Hi,

It has been a while since I tested Nokia VPN with an S60 3.1 phone, but
back then I was able to get it to work.

In this kind of situation, there are a few steps I would do:
First I would download the latest versions of the Nokia mobile VPN  
client and the policy tool from:
http://europe.nokia.com/support/download-software/nokia-mobile-vpn

And then I would try to narrow down the problem by first trying to get
the configuration to work with simple PSK authentication. When this is
working I would go on and try to get the certs to work. Symbian phones
have been known to be a bit picky about the certs. So this way you might
be able to isolate the problem a bit and then figure out some
workaround.

Regards,
Simo

Quoting Robert Markula <[email protected]>:

> Hi,
> I'm currently banging my head against the wall in trying to get a Nokia
> E71 (Nokia VPN Client 3.1) to connect to strongswan 4.2.9. It fails with
> the following error in the Symbian VPN Client Log:
>
> Error: Failed to activate VPN access point 'VPN nokia', reason code -15
>
> As far as I can see, the tunnel is built just fine, it's just the Nokia
> that's freaking out. Sooo... maybe there is someone from the Nokia front
> here who can give me a tip in the right direction?
>
> Btw, the whole thing with the exact same certificates is working
> perfectly with the Strongswan NetworkManager Plugin.
>
> Have a nice weekend,
> Robert
>
>
> This is the serverside config I'm using:
>
> /etc/ipsec.conf:
> <snip>
> config setup
>         # charondebug="ike 2, cfg 2, knl 2, dmn 2"
>         plutostart=no
>
> ca strongswan
>         cacert=/etc/ssl/test.com/cacerts/cacert.pem
>         crluri=file://localhost/etc/ssl/test.com/crls/crl.pem
>         auto=add
>
> conn roadwarrior
>         left=%any
>         leftsubnet=192.168.0.0/24
>         leftcert=/etc/ssl/test.com/certs/vpn_cert.pem
>         [email protected]
>         right=%any
>         rightsourceip=10.38.241.0/24
>         keyexchange=ikev2
> </snip>
>
> The phone settings were done using the rather nice (German) tutorial
> from [1]. The actual settings in the "Nokia Mobile VPN Client Tool" were:
>
> <snip>
> Policy name: Home intern
> VPN gateway address: sun.dyndns.org
> IKE mode: IKEv2
> Authentication method: RSA_SIGNATURES
> Identity type:
> Remote ID type:
> Certificate:
> Private key:
> Subject DN suffix:
> RFC822NAME (FQDN):
> Key length: 1024
> Format: BIN
> Data: [cacert.pem]
> PKCS file: [nokia.p12]
> VPC file:
> </snip>
>
> [1] http://mopoinfo.vpn.uni-freiburg.de/node/80
>
> And below is the relevant output of /var/log/daemon.log (all IP
> addresses and domains are purely fictional) - for better readability
> please see http://paste.debian.net/54362/:
>
> <snip>
> Dec 18 12:10:16 sun charon: 01[JOB] spawning 16 worker threads
> Dec 18 12:10:16 sun charon: 03[CFG] received stroke: add ca 'strongswan'
> Dec 18 12:10:16 sun charon: 03[LIB]   loaded certificate file
> '/etc/ssl/test.com/cacerts/cacert.pem'
> Dec 18 12:10:16 sun charon: 03[CFG] added ca 'strongswan'
> Dec 18 12:10:16 sun charon: 03[CFG] received stroke: add connection
> 'roadwarrior'
> Dec 18 12:10:16 sun charon: 03[CFG] left nor right host is our side,
> assuming left=local
> Dec 18 12:10:16 sun charon: 03[LIB]   loaded certificate file
> '/etc/ssl/test.com/certs/vpn_cert.pem'
> Dec 18 12:10:16 sun charon: 03[CFG]   peerid sun.test.com not confirmed
> by certificate, defaulting to subject DN
> Dec 18 12:10:16 sun charon: 03[CFG] added configuration 'roadwarrior':
> %any[C=DE, ST=AB, L=Test, O=Test, OU=IT Department,
> CN=vpn.test.com]...%any[%any]
> Dec 18 12:10:16 sun charon: 03[CFG] adding virtual IP address pool
> 'roadwarrior': 10.38.241.0/24
>
> #### now the fun begins ####
>
> Dec 18 12:11:30 sun charon: 12[NET] received packet: from
> 80.xxx.xxx.xxx[13054] to 192.168.0.1[500]
> Dec 18 12:11:30 sun charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 18 12:11:30 sun charon: 12[IKE] 80.xxx.xxx.xxx is initiating an IKE_SA
> Dec 18 12:11:30 sun charon: 12[IKE] local host is behind NAT, sending
> keep alives
> Dec 18 12:11:30 sun charon: 12[IKE] remote host is behind NAT
> Dec 18 12:11:30 sun charon: 12[IKE] sending cert request for "C=DE,
> ST=AB, L=Test, O=Test, OU=IT Department, CN=ca.test.com"
> Dec 18 12:11:30 sun charon: 12[ENC] generating IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Dec 18 12:11:30 sun charon: 12[NET] sending packet: from
> 192.168.0.1[500] to 80.xxx.xxx.xxx[13054]
> Dec 18 12:11:31 sun charon: 13[NET] received packet: from
> 80.xxx.xxx.xxx[41035] to 192.168.0.1[4500]
> Dec 18 12:11:31 sun charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT
> N(INIT_CONTACT) CERTREQ AUTH CP SA TSi TSr ]
> Dec 18 12:11:31 sun charon: 13[IKE] received cert request for "C=DE,
> ST=AB, L=Test, O=Test, OU=IT Department, CN=vpn.test.com"
> Dec 18 12:11:31 sun charon: 13[IKE] received end entity cert "C=DE,
> ST=AB, L=Test, O=Test, OU=IT Department, [email protected]"
> Dec 18 12:11:31 sun charon: 13[CFG]   using certificate "C=DE, ST=AB,
> L=Test, O=Test, OU=IT Department, [email protected]"
> Dec 18 12:11:31 sun charon: 13[CFG]   using trusted ca certificate
> "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=ca.test.com"
> Dec 18 12:11:31 sun charon: 13[CFG] checking certificate status of
> "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, [email protected]"
> Dec 18 12:11:31 sun charon: 13[CFG]   fetching crl from
> 'file://localhost/etc/ssl/test.com/crls/crl.pem' ...
> Dec 18 12:11:31 sun charon: 13[LIB] L0 - certificateList: ASN1 tag 0x30
> expected, but is 0x2d
> Dec 18 12:11:31 sun charon: 13[LIB] failed to create a builder for
> credential type CRED_CERTIFICATE, subtype (2)
> Dec 18 12:11:31 sun charon: 13[CFG] crl fetched successfully but parsing
> failed
> Dec 18 12:11:31 sun charon: 13[CFG] certificate status is not available
> Dec 18 12:11:31 sun charon: 13[IKE] authentication of 'C=DE, ST=AB,
> L=Test, O=Test, OU=IT Department, [email protected]' with RSA signature
> successful
> Dec 18 12:11:31 sun charon: 13[CFG] found matching peer config
> "roadwarrior": C=DE, ST=AB, L=Test, O=Test, OU=IT Department,
> CN=vpn.test.com...%any with prio 2.2
> Dec 18 12:11:31 sun charon: 13[IKE] authentication of 'C=DE, ST=AB,
> L=Test, O=Test, OU=IT Department, CN=vpn.test.com' (myself) with RSA
> signature successful
> Dec 18 12:11:31 sun charon: 13[IKE] scheduling reauthentication in 10217s
> Dec 18 12:11:31 sun charon: 13[IKE] maximum IKE_SA lifetime 10757s
> Dec 18 12:11:31 sun charon: 13[IKE] IKE_SA roadwarrior[1] established
> between 192.168.0.1[C=DE, ST=AB, L=Test, O=Test, OU=IT Department,
> CN=vpn.test.com]...80.xxx.xxx.xxx[C=DE, ST=AB, L=Test, O=Test, OU=IT
> Department, [email protected]]
> Dec 18 12:11:31 sun charon: 13[IKE] peer requested virtual IP %any
> Dec 18 12:11:31 sun charon: 13[IKE] assigning virtual IP 10.38.241.1 to peer
> Dec 18 12:11:31 sun charon: 13[IKE] CHILD_SA roadwarrior{1} established
> with SPIs c7347aae_i 27c296e8_o and TS 192.168.0.0/24 === 10.38.241.1/32
> Dec 18 12:11:31 sun charon: 13[ENC] generating IKE_AUTH response 1 [ IDr
> AUTH CP SA TSi TSr N(AUTH_LFT) ]
> Dec 18 12:11:31 sun charon: 13[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> Dec 18 12:11:51 sun charon: 15[IKE] sending keep alive
> Dec 18 12:11:51 sun charon: 15[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> Dec 18 12:12:11 sun charon: 17[IKE] sending keep alive
> Dec 18 12:12:11 sun charon: 17[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> Dec 18 12:12:31 sun charon: 08[IKE] sending keep alive
> Dec 18 12:12:31 sun charon: 08[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> Dec 18 12:12:51 sun charon: 09[IKE] sending keep alive
> Dec 18 12:12:51 sun charon: 09[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> Dec 18 12:13:11 sun charon: 10[IKE] sending keep alive
> Dec 18 12:13:11 sun charon: 10[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> Dec 18 12:13:31 sun charon: 11[IKE] sending keep alive
> Dec 18 12:13:31 sun charon: 11[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> Dec 18 12:13:51 sun charon: 12[IKE] sending keep alive
> Dec 18 12:13:51 sun charon: 12[NET] sending packet: from
> 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
> </snip>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
>
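An added example, not part of the original thread: in the quoted log the CRL parser reports "ASN1 tag 0x30 expected, but is 0x2d"; 0x2d is ASCII '-', the first byte of PEM armor, while 0x30 is the DER SEQUENCE tag, and the peer is then authenticated with "certificate status is not available". The Python below classifies a CRL blob by its first byte, extracts the DER body from PEM armor, and flags that log pattern; the function names and all sample data are constructed for illustration.

```python
import base64
import re

PEM_CRL = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.+?)\s*-----END X509 CRL-----", re.DOTALL)

def crl_encoding(data: bytes) -> str:
    """Classify a CRL blob by its first byte, as an ASN.1 parser sees it."""
    if data[:1] == b"\x30":      # DER: outer CertificateList SEQUENCE tag
        return "der"
    if data[:1] == b"\x2d":      # '-': start of '-----BEGIN ...' PEM armor
        return "pem"
    return "unknown"

def pem_crl_to_der(data: bytes) -> bytes:
    """Strip the PEM armor and return the DER bytes inside it."""
    m = PEM_CRL.search(data)
    if m is None:
        raise ValueError("no X509 CRL PEM block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if crl_encoding(der) != "der":
        raise ValueError("PEM body does not start with an ASN.1 SEQUENCE")
    return der

def revocation_unchecked(log_lines) -> bool:
    """True if a peer authenticated after the CRL could not be parsed."""
    crl_failed = False
    for line in log_lines:
        if "crl fetched successfully but parsing failed" in line:
            crl_failed = True
        elif (crl_failed and "authentication of" in line
              and "(myself)" not in line and line.endswith("successful")):
            return True
    return False

# Constructed sample: SEQUENCE { INTEGER 1 }, a stand-in blob, not a real CRL.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")
# Constructed log lines modelled on the charon messages quoted above.
SAMPLE_LOG = [
    "13[CFG] crl fetched successfully but parsing failed",
    "13[CFG] certificate status is not available",
    "13[IKE] authentication of 'CN=peer.example' with RSA signature successful",
]

if __name__ == "__main__":
    print(crl_encoding(SAMPLE_PEM), crl_encoding(pem_crl_to_der(SAMPLE_PEM)))
    print("revocation unchecked:", revocation_unchecked(SAMPLE_LOG))
```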


