Plain text config files to create a Nokia VPN client config
As an alternative to the Nokia VPN Clicky-Config, the VPN policy settings file (the .vpn file that is loaded on the phone) can also be created from plain text files. These have DOS line endings, but I don't know whether that is mandatory; I just took care to write them that way and they seemed to be read.
As I learned from wiki.paepstin.info/nokia:vpn, you create two files (more if using certificates instead of a PSK):
- somename.pin
- somename.pol
You then zip them up into one somename.zip file using zip somename.zip somename.pol somename.pin - I don't know if the order matters. Note: older information on that intarweb-thing states that you have to jump through multiple hoops to get that zip file into a signed .sis file. That is all outdated, as far as I can tell.
After zipping, just rename it: mv somename.zip somename.vpn. As the last step, get it onto the phone and open it in the file viewer or from the messages application.
So, here are my pin and pol files, with some sanitizing applied.
bebu.pin:
[POLICYNAME]
bebu
[POLICYVERSION]
1.1
[POLICYDESCRIPTION]

[ISSUERNAME]

[CONTACTINFO]
bebu.pol:
SECURITY_FILE_VERSION: 1
[INFO]
bebu
[POLICY]
sa bebu_1 = {
esp
encrypt_alg 12
max_encrypt_bits 128
auth_alg 3
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
replay_win_len 0
}
remote 0.0.0.0 0.0.0.0 = { bebu_1(*SERVER_ADDR*) }
inbound = { }
outbound = { }
[IKE]
IKE_VERSION: 1
MODE: Main
ADDR: *SERVER_ADDR* 255.255.255.255
ID_TYPE: 11
FQDN: *SOMEID*
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: *LEN* *YOUR_SECRET_KEY_STRING*
REPLAY_STATUS: FALSE
USE_MODE_CFG: FALSE
IPSEC_EXPIRE: TRUE
USE_XAUTH: FALSE
USE_COMMIT: FALSE
ESP_UDP_PORT: 0
SEND_NOTIFICATION: TRUE
INITIAL_CONTACT: TRUE
USE_INTERNAL_ADDR: TRUE
DPD_HEARTBEAT: 90
NAT_KEEPALIVE: 60
REKEYING_THRESHOLD: 90
DNS_SERVER: *SERVER_ADDR*
GROUP_DESCRIPTION_II: MODP_1024
USE_NAT_PROBE: FALSE
PROPOSALS: 2
ENC_ALG: AES128-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 86400
PRF: NONE
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 86400
PRF: NONE
These files are what came out of my playing with the Nokia VPN Clicky-Config. Back when things weren't working, half the time I was editing config files and the other half I was clicking around in the GUI tool. In the end the GUI thing worked, but the plain text files are easier to reproduce.
Things I'm not quite certain about:
- does white space matter?
- do line-endings have to be DOS style? (I always kept them like that)
- do file names and config names have to be in sync? (I mostly avoided the question by using the clicky-tool)
- is there life before death?
Some things you will have to adapt or take care of:
- obviously, enter your own info for the stuff I've written like SERVER_ADDR
- the line KEY: *LEN* *YOUR_SECRET_KEY_STRING* means that you substitute LEN with the number of characters in your PSK secret key string and YOUR_SECRET_KEY_STRING with the key itself, e.g. KEY: 8 s3kr3t78 (no, that's not a good key to use)
- I'm setting a DNS server (DNS_SERVER), you might not need that at all, depending on your setup.
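To make the steps above repeatable (fill in SERVER_ADDR, SOMEID and the KEY: LEN rule, write CRLF files, zip .pol and .pin, and check the result), here is a small script. It is an added example, not from the original page or from Nokia; the trimmed .pol template, the CRLF handling and the zip layout are assumptions taken from what the page describes.

```python
import io
import zipfile

# Constructed template: only the [IKE] lines carrying site-specific values (the real bebu.pol has more).
POL_TEMPLATE = """SECURITY_FILE_VERSION: 1
[INFO]
bebu
[IKE]
ADDR: *SERVER_ADDR* 255.255.255.255
ID_TYPE: 11
FQDN: *SOMEID*
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: *LEN* *YOUR_SECRET_KEY_STRING*
"""

def render_pol(template, server_addr, fqdn, psk):
    """Fill the *...* placeholders; LEN is the character count of the PSK.
    Spaces would break the 'KEY: LEN SECRET' split and non-ASCII makes
    'number of characters' ambiguous (chars vs bytes), so both are refused."""
    if not psk or not psk.isascii() or " " in psk:
        raise ValueError("PSK must be non-empty ASCII without spaces")
    return (template.replace("*SERVER_ADDR*", server_addr)
                    .replace("*SOMEID*", fqdn)
                    .replace("*LEN*", str(len(psk)))
                    .replace("*YOUR_SECRET_KEY_STRING*", psk))

def check_key_length(pol_text):
    """True if every 'KEY: <len> <secret>' line has a count matching its secret."""
    for line in pol_text.splitlines():
        parts = line.strip().split(None, 2)
        if parts and parts[0] == "KEY:":
            if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) != len(parts[2]):
                return False
    return True

def to_dos(text):
    """Normalise to CRLF line endings, as the files on the page have."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n").encode("ascii")

def build_vpn(name, pin_text, pol_text):
    """Return the bytes of <name>.vpn: a zip holding <name>.pol and <name>.pin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name + ".pol", to_dos(pol_text))
        zf.writestr(name + ".pin", to_dos(pin_text))
    return buf.getvalue()

def vpn_members(vpn_bytes):
    """Map member name -> bytes, to verify what actually landed in the .vpn."""
    with zipfile.ZipFile(io.BytesIO(vpn_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}
```

The resulting .vpn carries the PSK in clear text on the KEY: line, so the output file deserves the same handling as any other credential file.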
Other notes:
- there are two "proposals" in there, for AES128 and AES256. As described in Nokia VPN Clicky-Config, that's what worked for me in the end, since the VPN server never "saw" my single proposals.
- I'm using a very simple (or is that "simplistic"?) network setup, where the IP of the phone is used for the NAT I'm doing on the server (e.g. the phone gets 10.1.2.3 from the 3G provider; that's what OpenBSD will use to talk to the phone). If your needs are more specific, you either know more than me about it, or you should try very hard to get to know more than me.