Archive for the ‘Nokia’ Category

Nokia Series 60 and a Cisco VPN

Friday, October 15th, 2010

One redeeming feature of Series 60 Nokia phones is there’s a reasonable IPsec VPN client available. It might be pre-installed on your phone already or you can check if your phone is compatible and download it here.

It can however be a bit of a pig to configure, as you do very little of it on the phone; instead you have to supply a VPN policy file containing all of the various settings. Nokia ship a tool that creates these, but it’s only available for Windows, so if you’re on a Mac or a Linux machine you’re out of luck. However, once you realise that a VPN policy file is just a renamed ZIP archive there’s no need to give up.

Nokia have documentation available, specifically the VPN Client Policy Specification, which explains what the various files in the ZIP archive are for. Unless you authenticate with certificates, chances are you only need the two required files.

The first of these is a .pin file. It’s a really simple file that just supplies the policy details and is formatted like so:

[POLICYNAME]
Company VPN
[POLICYVERSION]
1.0
[POLICYDESCRIPTION]
Secure access to internal systems
[ISSUERNAME]
My Company
[CONTACTINFO]
vpn@domain.com

For the most part you only really need to specify the policy name and version; the other fields can be left empty, as they aren’t generally visible.

The other required file is the .pol file. This one is a lot more complicated as it specifies all of the various IKE and IPsec parameters. A sample one looks like this:

 1  SECURITY_FILE_VERSION: 1
 2  [INFO]
 3  Company VPN
 4  [POLICY]
 5  sa CISCO_ASA_PSK = {
 6  esp
 7  encrypt_alg 3
 8  auth_alg 2
 9  identity_remote 0.0.0.0/0
10  src_specific
11  hard_lifetime_bytes 0
12  hard_lifetime_addtime 3600
13  hard_lifetime_usetime 3600
14  soft_lifetime_bytes 0
15  soft_lifetime_addtime 3600
16  soft_lifetime_usetime 3600
17  replay_win_len 0
18  }
19
20  remote 0.0.0.0 0.0.0.0 = { CISCO_ASA_PSK(vpn.domain.com) }
21  inbound = { }
22  outbound = { }
23
24  [IKE]
25  ADDR: vpn.domain.com 255.255.255.255
26  IKE_VERSION: 1
27  MODE: Aggressive
28  REPLAY_STATUS: FALSE
29  USE_MODE_CFG: TRUE
30  IPSEC_EXPIRE: TRUE
31  USE_XAUTH: TRUE
32  USE_COMMIT: FALSE
33  ESP_UDP_PORT: 0
34  SEND_NOTIFICATION: TRUE
35  INITIAL_CONTACT: TRUE
36  USE_INTERNAL_ADDR: FALSE
37  DPD_HEARTBEAT: 90
38  NAT_KEEPALIVE: 60
39  REKEYING_THRESHOLD: 90
40  ID_TYPE: 11
41  FQDN: group
42  PRESHARED_KEYS:
43  FORMAT: STRING_FORMAT
44  KEY: 8 password
45  USE_NAT_PROBE: FALSE
46  PROPOSALS: 1
47  ENC_ALG: 3DES-CBC
48  AUTH_METHOD: PRE-SHARED
49  HASH_ALG: MD5
50  GROUP_DESCRIPTION: MODP_1024
51  GROUP_TYPE: DEFAULT
52  LIFETIME_KBYTES: 0
53  LIFETIME_SECONDS: 86400
54  PRF: NONE

When creating this file it’s handy to know what the other side is expecting otherwise a lot of trial and error is involved.

The above file works for me to connect to a Cisco ASA firewall, some key points:

  • Lines 7 & 8 (encrypt_alg and auth_alg) specify the IPsec ESP algorithms, in this case 3DES with HMAC-MD5. To use AES with HMAC-SHA1 instead, change the values on those lines to 12 and 3 respectively. 3DES and MD5 are legacy choices, so prefer AES and SHA1 if the gateway is configured to offer them.
  • Line 20 specifies the address of your VPN server, which can be either a fully-qualified domain name or an IP address.
  • Line 25 repeats the address of your VPN server, but this time you also need to specify a netmask, which in most cases is 255.255.255.255 (a single host).
  • Line 31 enables XAUTH, which common Cisco setups require: after the group authentication you log in with your own username and password, quite often linked to Active Directory or similar.
  • Lines 40 & 41 specify the first authentication step, which in my setup is a shared group name and password. ID type 11 (ID_KEY_ID in ISAKMP terms) tells the client to send the identity as an opaque byte string rather than an IP address or fully-qualified domain name, so the FQDN field on the following line simply carries the group name.
  • Line 44 specifies the group password: the value is the length of the password followed by the password itself, so the eight-character “password” becomes “8 password”. Note that this is the shared group key, not your personal XAUTH password, and because IKE aggressive mode (line 27) sends a hash derived from it in the clear, a captured exchange can be brute-forced offline, so it should be long and random.
  • Lines 47 & 49 specify the IKE (phase 1) algorithms. In contrast to the IPsec values these are spelled out by name rather than as numeric identifiers.

Both files must be saved with DOS (CRLF) line endings. You can use unix2dos(1) to convert them:

# unix2dos policy.p*

Then all that is left is to create the zip archive:

# zip policy.vpn policy.p*

It’s important that all three files share a common basename; in this example we used “policy”, but it can be anything.
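Since all of the above is scriptable, here is an added example (my code, not from the original post or from Nokia) that does the same steps in Python: it carries the sample .pol above as a template (with the braces doubled for str.format), fills in the gateway, group name and group key, computes the length prefix the KEY line needs, maps 3DES/MD5 and AES/SHA1 to the encrypt_alg/auth_alg numbers given above, writes both members with CRLF line endings under one basename, and then re-opens the archive to check those packaging rules and the KEY prefix. It also flags the combination of IKE aggressive mode with a pre-shared key, since a hash derived from the group key crosses the wire in the clear and can be brute-forced offline from a captured exchange. The AES-CBC and SHA1 spellings for the IKE proposal and the use of stored rather than deflated zip members are assumptions of mine, not something the post or the Nokia specification states.

```python
import io, re, zipfile

ESP_ENCRYPT = {"3DES": 3, "AES": 12}  # encrypt_alg values given in the post
ESP_AUTH = {"MD5": 2, "SHA1": 3}      # auth_alg values given in the post
POL_TEMPLATE = """SECURITY_FILE_VERSION: 1
[INFO]
{name}
[POLICY]
sa CISCO_ASA_PSK = {{
esp
encrypt_alg {esp_enc}
auth_alg {esp_auth}
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
replay_win_len 0
}}

remote 0.0.0.0 0.0.0.0 = {{ CISCO_ASA_PSK({gateway}) }}
inbound = {{ }}
outbound = {{ }}

[IKE]
ADDR: {gateway} 255.255.255.255
IKE_VERSION: 1
MODE: Aggressive
REPLAY_STATUS: FALSE
USE_MODE_CFG: TRUE
IPSEC_EXPIRE: TRUE
USE_XAUTH: TRUE
USE_COMMIT: FALSE
ESP_UDP_PORT: 0
SEND_NOTIFICATION: TRUE
INITIAL_CONTACT: TRUE
USE_INTERNAL_ADDR: FALSE
DPD_HEARTBEAT: 90
NAT_KEEPALIVE: 60
REKEYING_THRESHOLD: 90
ID_TYPE: 11
FQDN: {group}
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: {key_len} {key}
USE_NAT_PROBE: FALSE
PROPOSALS: 1
ENC_ALG: {ike_enc}
AUTH_METHOD: PRE-SHARED
HASH_ALG: {ike_hash}
GROUP_DESCRIPTION: MODP_1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 86400
PRF: NONE
"""

def build_vpn(stem, name, gateway, group, key, esp="3DES", esp_auth="MD5",
              ike_enc="3DES-CBC", ike_hash="MD5"):
    # Return a .vpn archive (bytes) holding <stem>.pin and <stem>.pol.
    pin = "".join(f"[{k}]\n{v}\n" for k, v in [("POLICYNAME", name), ("POLICYVERSION", "1.0"),
                  ("POLICYDESCRIPTION", ""), ("ISSUERNAME", ""), ("CONTACTINFO", "")])
    pol = POL_TEMPLATE.format(name=name, gateway=gateway, group=group, key=key,
                              key_len=len(key.encode("utf-8")),  # KEY: is "<length> <key>"
                              esp_enc=ESP_ENCRYPT[esp], esp_auth=ESP_AUTH[esp_auth],
                              ike_enc=ike_enc, ike_hash=ike_hash)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:  # stored (assumption): greppable
        for ext, text in ((".pin", pin), (".pol", pol)):
            # Both members share one basename and get DOS line endings, as unix2dos would give.
            zf.writestr(stem + ext, text.replace("\n", "\r\n").encode("utf-8"))
    return buf.getvalue()

def check_pol(text):
    # Check the [IKE] fields the post calls out; returns a list of findings.
    ike = dict(re.findall(r"^([A-Z_]+):[ \t]*(.*)$", text.replace("\r\n", "\n"), re.M))
    m = re.fullmatch(r"(\d+) (.*)", ike.get("KEY", ""))
    findings = [] if m and int(m[1]) == len(m[2].encode("utf-8")) else ["KEY: length prefix does not match the key"]
    if ike.get("MODE") == "Aggressive" and ike.get("AUTH_METHOD") == "PRE-SHARED":
        findings.append("warning: aggressive mode with a PSK lets an eavesdropper crack the group key offline")
    return findings

def check_vpn(archive):
    # Re-open a .vpn (bytes) and apply the post's packaging rules; returns a list of findings.
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        if sorted(n.rsplit(".", 1)[-1] for n in names) != ["pin", "pol"] or len({n.rsplit(".", 1)[0] for n in names}) != 1:
            findings.append(f"need exactly one .pin and one .pol sharing a basename, got {names}")
        for n in names:
            data = zf.read(n)
            if b"\n" in data.replace(b"\r\n", b""):
                findings.append(f"{n}: bare LF line endings, run unix2dos")
            if n.endswith(".pol"):
                findings += check_pol(data.decode("utf-8"))
    return findings
```

Write the bytes returned by build_vpn("policy", "Company VPN", "vpn.domain.com", "group", "password") to policy.vpn and copy that to the phone as described below; check_vpn() on the same bytes should return only the aggressive-mode warning, and a hand-edited .pol whose KEY length no longer matches the key shows up as an error before you spend time on the phone.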

Now you need to transfer the .vpn file to the phone, which can be done in any number of ways, such as USB or Bluetooth. Then open the file on the phone, which installs it as a VPN policy.

Once that’s done you need to create a VPN access point, which on my Nokia E71 is under Tools > Settings > Connection > VPN > VPN access points. There you create a new access point: give it a name, pick the policy you just installed, and choose an existing access point for it to piggyback on, such as your 3G/GPRS connection or WiFi.

With the VPN access point defined you now use it like a regular access point. One thing I haven’t managed to get working yet is split tunnelling so that while I’m using the VPN I can access regular websites, instead I have to reconnect with a non-VPN access point but this is a minor niggle.

Tethering two Nokia phones under OS X

Thursday, August 5th, 2010

Now that I’m running Snow Leopard, one thing I needed to set up again was 3G access through my phone, for the rare occasions when my ADSL drops out and I need to raise a support ticket with my ISP (yes, quite) or when I’m on the move.

I currently have a Nokia E71 on T-Mobile as a personal phone, which I think will be my last Series 60 device, although to be fair it does seem to sync with OS X pretty well. I also carry a Nokia E90 on Vodafone that my work provide for on call; it’s basically a glorified portable SSH terminal. I figured it was advisable to set both phones up, and as I don’t particularly want to carry cables for both (Nokia in their infinite wisdom used a normal mini USB plug on the E90 but a proprietary plug on the E71), Bluetooth alone was good enough for me, so off I went.

Now, if you do this the usual way, you open Bluetooth preferences, search for one phone and follow the Bluetooth Setup Assistant to pair the device and set up dial-up networking if OS X thinks the device supports it. Then you rinse and repeat for your second phone, and here’s where you come unstuck: OS X overwrites your dial-up networking configuration with whatever you specified the second time around and will only use the second phone for dial-up networking. I tried creating a second Bluetooth DUN profile, but there’s no obvious way to tie a profile to a particular phone.

So how do you do it?

Assuming you haven’t yet paired either phone, do so for each, but when you’re prompted to set up dial-up networking just continue without entering any details. This leaves the Bluetooth DUN profile in Network preferences blank, which is fine as we won’t be using it.

Now here’s the non-obvious bit. Open Bluetooth preferences and your two phones should be present in the list of devices; select one and, from the little cog menu, choose Edit Serial Ports…. My E71 already has a serial port configured here by default, whereas the E90 has none. In either case add a new serial port with the following settings:

  • Name: This will be something like NokiaE71-Dial-UpNetwork or NokiaE90-Dial-UpNetwork, the default is fine
  • Protocol: Modem
  • Service: Dial-Up Networking
  • Show in Network Preferences

[Screenshot: the Edit Serial Ports dialog]

After adding the new port for each phone, OS X should notify you and ask you to configure it. First rename the profile, which defaults to the name of the serial port and isn’t terribly user-friendly; I tend to just use the phone model here. Now, I’m terrible at remembering the 3G details, but Ross Barkman’s site is a great resource listing the settings for many network operators in various countries. For each network I only really need the APN, username and password; for T-Mobile these are:

  • APN: general.t-mobile.uk
  • Username: user
  • Password: pass

And for Vodafone, they’re:

  • APN: internet
  • Username: web
  • Password: web

The username and password go into the Account Name and Password fields. Then hit Advanced… and make sure Vendor and Model are set to Nokia and GPRS (GSM/3G) respectively; this makes the APN field visible, into which you enter the relevant value.

Now you should be able to hit Connect for either profile and after a few seconds you should be connected, signal permitting.

After working out how to do most of this, I discovered this blog post which walks you through much the same process, with pictures too.