Nokia VPN Clicky-Config
Download the "Nokia Mobile VPN Client Config Tool" somewhere from the labyrinth of Nokia sites. Open it in a PC emulator that you have loaded with a version of Windows (or borrow someones Windows-PC or something).
I'm currently using pre-shared keys (PSK). Will do PKI later probably.
Start clicking and entering stuff until it looks about like what I have in the screens.
- Obviously you want to give your "policy" a nice name.
- You'll enter the fixed IP of your server (I've used a numerical IP, a FQDN would likely work too)
- Enter some client "Identity value"
- For the "Preshared Key", choose "String Format" and paste your key there
Next step, get to the advanced view.
Here we set up some parameters, matching to our server side config.
- "Encryption Algorithm": AES128 works for my server config
- "Hash Alogrithm": SHA1, same as on my server config
- I don't think I've tweaked the timer settings
- I've left the "Replay Window length" alone at what it was
- only "Source specific" had a check mark
In the "Selectors" branch of the settings, I haven't changed anything, so no screenshots there.
All this "proposals" business took some experimenting, as all log output on the server always claimed that the VPN client did not send any proposal. Well, here's comments on these settings:
- obviously I'm using again the same server numerical IP for the "VPN gateway address" (FQDN may work for you)
- "Identity type" is set to "11 - Vendor specific information", which makes the server complain a little bit ("ipsec_validate_id_information: dubious ID information accepted"), but it works so far
- I'm setting my server's IP in the "DNS server address". My server's caching-only DNS server is not normally accessible from the outside, but my pf.conf allows access to it. I also had to edit /var/named/etc/named.conf to add the RFC1918 nets that my mobile happens to be in to the list of "acl clients". For quite some time I had my little VPN running, but thought it was blocked, only because I had no working DNS setup.
- I don't remember which of the other settings I tweaked and which were like that by default, but this is how they work for me right now. Yes, that port is set to "0" - apparently this way it uses the standard ports.
There is a second tab with settings on "Proposals" where I've edited things: "IKEv1?". I remember tweaking only "Use NAT probe". Note that these "True/False" settings are actually "True/False/Unset", e.g. in the case of "Use NAT probe", the mouseover tipp says:
So, if you don't want any NAT probing, leave it blank, for standart NAT-T, use FALSE, like me.
I got myself a bloody nose by creating new variants of VPN settings, with the OpenBSD VPN server never "seeing" a proposal coming in. At one point I ran the procedure to get a trace of the handshake packets (which I found in this post from Stuart Henderson, stating something like:
# echo "p on" > /var/run/isakmpd.fifo try and make a connection, then turn tracing back off: # echo "p off" > /var/run/isakmpd.fifo Then you can look at the capture file with tcpdump: # tcpdump -r /var/run/isakmpd.pcap -vvn
Which did give me some output that seemed to contain a proposal to my eyes, but it just wouldn't work.
So at one point I decided that if one proposal wasn't detected, maybe two of them were gonna be seen. I created one proposal for AES128 and one for AES256. At that point things started to work, my setup passed the Phase 1.
Here are my setups for these 2 proposals:
It might be circumventing a bug, it might be coincidence, but it currently works for me.