VPN under WM2003 - MPPE Question - MDA, XDA, 1010 General

I am trying to set up a vpn connection on the xda. I can get this to work if I set up my firewall to accept un-encrypted data, but obviously this is not the best.
Does WM2003 support MPPE encryption? At what level (ie. 40 bit, 50-whatever bit, 128 bit)?
Thanks,
Cuinn.

VPN connection from XDA
Unless you use a client for your firewall (SecuRemote for Checkpoint / EasyVPN and others for Cisco) you can only initiate L2TP or PPTP connections, which will terminate fine onto a 2000 server / ISA server even over a NATted connection.
Bear in mind that if you use a client, SecuRemote grinds my connection to a halt over GPRS as the processing overhead on the XDA is horrendous. L2TP/PPTP terminated on an MS ISA server seems the best solution. You can always hide ISA behind your proper firewall for added security, but the licensing will cost you unless you already use it as a proxy etc.

Thanks Pete,
I am running a PPTP VPN currently, which should support MPPE Data Encryption, but which does not seem to work. I have a PIX firewall, so I have also tried Movian VPN client, but I also am unable to get this to work at all. I can use PPTP if I accept un-encrypted data, but would prefer all data to be encrypted. I am terminating the VPN on my PIX which supports either 40 bit or 128 bit MPPE and the question I really want answered is does WM2003 PPTP VPN support MPPE and at what encryption level?
Cuinn.

PPTP Vpn
Following earlier post, I found this in the Checkpoint SecureClient for PPC docs.
3. Is the Client supposed to be able to connect to the Check Point gateway when cradled?
When cradled, the client may use the ActiveSync pass-through connection mechanism.
Since the current version of Win CE SecureClient does not support encryption via pass-through connection, you will be able to authenticate to your gateway, if it allows unencrypted authentication. This means that you will be able to add a new site this way, but not to use VPN (encrypted) communications with it.
Just thought of your situation, maybe this helps. And it's about time Checkpoint wrote a client that works with WM2003! Just my two penneth!

The pass-through connection only supports TCP/IP (up to a certain point) and does not support UDP at all.
Hence VPN connections via the cradle will not work (PPTP and L2TP both use UDP, and I assume the other VPN/IPSec implementations do as well)

VPN client connection over GPRS
After some serious testing I can confirm that on Windows 2003 server (not 2000) with ISA server 2000 on it, you can successfully run a GPRS connection with L2TP or PPTP happily via a NATted GPRS IP address. This has saved me LOADS of hassle with a business implementation. It hands over between cells on the mobile network, can get a new IP address (which seems to happen on Vodafone handover a lot) and still maintains the connection (well, really quickly re-makes it, almost seamlessly).
Finally, I have raised a call with Checkpoint about Securemote client for WM 2003 and they still will give no fixed date, stating still within 6 months..... I hate them!
Anyway, the full MS implementation is working well, currently around 250 handsets on it, only another 350+ to go!
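The posts above turn on which VPN transports survive a NATted GPRS address and which do not. The following added example (written for this page, not code from the thread or from any vendor) classifies constructed IPv4 packets by VPN transport and states what a NAT device in the path has to do for each. PPTP's control channel is TCP 1723 and its data channel is GRE (IP protocol 47) carrying PPP, which has no port numbers, so a NAT needs a PPTP-aware helper that rewrites call IDs; L2TP is UDP 1701 and IPsec NAT traversal is UDP 4500. The packet builders exist only to construct the samples.

```python
"""Classify VPN transport from an IPv4 packet and note its NAT requirements.
Added example: the packets below are constructed, not captured."""
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_GRE_PROTOTYPE = 0x880B  # PPP inside enhanced GRE (RFC 2637)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp_syn(sport: int, dport: int) -> bytes:
    # 20-byte TCP header: data offset 5, SYN flag, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_pptp_gre(call_id: int, ppp_frame: bytes) -> bytes:
    # Enhanced GRE: K bit set (key = payload length + call ID), version 1
    return struct.pack("!BBHHH", 0x20, 0x01, PPTP_GRE_PROTOTYPE,
                       len(ppp_frame), call_id) + ppp_frame


def classify(pkt: bytes) -> tuple:
    """Return (kind, note) for one IPv4 packet."""
    vihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    body = pkt[(vihl & 0x0F) * 4:total_len]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        if 1723 in (sport, dport):
            return ("pptp-control", "TCP 1723: plain TCP, any NAT handles it")
    elif proto == IPPROTO_GRE:
        flags, ver, ptype = struct.unpack("!BBH", body[:4])
        if (ver & 0x07) == 1 and ptype == PPTP_GRE_PROTOTYPE and flags & 0x20:
            _, call_id = struct.unpack("!HH", body[4:8])
            return ("pptp-data", f"GRE call ID {call_id}: no ports, NAT needs a "
                                 "PPTP helper that tracks and rewrites call IDs")
        return ("gre", "generic GRE: no ports, not NAT-friendly")
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        ports = {sport, dport}
        if 1701 in ports:
            return ("l2tp", "UDP 1701: passes NAT, normally wrapped in IPsec")
        if 500 in ports:
            return ("ike", "UDP 500: IKE passes NAT, the raw ESP that follows does not")
        if 4500 in ports:
            return ("ipsec-nat-t", "UDP 4500: UDP-encapsulated ESP, survives NAT")
    elif proto == IPPROTO_ESP:
        return ("esp", "raw ESP (IP proto 50): no ports, breaks behind NAT unless NAT-T is used")
    return ("other", f"IP protocol {proto}")


if __name__ == "__main__":
    samples = [
        build_ipv4(IPPROTO_TCP, "10.0.0.2", "192.0.2.1", build_tcp_syn(40000, 1723)),
        build_ipv4(IPPROTO_GRE, "10.0.0.2", "192.0.2.1", build_pptp_gre(7, b"\xff\x03\xc0\x21")),
        build_ipv4(IPPROTO_UDP, "10.0.0.2", "192.0.2.1", build_udp(4500, 4500, b"\x00" * 8)),
        build_ipv4(IPPROTO_ESP, "10.0.0.2", "192.0.2.1", b"\x00" * 16),
    ]
    for p in samples:
        print(*classify(p), sep=": ")
```

The same check run over a real capture (feed each IPv4 frame to `classify`) tells you quickly whether a stalled tunnel is stuck at the control channel or at a GRE/ESP data channel that the carrier NAT silently dropped.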


VPN problems, XDA to Cisco PIX

Using XDA VPN client to make PPTP tunnel to a Cisco PIX via the O2 GPRS network. PIX is set-up for PPTP and works when I use a Windows XP client. Using XDA, the tunnel connects but won't pass traffic. Cause seems to be that XDA and PIX endlessly have a PPP negotiation argument about MPPE compression standard. Tried 40 bit and 128 bit, no luck. Anybody ever succeed with XDA VPN client at all please?
Colin
I wonder if you are having the same routing conflict I have. I can email you a fix for this if you like.
Hi Martin, thanks for reply. We don't have a 10.x.x.x subnet, although it is possible that somewhere they may have a 192.168.x.x conflicting with us. I see evidence of 10.x.x.x and 172.x.x.x by probing. As the tunnel gets set up and authenticated, I supposed it wasn't routing causing my problem. From the PIX I see the PPP negotiation problem. Have you had success with the XDA VPN client?
Yes I have, but I was using an MS RAS server on the other end (and GPRS as the carrier network).
Hi Martin,
OK, it looks like the PPP negotiation problems have gone away, no clue why. Now I do have a routing problem it seems. Traceroute on XDA to my target 192.168.1.74 shows the following, up to a point where ICMP gets denied:-
172.26.248.210 (PRIVATE)
193.113.199.59 (GENIE/BT)
193.113.235.161 (Genie/BT)
193.113.199.130 (BT)
62.7.239.1 (BT)
*.*.*.* no response
Looks like BT have a 192.168.x.x subnet out there beyond 62.7.239.1. Is this similar to the routing problem you found a fix for? If so, what did you do please?
martinlong1978 said:
I wonder if you are having the same routing conflict I have. I can email you a fix for this if you like.
Hi, same here. I establish the VPN connection but then it's no use as nothing works: no remote desktop, no intranet site. Please let me know the fix. My email is [email address redacted]
I tested the WM5/6 PPTP VPN Client on the Wizard with a PIX running 6.3(5) and had problems with MPPE - like you, the VPN would connect however I couldn't pass any traffic. I debugged the PIX and it was pointing to the encryption. I disabled encryption on the PIX and it worked, obviously though this isn't acceptable. I tested the same but using a Windows 2003 Server as the VPN device and this worked, so it is some incompatibility between the PIX implementation of MPPE and the WM5/6 PPTP client (XP client worked OK with the PIX).
I ended up getting L2TP/IPSec working and have used this since. There is more to configure on the PIX side but it's still achievable and it's more secure than PPTP, plus this is where the technology is moving to anyway. PIX version 7 doesn't support PPTP anymore either.
Andy
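Several posts in this thread describe the same symptom: the PPTP tunnel authenticates but the two ends never settle on MPPE, so no data flows. MPPE is negotiated inside PPP's Compression Control Protocol as option type 18, whose 32-bit Supported Bits word carries one flag per key length (40, 56 or 128 bit) plus a stateless-mode bit and the MPPC compression bit (RFC 3078). The following added example, written for this page and not taken from the thread, decodes that option from constructed CCP frames and models the outcome of the exchange; when the two sides advertise no common key length the function returns None, which is what the endless Configure-Nak/Reject "argument" on the PIX looks like. The negotiation logic is a deliberately simplified model, not a full CCP state machine.

```python
"""PPP CCP option 18 (MPPE/MPPC, RFC 3078): decode the Supported Bits field and
model which key length two peers can agree on. Added example, not code from the
thread; the frames below are constructed."""
import struct

CCP_OPT_MPPE = 18

# Bit assignments in the 32-bit "Supported Bits" word (RFC 3078, section 2).
MPPE_H = 0x01000000  # stateless mode: re-key on every packet
MPPE_M = 0x00000080  # 56-bit session keys
MPPE_S = 0x00000040  # 128-bit session keys
MPPE_L = 0x00000020  # 40-bit session keys
MPPC_C = 0x00000001  # MPPC compression, not encryption

KEY_LENGTH = {MPPE_S: 128, MPPE_M: 56, MPPE_L: 40}  # strongest first


def parse_ccp_options(payload: bytes) -> dict:
    """Walk the type/length/value options of a CCP Configure-* payload.
    Returns {option_type: value_bytes}; rejects truncated or oversized options."""
    opts, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated option header")
        typ, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad length {length} for option {typ}")
        opts[typ] = payload[i + 2:i + length]
        i += length
    return opts


def mppe_bits(opts: dict):
    """Supported Bits word from a parsed option set, or None if MPPE was not offered."""
    raw = opts.get(CCP_OPT_MPPE)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("MPPE option must be exactly 6 bytes long")
    return struct.unpack("!I", raw)[0]


def describe(bits: int) -> list:
    """Human-readable list of what a Supported Bits word asks for."""
    names = [f"{n}-bit" for b, n in KEY_LENGTH.items() if bits & b]
    if bits & MPPE_H:
        names.append("stateless")
    if bits & MPPC_C:
        names.append("MPPC")
    return names


def negotiate(our_bits: int, peer_bits: int):
    """Simplified model of the CCP exchange: keep the strongest key length both
    sides advertise, and stateless mode only if both asked for it. Returns the
    bits we would put in our Configure-Ack/Nak, or None when there is no common
    key length (one end 40-bit only, the other 128-bit only), which in practice
    shows up as the Nak/Reject loop seen on the PIX."""
    common = our_bits & peer_bits
    for b in (MPPE_S, MPPE_M, MPPE_L):
        if common & b:
            return b | (common & MPPE_H)
    return None


def build_mppe_option(bits: int) -> bytes:
    """Encode option 18 as it appears inside a CCP Configure-Request."""
    return bytes([CCP_OPT_MPPE, 6]) + struct.pack("!I", bits)


if __name__ == "__main__":
    # Constructed client request: 128-bit or 40-bit, stateless; server wants 128 only.
    req = build_mppe_option(MPPE_S | MPPE_L | MPPE_H)
    client = mppe_bits(parse_ccp_options(req))
    print("client offers:", describe(client))
    print("agreed with a 128-bit-only server:", describe(negotiate(MPPE_S, client) or 0) or "nothing")
    print("agreed with a 40-bit-only server:", describe(negotiate(MPPE_L, MPPE_S) or 0) or "nothing")
```

When debugging a PIX or RAS box, the bytes after `18 06` in the CCP Configure-Request and the Configure-Nak that answers it are what to compare; if the two words never share an S, M or L bit the tunnel will authenticate and then stall exactly as described above.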

Remote Deskop Fix

I set up remote desktop on my PC from my TP and it looked awesome. It works, but I have to be connected to my home WiFi while connecting. I want to be able to connect anywhere I have data, not just WiFi. Is there a way I can get this done? I'm using a Sprint TP with NFSFAN's WM6.5.5 v1.05 ROM and WXP Pro
It's possible and I'm not sure why you're having an issue connecting to it. I have been able to connect from outside my network with no real issues. It was easier when I had DSL with a static IP.
... you posted this question in another thread and received your answer there.
You have a dynamic IP and need to utilize a dynamic DNS service in order to get to your PC all the time. A client application is installed on the PC that monitors the IP address and updates the DNS web application, so when you point the Touch Pro remote desktop client at your unique URL set up through a dynamic DNS service, it will always find your PC. Simplest answer.
Alternatively, call your ISP and change your plan from residential to business, but make sure you can get a static IP address.
x2, if you do have a dynamic IP, you'll need a DNS service. I use dyndns.org. Free and works great. A little program goes on my server to update the IP address, and all I have to do to access my remote desktop is type in the dyndns.org address that I picked and it points me right to my server, via phone and computer.
If you have Time Warner, I hear they do not do static IPs for non-business.

Webserver using mobile connection

I have never got any app that hosts web page to work when I'm using mobile connection.
Wlan connection always works and another users seem to get it working using mobile connection.
Same problem with all ROMs that I have used. How to fix?
Mehumummo said:
I have never got any app that hosts web page to work when I'm using mobile connection.
Wlan connection always works and another users seem to get it working using mobile connection.
Same problem with all ROMs that I have used. How to fix?
Ummm. What network are you on? Remember most networks use NAT to save IP addresses. So your web server might only work for other users on the same subnet of your provider.
A phone isn't an ideal server. Can't you spend $1 or so per month on shared hosting on a server somewhere?
This is why it works on WiFi, as you have a dedicated IP address.
How can an incoming connection to 155.55.55.55 (for example, which covers all your network's users) know to direct an incoming port 80 (web) request to your phone? As opposed to the many other people that would try this?
I think Vodafone UK gives individual IPs though, so you could switch provider if it matters
anon2122 said:
Ummm. What network are you on? Remember most networks use NAT to save IP addresses. So your web server might only work for other users on the same subnet of your provider.
A phone isn't an ideal server. Can't you spend $1 or so per month on shared hosting on a server somewhere?
This is why it works on WiFi, as you have a dedicated IP address.
How can an incoming connection to 155.55.55.55 (for example, which covers all your network's users) know to direct an incoming port 80 (web) request to your phone? As opposed to the many other people that would try this?
I think Vodafone UK gives individual IPs though, so you could switch provider if it matters
I do know what NAT is (as it always ruins everything). I was not aware that a mobile connection uses NAT, as I imagined that operators don't put their users under the same IP.
I'm not hosting something that any server could, mostly access to my phone:
files, sms, remote usage etc.
So there is no way but change operator?
Mehumummo said:
I do know what NAT is (as it always ruins everything). I was not aware that a mobile connection uses NAT, as I imagined that operators don't put their users under the same IP.
I'm not hosting something that any server could, mostly access to my phone:
files, sms, remote usage etc.
So there is no way but change operator?
T-Mobile definitely uses NAT, as I have tried to SSH into my phone etc. I needed to make a listen server and dial into it from the phone.
So what you are doing needs a unique IP or UPnP support (which I doubt Android can do). But also it needs an ISP that doesn't block ports or anything.
We use Vodafone SIMs for remotely connecting to remote wind farms, as it allows incoming radmin connections.
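The quickest way to settle the "does my carrier NAT me" question raised above is a STUN Binding exchange: the server echoes back the source address and port it saw your packet come from, and if that differs from the address your own socket reports, a NAT sits in between and no inbound connection (web server, SSH, remote desktop) will reach the phone. The following added example, written for this page and not taken from the thread, builds the request, decodes the (XOR-)MAPPED-ADDRESS attribute from a reply (RFC 5389 framing) and compares the two. The reply used in the demo is constructed locally so the block runs offline; the `query` helper does the real exchange and uses a public Google STUN host purely as an example endpoint.

```python
"""STUN Binding exchange (RFC 5389): decode the (XOR-)MAPPED-ADDRESS the server
saw and compare it with the local socket address to detect carrier NAT.
Added example, not from the thread; the sample reply is constructed."""
import ipaddress
import os
import socket
import struct

MAGIC = 0x2112A442
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
ATTR_MAPPED, ATTR_XOR_MAPPED = 0x0001, 0x0020


def build_binding_request(txid: bytes = None):
    """20-byte STUN header with no attributes; returns (request, transaction_id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + txid, txid


def build_binding_response(txid: bytes, ip: str, port: int, xor: bool = True) -> bytes:
    """Server side of the exchange, used here only to construct a sample reply."""
    addr = int(ipaddress.IPv4Address(ip))
    if xor:
        attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED, 8, 0, 0x01,
                           port ^ (MAGIC >> 16), addr ^ MAGIC)
    else:
        attr = struct.pack("!HHBBHI", ATTR_MAPPED, 8, 0, 0x01, port, addr)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC) + txid + attr


def parse_binding_response(data: bytes, expected_txid: bytes):
    """Return the (ip, port) the server saw, preferring XOR-MAPPED-ADDRESS.
    Raises ValueError on a malformed reply or a transaction ID mismatch."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, length, magic = struct.unpack("!HHI", data[:8])
    if magic != MAGIC or mtype != BINDING_RESPONSE:
        raise ValueError("not a STUN Binding Response")
    if data[8:20] != expected_txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated attributes")
    found, i = {}, 0
    while i + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[i:i + 4])
        value = body[i + 4:i + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        i += 4 + ((alen + 3) & ~3)  # attribute values are padded to 32 bits
        if atype in (ATTR_MAPPED, ATTR_XOR_MAPPED) and alen >= 8 and value[1] == 0x01:
            port, addr = struct.unpack("!HI", value[2:8])  # IPv4 family only here
            if atype == ATTR_XOR_MAPPED:
                port ^= MAGIC >> 16
                addr ^= MAGIC
            found[atype] = (str(ipaddress.IPv4Address(addr)), port)
    return found.get(ATTR_XOR_MAPPED) or found.get(ATTR_MAPPED)


def is_behind_nat(local: tuple, mapped: tuple) -> bool:
    """True when the address the server saw is not the address we bound."""
    return local != mapped


def query(server: str = "stun.l.google.com", port: int = 19302, timeout: float = 3.0):
    """Live check against a public STUN server (hostname is an example; any RFC 5389
    server works). Returns (local_addr, mapped_addr)."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, port))  # connect() so getsockname() reports the real local IP
        s.send(req)
        data = s.recv(2048)
        local = s.getsockname()
    return local, parse_binding_response(data, txid)


if __name__ == "__main__":
    # Offline demo: a phone on a private carrier address, seen from outside as a public one.
    txid = b"\x01" * 12
    reply = build_binding_response(txid, "203.0.113.7", 40000)
    mapped = parse_binding_response(reply, txid)
    print("mapped:", mapped, "behind NAT:", is_behind_nat(("10.52.3.9", 40000), mapped))
```

Checking the transaction ID before trusting the reply is what keeps a forged or stale datagram from telling you the wrong thing about your own reachability; the same check is why the real `query` keeps the ID it sent.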
anon2122 said:
So what you are doing needs a unique ip or upnp support (which I doubt android can do).
I guess that no operator supports UPnP/IGD to poke holes in their NAT.
If it's only for transferring files, SwiFTP supports a proxy server that is provided by the author. SwiFTP doesn't support SSL, and I don't think that I would want to send the plain text password to my phone over the Internet.
Another possibility is a VPN from the phone to the PC or router. Then you can start a server like kWS, Android Desktop, PAW Server, I-Jetty, WebFileSystem, etc.
VPN sounds good, gonna try when I get to home.
I can get connection using vpn.
However, if there is no connection for a short time or the phone is restarted, the VPN connection goes away.
I would like it to reconnect ASAP but it isn't meant to be that way :/
Couldn't find anything to reconnect vpn.
I didn't try the built-in VPNs (Android 2.1), but it works fine with OpenVPN: even when changing from Wifi to 3G it reconnects after a few seconds. You need root for OpenVPN AFAIK. It works great with VillainROM 12 which comes with OpenVPN. There's a guide at the VillainROM forums.
Thanks got it working
Lol huge decrease to battery life, suppose you don't have any hints for that?
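The reconnect behaviour praised above, and the battery cost noted right after it, are both set by a handful of OpenVPN client directives. The fragment below is an added example written for this page, not a configuration from the thread or from VillainROM; the hostname and port are placeholders. `keepalive 10 60` expands to `ping 10` and `ping-restart 60`, so a dead link is noticed within a minute and the tunnel restarts; `persist-tun` and `persist-key` keep the tun device and keys across that restart, and `resolv-retry infinite` keeps retrying DNS while the radio is down.

```conf
# OpenVPN client: reconnect through WiFi/3G handovers (added example, placeholders)
client
dev tun
proto udp
remote vpn.example.net 1194     # placeholder; a DNS name, so a changed home IP needs only a DNS update
resolv-retry infinite           # keep retrying name resolution until the link is back
nobind
persist-key                     # do not re-read key material on restart
persist-tun                     # keep the tun device open so routes survive the restart
keepalive 10 60                 # ping every 10 s, restart after 60 s of silence
# On a battery-powered phone, each ping wakes the radio; trade failover time for
# battery with a longer interval, e.g.  keepalive 30 120
remote-cert-tls server          # refuse a server that presents a client certificate
ca ca.crt
cert client.crt
key client.key
```

The matching setting on the server side is `float`, which lets an authenticated peer keep its session after its source address changes, which is exactly what happens when the phone moves between WiFi and 3G.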

VPN Client implementation specific to application

I wanted to implement an application-specific VPN client in Android, that is, a VPN connection which once established should be available only to our application, and the rest of the apps on the Android device should make use of the normal internet connection.
To elaborate on my need more, I have an application already which connects to corporate email, files and other data from the internet normally, but for some security reason we need it to go through a tunnel within our application and access everything via the tunnel. Basically what we are looking for here is security while accessing the company corporate network.
Since we are new to something like this we don't have a hint on how to start, what protocols to use etc. (we are assuming IPsec/L2TP for now), so any information, hints or redirects to useful resources will be really helpful.
And by the way, we are just looking to send and receive data over the tunnel; there is nothing more, no need to control a computer on the network. All we need is to route data through the corporate firewall, and it should support multiple VPN servers such as Cisco, Microsoft etc. Can anyone say how complex or how feasible it is to implement this?
If your goal is just establishing a secure connection and not controlling other computers or resources on the network, how about going with SSL encryption?
You are asking about complexity, and I assume you are naive with this technology. As per my knowledge it's quite complex and may amount to something as big as your present application. Here are a few pointers you may look into: split tunneling, low-level network protocols. Feasibility of implementation depends on the size of your team and their expertise level in socket programming, and remember you're attempting to accomplish something which is already built into most OSes and more complex. One of our dev teams worked on split tunneling for months and finally gave up, since the client settled for a non-PPTP application.
__________________
Dave
Current Device: Samsung Galaxy Nexus
Fed up of bricking devices

vpn server on android mobile

Hello lads, I am interested in making an Android application that can be used as a VPN server. Any tips where I can start from? Is it possible? I have not seen any good topic about this on the net.
I just wonder why you consider an Android app as a VPN server.
Is it just a portal for a specific LAN? Or do you need a general VPN server for encrypted internet connections?
Even if you can implement basic functions of this VPN server, don't you worry about its concurrent & load capacity as a 'server'? ......
It's definitely possible but you'll likely have to root the phone first.
I turned a rooted Android phone into a VPN server by using the Linux Deploy app and UNIX tools ("busy box app"), then running CentOS on Linux Deploy. I installed SoftEther VPN Server on CentOS through SSH on the phone.
I wrote about it in a forum. If you google "Turn a flashed to verizon phone into vpn server" it will come up in the Aspkin forum and you can see me work through it.
This way is 100% free and SoftEther will tunnel straight through a firewall using port 443, unlike any paid app, so you can leave the phone hidden anywhere connected to WiFi as long as you use the SoftEther Client and the DNS host name to connect to the server. It won't work if you use an OpenVPN or L2TP/IPsec client without opening ports on the router of the WiFi connection, or the server IP address (which would be a local IP if connected to WiFi hidden somewhere).
James_Watson said:
I just wonder why you consider an Android app as a VPN server.
Is it just a portal for a specific LAN? Or do you need a general VPN server for encrypted internet connections?
Even if you can implement basic functions of this VPN server, don't you worry about its concurrent & load capacity as a 'server'? ......
Thank you for your reply. I just want to make a VPN server that uses a mobile network and accepts a connection from 1 device (concurrent or load capacity or encryption does not matter). It is a small part of my application and not for commercial use, so everything is possible, to root a device or another way to reach my goal.
