Suggested Reading
The following articles may also be of interest
- Connecting to the office securely from a Windows Mobile PDA
- Microsoft to shut down Windows Marketplace and My Phone Service for Windows Mobile 6.x
- Setting a Windows Mobile Pocket PC device to 2G only mode
- Performing a manual roam on Windows Mobile Smartphone
- Performing a manual roam on Windows Mobile Pocket PC
Keywords
Articles
Click on a title link below to expand or collapse a section. Double click a title link to follow it. Access the Blog.
Popular Articles
Today's:
All time:
Last viewed:
- Installing the Huawei E367 USB 3G Modem on Windows
- Texdro for Android - send SMS messages from your desktop
- Motorola ET1 Enterprise Tablet
- New Maintenance Releases available for BlackBerry Enterprise Server
- Installing the Sierra Wireless AirCard 319U on Windows
- Configuring the Huawei E5832 / E5830 (iMo)
Popular Downloads
Configuring VPN access from Windows Mobile 6 to Windows Server 2003 / 2008
Windows Mobile 6 devices have an L2TP/IPSec-capable VPN client as part of the WM6 operating system that can natively connect to the Routing and Remote Access Service on Windows Server 2003 to provide a secure connection to a corporate LAN.
There are a number of factors to be aware of when configuring VPN connections from mobile devices.
Network Address Translation (NAT)
Mobile devices are typically assigned private, or 'non-routable', IP addresses by the mobile network operator when they connect to the Internet, with the MNO performing NAT at the GGSN: the gateway node between the mobile network and the Internet.
IPSec-based VPN connections are not able to traverse a NAT gateway as the act of changing the packet's source address makes the checksum calculated from the original IP header no longer match the new header. The VPN server therefore assumes that the packet has been tampered with in some way (which of course, it has been) and discards it, causing the client to not be authenticated.
This is only a problem if an Authentication Header is being used to create the IPSec packet. L2TP VPN connections do not suffer from this, but are correspondingly less secure.
One method of getting past this issue of 'NAT Traversal' whilst still employing IPSec, is to create the IPSec packet header using UDP rather than TCP: UDP packet headers not having a source address, only a destination header. This does require that both the VPN client and the VPN server support 'NAT-T'. Both WM6 and Server 2003 support NAT Traversal.
Some mobile network operators do provide specific access points for users wishing to establish VPN connections from their mobile devices. These access points provide client devices with public, or routable, IP addresses meaning that no NAT is being performed, thus enabling IPSec to function properly. The ability to access these VPN access points requires that the service be activated on the SIM.
Addressing scheme
It is also important to know the IP address range that your mobile devices will be assigned by the mobile network operator. Typically MNOs assign addresses in the range 10.x.x.x or 172.16.x.x
If this address range is also the range that is being used by the VPN server to allocate addresses to connected clients, then the client will connect to the VPN, but will then not be able to route data correctly. Therefore the addressing scheme used by the VPN server needs to be different.
Firewalls
In order to connect to the VPN server, the following ports will need to be open on any firewalls between the VPN server and the Internet:
UDP 500 (IKE) UDP 4500 (ISAKMP)
Configuring Windows Server 2003
Add the Routing and Remote Access role within the Server Manager if not installed already, and select the option to install VPN access with NAT.
Launch the Routing and Remote Access MMC snap-in. Right click on the entry for the server and select Properties. Click on the Security tab:
Tick the option to Allow custom IPSec policy for L2TP connection and enter a pre-shared key.
A DHCP server will need to be available in order to assign IP addresses to connecting VPN clients (unless you are using static addresses on your clients). The DHCP service can be installed on the VPN server itself. Within the MMC snap-in configure the address of the DHCP Relay Agent, this can be the localhost address if DHCP is running locally.
Within the NAT section, open the properties of the network interface that is acting as the VPN adapter. Click on the Services and Ports tab:
If your client device is connecting from behind a NAT gateway, then ensure that the option to use IP Security (IKE NAT Traversal) is enabled.
Finally, within the properties of the user account itself within Active Directory, enable VPN access on the Dial In tab.
Configuring the Windows Mobile 6 client
NOTE - the client will need a connection to the Internet in order to be able to access the VPN server, this guide assumes you have configured this correctly already.
Tap on Start and select Settings
Tap on the Connections tab at the bottom of the screen
Tap on the Connections icon
In the My Work Network section, tap on the option to Add a new VPN server connection
Enter a name for the connection and select L2TP/IPSec as the protocol
Enter the external DNS name or IP address of the VPN server
Select the option to use a pre-shared key and enter the same key that you entered on the Server 2003 machine
Tap Finish
If all has gone according to plan, you should now be able to connect to the VPN server:
Printer-friendly version- 25423 reads
- Stumble
PDF version
Twitter Feed
| BlackBerry Technical Solution Center - New Features of BlackBerry Internet Service 4.1 - http://t.co/cGVnn9Uh | 0 sec ago |
| Introducing the Option Icon XYfi: the world's smallest personal hotspot - http://t.co/Qp8CYGW3 | 10 hours 1 min ago |
| Microsoft Exchange Blog - Exchange ActiveSync client connectivity in Office 365 - http://t.co/RIoCy0qU | 11 hours 26 min ago |
| ZTE Tania User Guide added to the File Library - http://t.co/LVLt8rSo Direct Link - https://t.co/9S0f0aiM | 11 hours 36 min ago |
| Inside Windows Live - Connect your Android device to SkyDrive with OneNote and other apps - http://t.co/p5S1J89S | 15 hours 5 min ago |
| Inside BlackBerry - Groupon app for BlackBerry Smartphones and BlackBerry PlayBook - http://t.co/cD6vRdfX | 1 day 1 hour ago |
| The Official Google Blog - Introducing Chrome for Android - http://t.co/JWF3XAmg | 1 day 1 hour ago |
| Inside BlackBerry - How to send and receive files via NFC on BlackBerry OS 7.1 using BlackBerry Tag - http://t.co/Qaw35iGX | 1 day 12 hours ago |
| Your new BrightPoint OnLine launched - http://t.co/8FT623gl | 1 day 12 hours ago |
| The Next Web - Microsoft is bringing Dynamics CRM to every mobile platform in Q2 - http://t.co/iUtoH74u | 2 days 5 hours ago |
- 1 of 7
- ››
