerificate and phone incompatibilities, ignore and
confirm all of them. After the installation completes the policy should be
listed under VPN policies in the phone.
To create a new VPN connection configuration navigate to Menu ->
Tools -> Settings -> Connection -> VPN -> VPN management ->
VPN policies, highlight a policy and select Options -> Define VPN access
point. Configure the connection by specifiying a name, a policy and an
internet access point.
You should now be able to use the VPN connection like any other connection.
If you have not disabled XAUTH authentication, you are asked for a username
and password on connection setup. Enter a valid system user and password of
the VPN gateway. That's it! You should now be connected to your VPN.
Caveats & Solutions
DNS servers
During connection setup the VPN client obtains IP address, netmask and DNS
settings from the VPN gateway, there is no way to modify those parameters on
the phone.
In OpenSwan 2.4.6 there is no (easy) way to configure the DNS servers to
be used by the VPN client. DNS servers can only be set using PAM environment
variables, which are only available when XAUTH is enabled.
To circumvent this shortcoming I have created a small patch against
OpenSwan 2.4.6, which allows setting DNS servers using ordinary environment
variables. If you set the environment variables DNS1 and DNS2 before you
start OpenSwan, those parameters are transmitted to the VPN client as the
primary and secondary DNS server. The patch is available here:
openswan-2.4.6.diff
