betabug... Sascha Welter

home english | home deutsch | Site Map | Sascha | Kontakt | Pro | Weblog | Wiki

Nokia VPN Clicky-Config

Nokia VPN Clicky-Config

Download the "Nokia Mobile VPN Client Config Tool" somewhere from the labyrinth of Nokia sites. Open it in a PC emulator that you have loaded with a version of Windows (or borrow someones Windows-PC or something).

I'm currently using pre-shared keys (PSK). Will do PKI later probably.

Start clicking and entering stuff until it looks about like what I have in the screens.

First screen, simplified version

just opened
  • Obviously you want to give your "policy" a nice name.
  • You'll enter the fixed IP of your server (I've used a numerical IP, a FQDN would likely work too)
  • Enter some client "Identity value"
  • For the "Preshared Key", choose "String Format" and paste your key there

Get to the "advanced view"

get to the advanced setup

Next step, get to the advanced view.

IPsec SA parameters

get to the advanced setup

Here we set up some parameters, matching to our server side config.

  • "Encryption Algorithm": AES128 works for my server config
  • "Hash Alogrithm": SHA1, same as on my server config
  • I don't think I've tweaked the timer settings
  • I've left the "Replay Window length" alone at what it was
  • only "Source specific" had a check mark


In the "Selectors" branch of the settings, I haven't changed anything, so no screenshots there.

Proposals - this is where things had been stuck for me

first "proposals" screen

All this "proposals" business took some experimenting, as all log output on the server always claimed that the VPN client did not send any proposal. Well, here's comments on these settings:

  • obviously I'm using again the same server numerical IP for the "VPN gateway address" (FQDN may work for you)
  • "Identity type" is set to "11 - Vendor specific information", which makes the server complain a little bit ("ipsec_validate_id_information: dubious ID information accepted"), but it works so far
  • I'm setting my server's IP in the "DNS server address". My server's caching-only DNS server is not normally accessible from the outside, but my pf.conf allows access to it. I also had to edit /var/named/etc/named.conf to add the RFC1918 nets that my mobile happens to be in to the list of "acl clients". For quite some time I had my little VPN running, but thought it was blocked, only because I had no working DNS setup.
  • I don't remember which of the other settings I tweaked and which were like that by default, but this is how they work for me right now. Yes, that port is set to "0" - apparently this way it uses the standard ports.
"proposals IKEv1" screen

There is a second tab with settings on "Proposals" where I've edited things: "IKEv1?". I remember tweaking only "Use NAT probe". Note that these "True/False" settings are actually "True/False/Unset", e.g. in the case of "Use NAT probe", the mouseover tipp says:

"Specifies whether to use Nokia-specific IPsec over NAT (TRUE) or the IETF NAT-T NAT traversal mechanism (FALSE)"

So, if you don't want any NAT probing, leave it blank, for standart NAT-T, use FALSE, like me.

Where the rubber hits the road: Proposals

I got myself a bloody nose by creating new variants of VPN settings, with the OpenBSD VPN server never "seeing" a proposal coming in. At one point I ran the procedure to get a trace of the handshake packets (which I found in this post from Stuart Henderson, stating something like:

# echo "p on" > /var/run/isakmpd.fifo

try and make a connection, then turn tracing back off:

# echo "p off" > /var/run/isakmpd.fifo

Then you can look at the capture file with tcpdump:

# tcpdump -r /var/run/isakmpd.pcap -vvn

Which did give me some output that seemed to contain a proposal to my eyes, but it just wouldn't work.

So at one point I decided that if one proposal wasn't detected, maybe two of them were gonna be seen. I created one proposal for AES128 and one for AES256. At that point things started to work, my setup passed the Phase 1.

Here are my setups for these 2 proposals:

"AES128 proposal screen"
"AES256 proposal screen"

It might be circumventing a bug, it might be coincidence, but it currently works for me.