Windows Mobile 6 devices have an L2TP/IPSec-capable VPN client as part of the WM6 operating system that can natively connect to the Routing and Remote Access Service on Windows Server 2003 to provide a secure connection to a corporate LAN.
There are a number of factors to be aware of when configuring VPN connections from mobile devices.
Network Address Translation (NAT)
Mobile devices are typically assigned private, or 'non-routable', IP addresses by the mobile network operator (MNO) when they connect to the Internet, with the MNO performing NAT at the GGSN, the gateway node between the mobile network and the Internet.
IPSec-based VPN connections are not able to traverse a NAT gateway, because changing the packet's source address means that the checksum calculated from the original IP header no longer matches the new header. The VPN server therefore assumes that the packet has been tampered with in some way (which, of course, it has been) and discards it, so the client is never authenticated.
This is only a problem if an Authentication Header is being used to create the IPSec packet. L2TP VPN connections do not suffer from this, but are correspondingly less secure.
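The failure described above can be reproduced offline. The following is an added example, not part of the original guide: it models the Authentication Header integrity value as HMAC-SHA1-96 over the IPv4 header with its mutable fields zeroed, and shows that an ordinary router hop still verifies while a NAT source rewrite does not. The key, addresses and payload are constructed samples, and the AH header's own fields are left out of the calculation for brevity.

```python
import hashlib
import hmac
import socket
import struct

FMT = "!BBHHHBBH4s4s"            # 20-byte IPv4 header without options
KEY = b"constructed-demo-key"    # constructed sample key, not a real secret
PAYLOAD = b"constructed payload"

def ip_checksum(header):
    """Ones'-complement sum of the header; 0 means the header is valid."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite(header, src=None, ttl=None):
    """Model an in-path device: change source and/or TTL, then fix the checksum."""
    f = list(struct.unpack(FMT, header))
    if src is not None:
        f[8] = socket.inet_aton(src)
    if ttl is not None:
        f[5] = ttl
    f[7] = 0
    f[7] = ip_checksum(struct.pack(FMT, *f))
    return struct.pack(FMT, *f)

def ipv4_header(src, dst, payload_len, ttl=64):
    """Build a header carrying protocol 51 (AH) with a valid checksum."""
    raw = struct.pack(FMT, 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, 51, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return rewrite(raw)

def ah_icv(header, payload, key=KEY):
    """Integrity value over the immutable header fields plus the payload."""
    f = list(struct.unpack(FMT, header))
    f[1] = f[4] = f[5] = f[7] = 0    # TOS, flags/fragment, TTL, checksum are mutable
    return hmac.new(key, struct.pack(FMT, *f) + payload, hashlib.sha1).digest()[:12]

def verify(header, payload, icv):
    return hmac.compare_digest(ah_icv(header, payload), icv)

# Constructed packet: private handset address to a documentation-range server.
sent = ipv4_header("10.20.30.40", "203.0.113.10", len(PAYLOAD))
icv = ah_icv(sent, PAYLOAD)
routed = rewrite(sent, ttl=63)                       # plain router hop
natted = rewrite(sent, src="198.51.100.7", ttl=63)   # NAT gateway rewrite

if __name__ == "__main__":
    print("router hop verifies:", verify(routed, PAYLOAD, icv))
    print("after NAT verifies: ", verify(natted, PAYLOAD, icv))
```

The NAT gateway leaves the packet with a valid IP header checksum, so the drop happens only at the IPSec integrity check on the server.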
One method of getting past this issue of 'NAT Traversal' whilst still employing IPSec is to create the IPSec packet header using UDP rather than TCP, since UDP packet headers do not have a source address, only a destination header. This does require that both the VPN client and the VPN server support 'NAT-T'. Both WM6 and Server 2003 support NAT Traversal.
Some mobile network operators do provide specific access points for users wishing to establish VPN connections from their mobile devices. These access points provide client devices with public, or routable, IP addresses, meaning that no NAT is being performed and IPSec can function properly. Access to these VPN access points requires that the service be activated on the SIM.
Addressing scheme
It is also important to know the IP address range that your mobile devices will be assigned by the mobile network operator. Typically MNOs assign addresses in the range 10.x.x.x or 172.16.x.x.
If this address range is also the range that is being used by the VPN server to allocate addresses to connected clients, then the client will connect to the VPN, but will then not be able to route data correctly. Therefore the addressing scheme used by the VPN server needs to be different.
Firewalls
In order to connect to the VPN server, the following ports will need to be open on any firewalls between the VPN server and the Internet:
UDP 500 (IKE)
UDP 4500 (ISAKMP)
Add the Routing and Remote Access role within the Server Manager if not installed already, and select the option to install VPN access with NAT.
Launch the Routing and Remote Access MMC snap-in. Right-click on the entry for the server and select Properties. Click on the Security tab:

Tick the option to Allow custom IPSec policy for L2TP connection and enter a pre-shared key.
A DHCP server will need to be available in order to assign IP addresses to connecting VPN clients (unless you are using static addresses on your clients). The DHCP service can be installed on the VPN server itself. Within the MMC snap-in, configure the address of the DHCP Relay Agent; this can be the localhost address if DHCP is running locally.
Within the NAT section, open the properties of the network interface that is acting as the VPN adapter. Click on the Services and Ports tab:

If your client device is connecting from behind a NAT gateway, then ensure that the option to use IP Security (IKE NAT Traversal) is enabled.
Finally, within the properties of the user account itself within Active Directory, enable VPN access on the Dial In tab.
NOTE - the client will need a connection to the Internet in order to be able to access the VPN server. This guide assumes you have configured this correctly already.
Tap on Start and select Settings
Tap on the Connections tab at the bottom of the screen
Tap on the Connections icon
In the My Work Network section, tap on the option to Add a new VPN server connection
Enter a name for the connection and select L2TP/IPSec as the protocol
Enter the external DNS name or IP address of the VPN server
Select the option to use a pre-shared key and enter the same key that you entered on the Server 2003 machine
Tap Finish
If all has gone according to plan, you should now be able to connect to the VPN server:
