It seems that the only Cisco products that Nokia officially supports are the Cisco VPN 3000 Series Concentrators. However, with a little help from Nokia I did succeed in making Nokia VPN client work with PIX 6.3(5). So I decided to post some instructions.
In PIX I used a simple configuration with pre-shared keys, DES, MD5 and Diffie-Hellman group 2, but Nokia's client also supports the alternatives (3DES, AES, SHA-1, 1536-bit groups, NAT-Traversal etc.).
The hard part is the phone and the hardest part was finding how you should begin. Basically you'll need:
- Nokia Communicator 9500/9300(i)
- Nokia PC Suite program for your Communicator (usually comes with the phone)
- Nokia VPN Client for your Communicator (downloadable from Nokia's pages)
- MAKESIS.EXE - a command line program for creating Symbian Software Installation (SIS) files. I don't know how you can get this easily. I had to download a 127 MB Symbian SDK from http://www.forum.nokia.com to get this program (size about 300 kB).
- a text editor like Notepad
Then you create three text files (below), put them in the same folder as MAKESIS.EXE, run
makesis VPN-policy-preshared-Cisco.pkg
to create the SIS installation package and install the package into your phone. Finally you create a new VPN Access Point in your phone, select the VPN policy you just installed to the new VPN Access Point and you are ready.
The contents of the files you can see below. Note that you must edit the .pol file to match the configuration of your PIX. I have added comments to the .pol file and marked them with a star (*). Remove the comments.
--- VPN-policy-preshared-Cisco.pin
[POLICYNAME]
VPN Policy
[POLICYDESCRIPTION]
VPN-policy-preshared-cisco.pol for Nokia Mobile VPN Client v3.0.
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit
--- VPN-policy-preshared-Cisco.pol
SECURITY_FILE_VERSION: 3
[INFO]
VPN-policy-preshared-cisco.pol for Nokia Mobile VPN Client v3.0.
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 12                  * 2=DES, 3=3DES, 12=AES
max_encrypt_bits 256            * needed only for AES, remove if not
auth_alg 3                      * 2=MD5, 3=SHA-1
identity_remote 0.0.0.0/0       * remote network
pfs                             * can be removed if PFS is not in use
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(123.45.67.89) }   * remote network and address of the PIX
inbound = { }
outbound = { }
[IKE]
ADDR: 123.45.67.89 255.255.255.255   * PIX
MODE: Aggressive                * other is MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 11                     * do not touch
FQDN: PreSharedGroup            * name of the vpngroup
GROUP_DESCRIPTION_II: MODP_1536 * for DH group 2 use 1024
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE            * do not touch
ESP_UDP_PORT: 0                 * do not touch
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE                 * true or false
USE_MODE_CFG: TRUE              * true or false
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC             * I used DES-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536    * for DH group 2 use 1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 8 password                 * the number is the length of the password
--- VPN-policy-preshared-Cisco.pkg
;
; A VPN POLICY PACKAGE
;

; LANGUAGES
; - None (English only by default)

; INSTALLATION HEADER
; - Only one component name is needed to support English only
; - UID is the UID of the VPN Policy Installer application
#{"VPN Policy"},(0x1000597E),1,0,0,TYPE = SISCONFIG

; Policy-information file
; - NOTE: The policy-information file MUST be the last file in this
;   list!
; - FM (FILEMIME) passes the file to the respective MIME handler
;   (in this case, the VPN Policy Installer
;   application).
"VPN-policy-preshared-Cisco.pin"-"C:\System\Data\Security\Install\VPN-policy-preshared-Cisco.pin", FM, "application/x-ipsec-policy-info"
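Added example, not part of the original post and not Nokia's code: a small pre-packaging check for the [IKE] section of a .pol file like the one above. It reports leftover '*' comments, a KEY length prefix that does not match the key, and the weaker settings the post mentions (single DES, MD5, a 1024-bit DH group, Aggressive mode with a pre-shared key). The finding codes, the cut-down sample and the value spellings MD5 and MODP_1024 are assumptions.

```python
import re

# Constructed sample: a cut-down [IKE] section using field names from the post.
TEMPLATE = """[IKE]
MODE: {mode}
ENC_ALG: {enc}
AUTH_METHOD: PRE-SHARED
HASH_ALG: {hash}
GROUP_DESCRIPTION: {group}
KEY: {key}
"""
AS_POSTED = TEMPLATE.format(mode="Aggressive", enc="AES256-CBC", hash="SHA1",
                            group="MODP_1536", key="8 password")
# Assumed spellings for the weaker PIX settings the post mentions (MD5, MODP_1024).
WEAK = TEMPLATE.format(mode="Aggressive", enc="DES-CBC", hash="MD5",
                       group="MODP_1024", key="9 password")

def parse_ike(pol_text):
    """Return KEY: VALUE pairs of the [IKE] section, '*' comments stripped."""
    fields, in_ike = {}, False
    for raw in pol_text.splitlines():
        line = raw.split(" *", 1)[0].strip()
        if line.startswith("["):
            in_ike = line == "[IKE]"
        elif in_ike and ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields

def audit(pol_text):
    """Return a list of finding codes for one policy file."""
    f, out = parse_ike(pol_text), []
    if re.search(r"\s\*\s", pol_text):
        out.append("comment-left")      # the post says to remove '*' comments
    if f.get("ENC_ALG", "").startswith("DES"):
        out.append("weak-enc")          # single DES (3DES-CBC does not match)
    if f.get("HASH_ALG") == "MD5":
        out.append("weak-hash")
    groups = [f.get(k, "") for k in ("GROUP_DESCRIPTION", "GROUP_DESCRIPTION_II")]
    if any(m and int(m.group(1)) <= 1024
           for m in (re.fullmatch(r"MODP_(\d+)", g) for g in groups)):
        out.append("weak-dh")
    if f.get("MODE", "").lower() == "aggressive" and f.get("AUTH_METHOD") == "PRE-SHARED":
        out.append("aggressive-psk")    # key hash is exposed to offline guessing
    if "KEY" in f:
        length, _, key = f["KEY"].partition(" ")
        if not length.isdigit() or int(length) != len(key):
            out.append("key-length")    # prefix must equal the key's length
    return out

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("weak", WEAK)):
        print(name, audit(text))
```

A pre-shared key that itself contains " *" would be cut short by the comment stripping, so run the check on the file as it will be packaged, with the comments already removed.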
Thank you for the good description! I have some questions. You are saying that "However with a little help from Nokia I did succeed in making Nokia VPN client work with PIX 6.3(5)."
Sorry, I am not so familiar with this.
What is this PIX 6.3(5)? Is it: a) software installed on a computer; b) network hardware to connect a computer; c) some kind of firmware version for Cisco hardware.
I have checked on the Internet and it looks like "Pix 6.3(5)" is a firmware version for some Cisco hardware, like PIX Firewall Models 501, 506E, 515/515E, 520, 525, 535. So, I guess the right answer is "C".
Am I right on that? Does it mean that in order to use the solution described above on the Nokia phone, the user will need to have special network hardware, a Cisco Pix Firewall, to be exact?
Where can I buy that hardware and what is the probable minimal price tag? I have visited the Cisco website; they don't have prices and offer to fill out some forms for a price quote.