VPN problems, XDA to Cisco PIX - MDA, XDA, 1010 General

Using XDA VPN client to make PPTP tunnel to a Cisco PIX via the O2 GPRS network. PIX is set-up for PPTP and works when I use a Windows XP client. Using XDA, the tunnel connects but won't pass traffic. Cause seems to be that XDA and PIX endlessly have a PPP negotiation argument about MPPE compression standard. Tried 40 bit and 128 bit, no luck. Anybody ever succeed with XDA VPN client at all please?
Colin

I wonder if you are having the same routing conflict I have. I can email you a fix for this if you like.

Hi Martin, thanks for reply. We don't have a 10.x.x.x subnet, although it is possible that somewhere they may have a 192.168.x.x conflicting with us. I see evidence of 10.x.x.x and 172.x.x.x by probing. As the tunnel gets set up and authenticated, I supposed it wasn't routing causing my problem. From the PIX I see the PPP negotiation problem. Have you had success with the XDA VPN client?

Yes I have, but I was using an MS RAS server on the other end (and GPRS as the carrier network).

Hi Martin,
OK, it looks like the PPP negotiation problems have gone away, no clue why. Now I do have a routing problem it seems. Traceroute on XDA to my target 192.168.1.74 shows the following, up to a point where ICMP gets denied:-
172.26.248.210 (PRIVATE)
193.113.199.59 (GENIE/BT)
193.113.235.161 (Genie/BT)
193.113.199.130 (BT)
62.7.239.1 (BT)
*.*.*.* no response
Looks like BT have a 192.168.x.x subnet out there beyond 62.7.239.1. Is this similar to the routing problem you found a fix for? If so, what did you do please?
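
Added example, not part of the original thread: a Python check of the traceroute posted above. It flags a private (RFC 1918) destination whose path crosses a public router, which means the packet left by the default route rather than through the tunnel, and it lists overlapping local/remote prefixes of the kind behind a routing conflict. The function names and the prefixes passed to `conflicting_routes` are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_internal(addr):
    """True if addr is in a range that is never routed on the public Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def diagnose(target, hops):
    """Return (verdict, first_public_hop) for a traceroute towards target.

    hops is the ordered list of responding addresses; "*" marks a hop
    that did not answer.
    """
    if not is_internal(target):
        return ("target-is-public", None)
    for hop in hops:
        if hop == "*":
            continue
        if not is_internal(hop):
            # A private destination should never reach a public router:
            # the packet followed the default route, not the tunnel.
            return ("outside-tunnel", hop)
    return ("no-public-hop", None)


def conflicting_routes(local_nets, remote_nets):
    """Pairs of local and remote prefixes that overlap, so the client
    cannot tell on which side of the tunnel a destination lives."""
    pairs = []
    for local in local_nets:
        for remote in remote_nets:
            if ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote)):
                pairs.append((local, remote))
    return pairs


# Hop list as posted in the thread; the last hop gave no response.
HOPS = ["172.26.248.210", "193.113.199.59", "193.113.235.161",
        "193.113.199.130", "62.7.239.1", "*"]

if __name__ == "__main__":
    print(diagnose("192.168.1.74", HOPS))
    # Constructed prefixes, for illustration only.
    print(conflicting_routes(["192.168.0.0/16"], ["192.168.1.0/24", "10.1.0.0/16"]))
```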

martinlong1978 said:
I wonder if you are having the same routing conflict I have. I can email you a fix for this if you like.
Hi, same here. I establish the VPN connection but then it's no use as nothing works: no remote desktop, no intranet site. Please let me know the fix. My email is [email protected]

I tested the WM5/6 PPTP VPN Client on the Wizard with a PIX running 6.3(5) and had problems with MPPE - like you, the VPN would connect however I couldn't pass any traffic. I debugged the PIX and it was pointing to the encryption. I disabled encryption on the PIX and it worked, obviously though this isn't acceptable. I tested the same but using a Windows 2003 Server as the VPN device and this worked, so it is some incompatibility between the PIX implementation of MPPE and the WM5/6 PPTP client (XP client worked OK with the PIX).
I ended up getting L2TP/IPSec working and have used this since. There is more to configure on the PIX side but it's still achievable and it's more secure than PPTP, plus this is where the technology is moving to anyway. PIX version 7 doesn't support PPTP anymore either.
Andy

Related

VPN under WM2003 - MPPE Question

I am trying to set up a vpn connection on the xda. I can get this to work if I set up my firewall to accept un-encrypted data, but obviously this is not the best.
Does WM2003 support MPPE encryption? At what level (ie. 40 bit, 50-whatever bit, 128 bit)?
Thanks,
Cuinn.
VPN connection from XDA
Unless you use a client for your firewall (SecuRemote for Checkpoint / EasyVPN and others for Cisco) you can only initiate L2TP or PPTP connections which will terminate fine onto a 2000 server / ISA server even over a Natted connection.
Bear in mind if you use a client, SecuRemote grinds my connection to a halt over GPRS as the processing overhead on the XDA is horrendous. L2TP/PPTP terminated on an MS ISA server seems the best solution. You can always hide ISA behind your proper firewall for added security, but the licensing will cost you unless you already use it as a proxy etc.
Thanks Pete,
I am running a PPTP VPN currently, which should support MPPE Data Encryption, but which does not seem to work. I have a PIX firewall, so I have also tried Movian VPN client, but I also am unable to get this to work at all. I can use PPTP if I accept un-encrypted data, but would prefer all data to be encrypted. I am terminating the VPN on my PIX which supports either 40 bit or 128 bit MPPE and the question I really want answered is does WM2003 PPTP VPN support MPPE and at what encryption level?
Cuinn.
PPTP Vpn
Following earlier post, I found this in the Checkpoint SecureClient for PPC docs.
3. Is the Client supposed to be able to connect to the Check Point gateway when cradled?
When cradled, the client may use the ActiveSync pass-through connection mechanism.
Since the current version of Win CE SecureClient does not support encryption via pass-through connection, you will be able to authenticate to your gateway, if it allows unencrypted authentication. This means that you will be able to add a new site this way, but not to use VPN (encrypted) communications with it.
Just thought of your situ, maybe this helps. And it's about time Checkpoint write a client that works with WM2003!. Just my two penneth!
The pass-through connection only supports TCP/IP (up to a certain point) and does not support UDP at all.
Hence VPN connections via the cradle will not work (PPTP and L2TP both use UDP, and I assume the other VPN/IPSec implementations do as well)
VPN client connection over GPRS
After some serious testing I can confirm on Windows 2003 server (not 2000) and ISA server 2000 on it, you can successfully run GPRS connection with L2TP or PPTP happily via a natted GPRS IP address. This has saved me LOADS of hassle with a business implementation. It hands over between cells on the mobile network, can get new IP address (which seems to happen on Vodafone handover a lot) and still maintain the connection (well really quickly re-make it, almost seamlessly)
Finally, I have raised a call with Checkpoint about SecuRemote client for WM 2003 and they still will give no fixed date, stating still within 6 months..... I hate them!
Anyway, the full MS implementation is working well, currently around 250 handsets on it, only another 350+ to go!

Webserver using mobile connection

I have never got any app that hosts web page to work when I'm using mobile connection.
Wlan connection always works and other users seem to get it working using mobile connection.
Same problem with all ROMs that I have used. How to fix?
Mehumummo said:
I have never got any app that hosts web page to work when I'm using mobile connection.
Wlan connection always works and other users seem to get it working using mobile connection.
Same problem with all ROMs that I have used. How to fix?
Ummm. What network are you on? Remember most networks use NAT to save IP addresses. So your web server might only work for other users on the same subnet of your provider.
A phone isn't an ideal server. Can't you spend $1 or so per month on shared hosting on a server somewhere?
This is why it works on WiFi, as you have a dedicated IP address.
How can an incoming connection to 155.55.55.55 (for example, which covers all your network's users) know to direct an incoming port 80 (web) request to your phone? As opposed to the many other people that would try this?
I think Vodafone UK gives individual IPs though, so you could switch provider if it matters.
anon2122 said:
Ummm. What network are you on? Remember most networks use NAT to save IP addresses. So your web server might only work for other users on the same subnet of your provider.
A phone isn't an ideal server. Can't you spend $1 or so per month on shared hosting on a server somewhere?
This is why it works on WiFi, as you have a dedicated IP address.
How can an incoming connection to 155.55.55.55 (for example, which covers all your network's users) know to direct an incoming port 80 (web) request to your phone? As opposed to the many other people that would try this?
I think Vodafone UK gives individual IPs though, so you could switch provider if it matters.
I do know what NAT is (as it always ruins everything). I was not aware that mobile connection uses NAT as I imagined that operators don't put their users under the same IP.
I'm not hosting something that any server could, mostly access to my phone:
files, sms, remote usage etc.
So there is no way but change operator?
Mehumummo said:
I do know what NAT is (as it always ruins everything). I was not aware that mobile connection uses NAT as I imagined that operators don't put their users under the same IP.
I'm not hosting something that any server could, mostly access to my phone:
files, sms, remote usage etc.
So there is no way but change operator?
T-mobile definitely uses nat, as I have tried to ssh into my phone etc. I needed to make a listen server and dial into it from the phone.
So what you are doing needs a unique IP or UPnP support (which I doubt Android can do). But also it needs an ISP that doesn't block ports or anything.
We use vodafone sims for remotely connecting to remote wind farms, as it allows incoming radmin connections.
anon2122 said:
So what you are doing needs a unique ip or upnp support (which I doubt android can do).
I guess that no operator supports UPnP/IGD to poke holes in their NAT.
If it's only for transferring files, SwiFTP supports a proxy server that is provided by the author. SwiFTP doesn't support SSL, and I don't think that I would want to send the plain text password to my phone over the Internet.
Another possibility is a VPN from the phone to the PC or router. Then you can start a server like kWS, Android Desktop, PAW Server, I-Jetty, WebFileSystem, etc.
VPN sounds good, gonna try when I get to home.
I can get connection using vpn.
However, if there is no connection for a short time or the phone is restarted then the VPN connection goes away.
I would like it to reconnect asap but it isn't meant to be that way :/
Couldn't find anything to reconnect vpn.
I didn't try the built-in VPNs (Android 2.1), but it works fine with OpenVPN: even when changing from Wifi to 3G it reconnects after a few seconds. You need root for OpenVPN AFAIK. It works great with VillainROM 12 which comes with OpenVPN. There's a guide at the VillainROM forums.
Thanks got it working
Lol huge decrease to battery life, suppose you don't have any hints for that?

[Q] What is the Best VPN app for cisco firewall

Which is the best VPN software for Windows Mobile 6.5? I am wanting to connect to our work firewall which is a cisco concentrator using Ipsec and group authentication.
I have Tried NCP secure client, AnthaVPN
NCP Secure Client - Works but not well, constantly crashes and the GUI is not very friendly for non-techy staff which I want to roll VPN access out to.
AnthaVPN - Can not get this to work at all!
Bluefiresecurity - Looks like they have gone bust as their website no longer exists.
Is there a way to make 6.5 work out of the box or using scripts to connect? If not I am willing to pay for software just needs one that works properly and with a half decent GUI.
Thanks Guys.
Gazos
Can anyone help? Pretty desperate.
Gazos said:
Which is the best VPN software for Windows Mobile 6.5? I am wanting to connect to our work firewall which is a cisco concentrator using Ipsec and group authentication.
I have Tried NCP secure client, AnthaVPN
NCP Secure Client - Works but not well, constantly crashes and the GUI is not very friendly for non-techy staff which I want to roll VPN access out to.
AnthaVPN - Can not get this to work at all!
Bluefiresecurity - Looks like they have gone bust as their website no longer exists.
Is there a way to make 6.5 work out of the box or using scripts to connect? If not I am willing to pay for software just needs one that works properly and with a half decent GUI.
Thanks Guys.
Gazos
Update on Status:
NCP Secure Client - Still buggy
AnthaVPN - does not work well with 6.5 as it messes with registry and kills wifi
BlueFiresecurity - No Longer Available
Symantec Mobile VPN - Awesome app works a treat NO LONGER AVAILABLE TO PURCHASE ARHHHHHHHHHHHHHHHHHH!!!!!!!!!!!
Somebody must know the answer to this
Looks like it's using the terrible NCP then
I don't think this will help, but I use the Cisco AnyConnect client. Unfortunately the VPN concentrator has to be AnyConnect compatible. The standard PIX, FWSM and 3000 series concentrators aren't. But we are in the process of changing to a Cisco ASA solution, and while testing this it's the first time I can connect my HD2 to work's VPN reliably.
996r said:
I don't think this will help, but I use the Cisco AnyConnect client. Unfortunately the VPN concentrator has to be AnyConnect compatible. The standard PIX, FWSM and 3000 series concentrators aren't. But we are in the process of changing to a Cisco ASA solution, and while testing this it's the first time I can connect my HD2 to work's VPN reliably.
Thanks for the reply. Unfortunately our network is behind several firewalls and we actually use an ASA, but the first firewall in the line which we use to connect through to our network on a VPN is an old concentrator which we have no control/access over.

[Q] VPN - Connecting to servers by name

I have installed OpenVPN as per instructions I found on these forums and am using VPNC to connect, which I can do successfully. VPNC reports that I don't have Advanced Routing enabled, which is likely true, but I am not worried about that at the moment. I can ping and RDP to servers by IP but not by name. A friend of mine has a different phone and the same issue. Our VPN is a Cisco setup.
I am using a Sony Ericsson Xperia X10 with Gingerbread and the phone is rooted.
The question is how can I configure things so that I can reference things on the network by name and not have to use only IP addresses?
Thank you.
Ok, FQDN and IP work. Just not going with just the name of the server alone.
Added --domain <domain name> to the option flags. Didn't change things.
thanks for info

[Q] IPSEC VPN PSK+XAUTH on ICS?

Has anyone tried using an IPSEC VPN connection - type PSK with XAUTH to connect to a VPN?
I've used the settings I've entered on iphones, ipads and with numerous software VPN clients, both Windows and Mac. I simply cannot get it to connect.
I've looked at the logs on the firewall - The SA and username look correct, but it still says that there is no match found.
Has anyone tried this or any other VPN type with any success?
Thanks!
This is a known open issue (bug) - no. 23124
Sucks.
Thanks for the info! Wish it had been better news :-D
