Hello, I found this while surfing the web:

PIX and Nokia Communicator 9500/9300(i)

From: Jyri Korhonen
Date: Wed 8 Mar 2006 15:15
E-Mail: "Jyri Korhonen" <korh dot dot dot at POISSPAMMIThotmail dot com>
Newsgroups: comp.dcom.sys.cisco

It seems that the only Cisco products that Nokia officially supports are the Cisco VPN 3000 Series Concentrators. However, with a little help from Nokia I did succeed in making the Nokia VPN client work with PIX 6.3(5). So I decided to post some instructions.

In PIX I used a simple configuration with pre-shared keys, DES, MD5 and Diffie-Hellman group 2, but Nokia's client also supports the alternatives (3DES, AES, SHA-1, 1536-bit groups, NAT-Traversal etc.). The hard part is the phone, and the hardest part was finding how you should begin.

Basically you'll need:

- Nokia Communicator 9500/9300(i)
- Nokia PC Suite program for your Communicator (usually comes with the phone)
- Nokia VPN Client for your Communicator (downloadable from Nokia's pages)
- MAKESIS.EXE - a command line program for creating Symbian Software Installation (SIS) files. I don't know how you can get this easily. I had to download a 127 MB Symbian SDK from http://www.forum.nokia.com to get this program (size about 300 kB).
- a text editor like Notepad

Then you create three text files (below), put them in the same folder as MAKESIS.EXE, run

    makesis VPN-policy-preshared-Cisco.pkg

to create the SIS installation package and install the package into your phone. Finally you create a new VPN Access Point in your phone, select the VPN policy you just installed to the new VPN Access Point and you are ready.

The three text files are

- VPN-policy-preshared-Cisco.pin
- VPN-policy-preshared-Cisco.pol
- VPN-policy-preshared-Cisco.pkg

The contents of the files you can see below. Note that you must edit the .pol file to match the configuration of your PIX. I have added comments to the .pol file and marked them with a star (*). Remove the comments.

--- VPN-policy-preshared-Cisco.pin

    [POLICYNAME]
    VPN Policy
    [POLICYDESCRIPTION]
    VPN-policy-preshared-cisco.pol for Nokia Mobile VPN Client v3.0.
    [POLICYVERSION]
    1.1
    [ISSUERNAME]
    Do not edit
    [CONTACTINFO]
    Do not edit

--- VPN-policy-preshared-Cisco.pol

    SECURITY_FILE_VERSION: 3
    [INFO]
    VPN-policy-preshared-cisco.pol for Nokia Mobile VPN Client v3.0.
    [POLICY]
    sa ipsec_1 = {
    esp
    encrypt_alg 12 * 2=DES, 3=3DES, 12=AES
    max_encrypt_bits 256 * needed only for AES, remove if not
    auth_alg 3 * 2=MD5, 3=SHA-1
    identity_remote 0.0.0.0/0 * remote network
    pfs * can be removed if PFS is not in use
    src_specific
    hard_lifetime_bytes 0
    hard_lifetime_addtime 3600
    hard_lifetime_usetime 3600
    soft_lifetime_bytes 0
    soft_lifetime_addtime 3600
    soft_lifetime_usetime 3600
    }
    remote 0.0.0.0 0.0.0.0 = { ipsec_1(123.45.67.89) } * remote network and address of the PIX
    inbound = { }
    outbound = { }
    [IKE]
    ADDR: 123.45.67.89 255.255.255.255 * PIX
    MODE: Aggressive * other is MAIN
    SEND_NOTIFICATION: TRUE
    ID_TYPE: 11 * do not touch
    FQDN: PreSharedGroup * name of the vpngroup
    GROUP_DESCRIPTION_II: MODP_1536 * for DH group 2 use 1024
    USE_COMMIT: FALSE
    IPSEC_EXPIRE: FALSE
    SEND_CERT: FALSE
    INITIAL_CONTACT: FALSE
    RESPONDER_LIFETIME: TRUE
    REPLAY_STATUS: TRUE
    USE_INTERNAL_ADDR: FALSE
    USE_NAT_PROBE: FALSE * do not touch
    ESP_UDP_PORT: 0 * do not touch
    NAT_KEEPALIVE: 60
    USE_XAUTH: TRUE * true or false
    USE_MODE_CFG: TRUE * true or false
    REKEYING_THRESHOLD: 90
    PROPOSALS: 1
    ENC_ALG: AES256-CBC * I used DES-CBC
    AUTH_METHOD: PRE-SHARED
    HASH_ALG: SHA1
    GROUP_DESCRIPTION: MODP_1536 * for DH group 2 use 1024
    GROUP_TYPE: DEFAULT
    LIFETIME_KBYTES: 0
    LIFETIME_SECONDS: 28800
    PRF: NONE
    PRESHARED_KEYS:
    FORMAT: STRING_FORMAT
    KEY: 8 password * the number is the length of the password

--- VPN-policy-preshared-Cisco.pkg

    ;
    ; A VPN POLICY PACKAGE
    ;
    ; LANGUAGES
    ; - None (English only by default)
    ; INSTALLATION HEADER
    ; - Only one component name is needed to support English only
    ; - UID is the UID of the VPN Policy Installer application
    #{"VPN Policy"},(0x1000597E),1,0,0,TYPE = SISCONFIG
    ; LIST OF FILES
    ; Policy file
    "VPN-policy-preshared-Cisco.pol"-"C:\System\Data\Security\Install\VPN-policy-preshared-Cisco.pol"
    ; Policy-information file
    ; - NOTE: The policy-information file MUST be the last file in this
    ; list!
    ; - FM (FILEMIME) passes the file to the respective MIME handler
    ; (in this case, the VPN Policy Installer
    ; application).
    "VPN-policy-preshared-Cisco.pin"-"C:\System\Data\Security\Install\VPN-policy-preshared-Cisco.pin", FM, "application/x-ipsec-policy-info"
    ; REQUIRED FILES
    ; - The VPN Policy Installer application
    (0x1000597E), 1, 0, 0, {"VPN Policy Installer"}

Found on Google Groups: http://groups.google.ch/group/comp.dcom.sys.cisco/browse_thread/thread/86139e1a50ddfec9/dc95b0b51476d8e8?lnk=st&q=nokia+9300+%2Bvpn&rnum=1&hl=de#dc95b0b51476d8e8

--
STASOFT AG
P: +41 61 726 80 70
F: +41 61 726 80 79
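
An added example, not part of the original post or of Nokia's tooling: a pre-flight check for the edited .pol file before it is packaged with makesis. It catches the editing mistakes the instructions leave room for (star comments not removed, a KEY length prefix that does not match the key) and flags the weak choices the post mentions (DES, MD5, 1024-bit DH, aggressive mode with a pre-shared key). The function name, the finding codes and the `MD5` / `MODP_1024` value spellings are assumptions.

```python
import re

# Constructed sample: the post's .pol template edited down to DES/MD5/DH group 2,
# one star comment left in, wrong key-length prefix. "MD5" and "MODP_1024" are
# assumed spellings; the post itself shows only SHA1 and MODP_1536.
SAMPLE_POL = """\
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 2
auth_alg 2 * 2=MD5, 3=SHA-1
}
[IKE]
MODE: Aggressive
ENC_ALG: DES-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: MD5
GROUP_DESCRIPTION: MODP_1024
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 8 s3cretpassphrase
"""

WEAK_IKE = {("ENC_ALG", "DES-CBC"): "IKE_DES", ("HASH_ALG", "MD5"): "IKE_MD5",
            ("GROUP_DESCRIPTION", "MODP_1024"): "DH_1024",
            ("GROUP_DESCRIPTION_II", "MODP_1024"): "DH_1024"}

def lint_pol(text):
    """Return sorted finding codes for a Nokia VPN client .pol policy file."""
    found, ike = set(), {}
    for line in (l.strip() for l in text.splitlines()):
        # KEY lines are exempt: a key may contain " * "; the length check covers them.
        if " * " in line and not line.startswith("KEY:"):
            found.add("STAR_COMMENT_LEFT")
            line = line.split(" * ", 1)[0].strip()
        m = re.fullmatch(r"(encrypt_alg|auth_alg)\s+(\d+)", line)
        if m and m.group(2) == "2":  # per the post: encrypt_alg 2=DES, auth_alg 2=MD5
            found.add("ESP_DES" if m.group(1) == "encrypt_alg" else "ESP_MD5")
        m = re.fullmatch(r"([A-Z_]+):\s*(.*)", line)
        if m:
            ike[m.group(1)] = m.group(2)
    found.update(code for (k, v), code in WEAK_IKE.items() if ike.get(k) == v)
    # Aggressive mode with a pre-shared key exposes the auth hash to offline guessing.
    if ike.get("MODE") == "Aggressive" and ike.get("AUTH_METHOD") == "PRE-SHARED":
        found.add("AGGRESSIVE_PSK")
    m = re.fullmatch(r"(\d+) (.*)", ike.get("KEY", ""))
    if m and int(m.group(1)) != len(m.group(2)):
        found.add("KEY_LENGTH_MISMATCH")
    return sorted(found)
```

A policy that uses the post's AES256-CBC, SHA1, MODP_1536 values in Main mode with a correct KEY length prefix produces no findings.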