Database Users

VPN Client For Cisco Concentrator

While I was looking for a *working* VPN client solution to work with a Cisco concentrator, I found a couple of potential solutions:
1. Bluefire VPN client (http://www.bluefiresecurity.com/)
2. AnthaVPN (http://www.anthavpn.com/webmaker/portal/wmlink_360)
Both claim to work with the Cisco concentrator (3000 series to be precise). Before I go ahead and install either/both on my MDA Pro (with Imate ROM), I was wondering if anyone had any good/bad things to say about the software?
Any help would be appreciated.

here's an update:
I went ahead and installed the BlueFire VPN client. In general, the installation was a breeze. The UI is also nice and elegant. The configuration isn't too obtruse, either, except I can't get it to work with my Cisco concentrator! It would authenticate with the server fine, but would always choke on "IKE phase 2", which I think is when the client and server negotiate on the IPSec security association (SA) parameters.
I've tried several combination of IPSec configuration on both client and server to no avail. The server throws the following error on every login attempt:
39019 03/29/2006 14:04:59.840 SEV=4 IKE/0 RPT=575 192.168.51.120
Group [***obfuscated***] User [***obfuscated***]
All IPSec SA proposals found unacceptable!
Anyone got any suggestions on how to get around this?

rukna said:
here's an update:
I went ahead and installed the BlueFire VPN client. In general, the installation was a breeze. The UI is also nice and elegant. The configuration isn't too obtruse, either, except I can't get it to work with my Cisco concentrator! It would authenticate with the server fine, but would always choke on "IKE phase 2", which I think is when the client and server negotiate on the IPSec security association (SA) parameters.
I've tried several combination of IPSec configuration on both client and server to no avail. The server throws the following error on every login attempt:
39019 03/29/2006 14:04:59.840 SEV=4 IKE/0 RPT=575 192.168.51.120
Group [***obfuscated***] User [***obfuscated***]
All IPSec SA proposals found unacceptable!
Anyone got any suggestions on how to get around this?
Click to expand...
Click to collapse
Did you uncheck PFS (Perfect forward secrecy) flag ? I can connect with this flag unchecked and compression algorithm=none

rukna said:
here's an update:
I went ahead and installed the BlueFire VPN client. In general, the installation was a breeze. The UI is also nice and elegant. The configuration isn't too obtruse, either, except I can't get it to work with my Cisco concentrator! It would authenticate with the server fine, but would always choke on "IKE phase 2", which I think is when the client and server negotiate on the IPSec security association (SA) parameters.
I've tried several combination of IPSec configuration on both client and server to no avail. The server throws the following error on every login attempt:
39019 03/29/2006 14:04:59.840 SEV=4 IKE/0 RPT=575 192.168.51.120
Group [***obfuscated***] User [***obfuscated***]
All IPSec SA proposals found unacceptable!
Anyone got any suggestions on how to get around this?
Click to expand...
Click to collapse
Did you uncheck PFS (Perfect forward secrecy) flag ? I can connect with this flag unchecked and compression algorithm=none

Did you try the VPN client from APANI
There is a trial version for CISCO VPN 3000 Series for PDA and Mac
http://www.apani.com/vpnclients.html

italos said:
Did you uncheck PFS (Perfect forward secrecy) flag ? I can connect with this flag unchecked and compression algorithm=none
Click to expand...
Click to collapse
I tried that already, didn't work. It may just be issues with the configuration on the concentrator. I'm going to play with it this weekend to see if I get anywhere. Thanks for the reply, nonetheless.

pierrelp1 said:
Did you try the VPN client from APANI
There is a trial version for CISCO VPN 3000 Series for PDA and Mac
http://www.apani.com/vpnclients.html
Click to expand...
Click to collapse
I filled out an eval request yesterday with Apani and got the instructions to download the client this morning. I'll install it over the weekend to see if it works "out of the box". Thanks for the suggestion, dude!

It appears that Apani doesn't really support the universal. Got the following from one of their support reps. Back to the drawing board, I guess.
The Client does not support the use of Windows Mobile 5. We currently
support Windows Mobile 2003 only.
Sincerely,
Janet
Apani Networks
[email protected]
714-674-1700
Click to expand...
Click to collapse

Bluefire VPN
be careful when installing Bluefire... It is a mess if you install it on the SD card..
it's a nuisance to uninstall it... all advice i got from "Bluefire support" was to try a hard reset.... most helpfull
(apparently this problem is well explained in their "product documentation"... but no solution has been found.. yet

NCP Secure Entry Client works
Have a working environment against a CISCO-PIX with NCP
http://www.ncp.de/english/services/testsoftware/index_entry.html
=) Georg

I got the BlueFire client to work finally! I had to enable the PFS (Perfect Forward Secracy) on the concentrator along with the encryption set to 1024 bits on my group profile.
After I got past that, I got the DirectPush client to work with my exchange server! Now I can confidently say this phone has been worth it for me!

OpenVPN
FYI - I just came across this openVPN port for windows mobile and thought it might be of interest for some of you guys:
http://www.ziggurat29.com/OVPNPPCAlpha/OVPNPPCAlpha.htm
Its still in the alpha stage and is continually being worked on by the author, David G. Lemley, III

I am in the same boat - need to use IPsec VPN to connect to our corporate Exchange server.
I am testing BlueFire 2.3.0 client for more than a week now. Overall it is very good - it does its job done. But after running it extensively for a week I discovered several issues with it, mostly cosmetic, but they are really annoying. Especially, if you want to have Direct Push. Those issues are:
1. "Save credentials for auto-reauthentication" does not work - you have to enter your password every time you connect.
2. It does not reconnect on its own, if it looses the connection (i.e. EDGE/GPRS goes down temporarily)
3. Detection of disconnect is not very reliable - sometimes when you loose signal and GPRS connection wants to disconnect, it cannot do it because of VPN still thinks it is connected and prevents GPRS from reconnecting.
4. Extensive use of on-screen push-buttons instead of soft-keys. And soft-keys are mapped to rarely used functions, like About - poor interface design. It woldn't be so bad, if the VPN client was not requiring user interaction to reconnect and authenticate...
5. After several minutes of standby, it brings its window on top of Today screen, kinda like letting user know that he better check his tunnel/connection, because it could be already disconnected... In most cases it is not true, because the unit wakes half the way up every several minutes to check email or sent a heat-beat packet, which keeps connection up (this only applies to GPRS/EDGE connection and not WiFi, unfortunatelly). But sometimes the VPN tunnel becomes dead, and you have to click "Disconnect", "Connect" and enter your password again.
Ok, that is my impression about BlueFire VPN client. Now the question is - is there any better IPsec client for PPC (WM5), which allows you to have Direct Push email over IPsec all day long without your intervention to check the connection status and reconnect manually?
Thanks for your time.

Im also trying to connect to our corporate network using a vpn client.
with my laptop i usually do this with the cisco vpn client and a very simple configuration.
My target is doing the same with the universal.
I tried Bluefire VPN, and AnthaVPN.
Eventhough i tried a lot of times, i couldn't make a connection with bluefire
With Antha, the results were better. I could connect , but after installing it, wifi stop working, and the active sync, sometimes doesnt recognize the device ( i saw in this forum somebody with exactly the same problem).
Is there anybody that use Antha in Universal without problems?
I checked the official web of Antha, and universal is not supported.
Do you know any other vpn software that works with Cisco?
Thanks

VPN - CISCO

Hello : I have in my laptop a cisco vpn client. Is the only way to read my outlook exchange mail.
I have a token
http://www.dealtime.com/xPO-RSA_Security_100PK_RSA_SID_700_HW that i had to use the code with my password to get into my work network.
Ok the question is : Which aplication can do this in wm5 , like i do in my laptop with vpn cisco client.
Thnks a Lot
Luis,

i need exactly the same.
I tried AnthaVPN and Bluefire. Both claim to work with cisco concentrators.
With Bluefire i couldnt get it, but i saw in this forum people that made it work.
I think it depends on the configuration of the concentrator..so maybe you can try it.
About Antha, i could made it work, but made my wifi stop working, and i got some problems with active sync...
So for now...not very good news.

Try NCP Secure Entry Client:
http://www.ncp.de/english/services/testsoftware/index.html
Had similar problems with Antha (wireless could not be turned off any more), NCP works with our CISCOs in wireless and UMTS-dialup mode.
=) Georg

VPN Authentication Question

Does anyone know:
Is it possible to do Group Authentication with the built-in VPN client? My work network uses a Cisco VPN and I've managed to extract out of our IT department the Group name and Password but I can't figure out how to enter this onto the Exec - it offers me "A certificate on this device" or "A pre-shared key" and entering the password into the pre-shared key doesn't seem to work. Our IT department tells me that the Exec is unsupported and won't give me any help so anyone out there know how to do this?
If it's not possible, anyone recommend a good VPN client for connecting to a Cisco VPN?
Thanks
G

Anybody?
My work uses group authentication also. Does anyone know a good vpn client that will work with group authentication?

There is a Cisco ICA/Xen/client for ARM PDA here: http://www.citrix.com/English/ss/downloads/details.asp?downloadId=3607&productId=186#top
Is this what you are looking for?

interesting..
I didn't know there was a citrix client for WM. My work also uses citrix. The only problem is in order to connect with the citrix client I must have a VPN tunnel first . My work uses Cisco VPN Group Authentication. I have not yet found a VPN client for WM that will allow Cisco group authentication. If anyone knows of one, PLEASE let me know.
Thanks wovens for the citrix client. That will be neat to try if I can ever get a VPN tunnel setup.

FOUND IT!
I finally found a VPN client that will work with Cisco group authentication. It is Bluefire Mobile Security VPN. One thing I found is that after you connect you must press the END key to get out of the client because pressing the x will kill the client. Works Great!
The only problem is the company went out of business (http://www.bluefiresecurity.com). I was able to find the .cab, but not sure if it is against forum rules to post it... Can a mod please inform me, thx.

Does your company use Cisco SSL Vpn by chance? It's the way Cisco is leaning as is with less support for the ipsec since they can make more money off of licensing.
Anyhow if your company does use SSL VPN, Cisco's anyconnect client supports Windows mobile. I have been using it and it works good for what I use it for (primarily SSH, but for kicks I tried remote desktop and it worked good too).

McGeezy said:
I finally found a VPN client that will work with Cisco group authentication. It is Bluefire Mobile Security VPN. One thing I found is that after you connect you must press the END key to get out of the client because pressing the x will kill the client. Works Great!
The only problem is the company went out of business (http://www.bluefiresecurity.com). I was able to find the .cab, but not sure if it is against forum rules to post it... Can a mod please inform me, thx.
Click to expand...
Click to collapse
this website of "bluefiresecurity.com can not the opened. would u pls post it here with the cab file? thanks a lot.

BlueFire VPN Client
http://rapidshare.com/files/8640811....5.706.XScale.WM5.WM6.Regged.DIRFIX-DVTPDA.ra
There are a lot of files, rar files within zip files, but the cab for the vpn client is there, name: MobileVPN.27.5.706.ARM.PPC.Client.cab

vpn client?

hey guys,
am trying to connect to my office's VPN with my vario II. the default software provided does not seem sufficient. for one, i have one of those security key ring things which means my password changes every time i want to connect.
my pc uses cisco's vpn client...
any ideas? right now i'm just synching my exchange server with my pda using activesync, but wouldnt' midn having it on the go! there's no "external" access as such for the exchange server - it does have a web front end but its highly customized and isn't as easy as just configuring it as an external data source on my pda...

This one works perfect for me..
http://www.ncp.de/english/download/testsoftware/index.html

We use AnthaVPN at my university and it's supposed to work quite well with Cisco concentrator gateways, but be warned, if you have the latest 3.3 aku, you might run into problems like I did regarding loosing 3g internet connectivity on your hermes. However it could have just been a fluke as I didn't bother trying a fresh install of antha after a hard reset or anything since 3g is just as fast as my universities wireless internet anyways
Hope this helps

You can also try Bluefire. They have a 30 day fully functional trial version.
Find out more Here

Applestar said:
http://www.ncp.de/english/download/testsoftware/index.html
Click to expand...
Click to collapse
I have installed this but can't see any way of configuring the VPN connection. How did you configure it?

You have to use the PC client in order to create a configuration file and then transfer the file to your device

duh!
thanks!

bluefire is amazing. i bought it.

I came close to getting bluefire to work on our Cisco network... But once connected it would not transfer data.
I read on a seperate post here that alledgely the medianet unlimited plan uses the wap.cingular access point. That point is NAT based and some vpn clients do not like that... So they refuse the connection based on changing ip addresses.
I am not a networking expert so I do not know if this is in fact the case.
I do know I tried every freakin setting for bluefile and could not get a vpn tunnel from my phone to our Cisco vpn... So I gave up!

NCP
Could I get more specific infos about bluefire? They wanted a 5 page survey before they would send me a (business) trial.
Well, NCP Secure Entry VPN Client works perfect for me with Lancom and other standard firewalls. And yes, configuration is made with a Win XP Desktop Application. Nice about this: They got a Desktop VPN client as well which will be configured exactly the same way. So if you got a working setting for your Laptop you can manually copy the settings and they will work on the PPC as well - thats what I did.

Connect to schoolNetwork

Hi, I am from Sweden and this is my first post here at XDA.
I got a HTC p3600, it´s upgraded to WM 6.5 and it works awesome.
Now the problem. The WLAN works great at home and other open networks/ if i got the key.
In my school we got WLAN but i can´t connect to it. I find it in the WLAN-list but there it ends. My friend with an Iphone just select the network and then he can insert his username and password, and woila! He´s in.
When i try to connect the server wants a "Certifikat" in swedish. I have tried to do a "Domain enroll" to get it But it always fail.
I think they use Windows Server 2003.
Does anybody understand my bad language? If you wanna know any more, just tell me.

Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I`m sure it`s not a windows server but a cisco concentrator that let`s You access wlan and it seems there is no free client that can communicate correctly with cisco hardware for winmobile. Iphones have a vpn client directly from cisco integrated and can pass without problems. Try to ask Your computer center what concentrator they use and if they know of a client that supports winmobile.
Some forums mention a registry hack that deactivates certificate authentication but just setting it didn`t help. We`re still trying if this might work in conjunction with a locally installed certificate. Try to get the root certificate of Your CA and import it to Your device. Might help. Somehow they screwed up PEAP on mobile clients cause it`s supposed to work without local certificates but alas...

FlyBy_1 said:
Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I`m sure it`s not a windows server but a cisco concentrator that let`s You access wlan and it seems there is no free client that can communicate correctly with cisco hardware for winmobile. Iphones have a vpn client directly from cisco integrated and can pass without problems. Try to ask Your computer center what concentrator they use and if they know of a client that supports winmobile.
Some forums mention a registry hack that deactivates certificate authentication but just setting it didn`t help. We`re still trying if this might work in conjunction with a locally installed certificate. Try to get the root certificate of Your CA and import it to Your device. Might help. Somehow they screwed up PEAP on mobile clients cause it`s supposed to work without local certificates but alas...
Click to expand...
Click to collapse
Thanks for the answer!
Would it be possible to to install some kind of program from cisco to make it work?

Unfortunately Cisco doesn`t do any winmo clients, they licensed it to other companies. Tried with Root CA yesterday but that didn`t work, maybe we need a valid client cert too. Have to get a personal one from our uni CA the days.

Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.

Thanks for the suggestion. I tried with various clients, none of them worked, securew2 was among them. But maybe it works with fiddyboy.
A page mentioned some older hardware may not cope with mixed wpa modes, maybe P3600 is among them but I really don`t think so...

MAsterokki said:
Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.
Click to expand...
Click to collapse
I am downloading now, will test it tomorrow. Thanks!
Edit: I am not getting it to work. Can someone help me with the settings?

I am sorry, but I don't know what settings to use in your specific case... These settings should be made available by your school or company, most of the time the settings for laptops will give enough information too

which rom do you use to upgrade to windows mobile 6.5

Finally got it to work. We have different WLANs here at our university. I had no luck connecting to our VPN-network so I tried our eduroam WLAN. Eduroam is a roaming network for educational purposes. If You have a login from Your uni/school/whatever You should be able to access the internet from any eduroam network worldwide.
As You said You were asked for a certificate I think Your network relies on the same technologies as ours because I had the same error before. Following explanation:
Our eduroam RADIUS server is certified.
This means our uni gave it a certificate. Our uni was certified by and got a certificate from the DFN (german research net). The DFN was certified by and got a certificate from the german Telekom.
This is called a certificate chain with the DFN as intermediary and Telekom as root certificate authority.
What I had to do is import just the root certificate (from Telekom) to my mobile device by downloading it from our unis webpage, transferring it to the Trinity and just click on it. It confirmed installation and the root ca is listed under the Settings>System>Certificates>Root.
Edit : Normal certs are with *.crt ending. MinMo wants *.cer-files. If You only can get Your hands on *.crt import them into Your PC browser, export from there with DER-encoding and rename *.der to *.cer. That`s it.
Our eduroam RADIUS server authentication is via PEAP.
So I configured the network connection like this:
connects to : internet
authentication : wpa2
data encryption : aes
eap type : PEAP
Connect. When prompted put in Your uni account credentials.
This worked on WinMo 6.1 and 6.5 Without the ValidateServerCert reghack or any other other special program.
WinMo5 failed! Also tried the ValidateServerCert reghack but it`s of no use. Think it`s because WM5 has no wpa2-aes support. If Your RADIUS allows wpa and tkip it may work.
Maybe if this doesn`t work Your server it uses something other than wpa2 or aes. Try different options. Maybe it`s not using PEAP. Ask Your admin but try with a certificate first.
The strange thing is that PEAP was used to avoid handling of certificates; it`s especially there to NOT have to fiddle with them. Anyway, this works here, hope this is the solution for Your location...

you should just buy a protable harddrive or a flash drive and transfer your files onto that and then onto your computer.

Hi, I have same problem, trying to use eduroam on CTU, my Notebook/Laptop WiFi work ok, but I can't connect with TD2 Topaz. I have instaled required certificate, but in options I have no way to set concrete RADIUS server to connect (which is required to be specified in settings on Notebook). Any ideas please? I Also installed securew2, but I can't add Cesnet CA in securew2 options, even it is installed in system (I is present in setings-certificates in WM).

When You have WinMo 6.1 You shouldn`t need securew2 and there is no need to explicitly set RADIUS IP. Have You tried eap-type : PEAP ? What`s the error message if any ?