Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#21
Originally Posted by too:
Developer mode is enough -- when developer mode is enabled
developers can install software to have the same credentials
as ovi store provides -- without developer mode users are
restricted to 'unknown origin' credentials if software is not
installed from ovi store.
That's a false statement, developer mode does not allow you to install with same credentials that ovi store provides. (Only if you have R&D certificate, which normal users don't have). In open mode you can use AEGIS_FIXED_ORIGIN to install with any origin.

Developer mode only adds develsh shell that has same capabilities that ovi origin has, and you have to run develsh with aegis-exec if you want to run with those credentials.
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.
 
too
Posts: 122 | Thanked: 135 times | Joined on Dec 2009 @ Helsinki
#22
Originally Posted by n9mo:
one more question:
i filled in the config fields and clicked SAVE.
all good but now with every new start of VPN9C, the password field is empty and the LOAD button gives me
'Importing ... failed: No such file or dir'
Since then, there is no save button anymore... i gotta fill in the password each time

is this a known bug or is it just mine gone waco and there is a way i can reinitialize things again?
There is always a tradeoff between security and convenience; to make
things simple to the developer (me, that is) the password is never
read from .pcf file, it is never saved to the configuration file and
the .pcf file is unlinked (*) after the file is read.

So, every time the gui is restarted password field is empty.
If password is written in the configuration field then it is
remembered as long as the gui is running -- popup requesting
the password in case passwd is empty does not make password
remembered.

I think I need to add some more instructions...

(*) the unlinking of the .pcf is not so much about a security feature
(as the data is still on flash disk) but about avoiding accidentally
reading the .pcf again...

Tomi
 
too
Posts: 122 | Thanked: 135 times | Joined on Dec 2009 @ Helsinki
#23
Originally Posted by rainisto:
That's a false statement, developer mode does not allow you to install with same credentials that ovi store provides. (Only if you have R&D certificate, which normal users don't have). In open mode you can use AEGIS_FIXED_ORIGIN to install with any origin.

Developer mode only adds develsh shell that has same capabilities that ovi origin has, and you have to run develsh with aegis-exec if you want to run with those credentials.

The point of developer mode is that developers can test their
software using (sub)set of the capabilities ovi store provides before
submitting to the ovi store.

Developers don't have devices with R&D certificate.

vpnc.sh requests the following:
<aegis>
<request>
<credential name="CAP::kill" /> <!-- for pinging dnsmasq -->
<credential name="CAP::net_bind_service" />
<credential name="CAP::net_admin" />
<credential name="CAP::net_raw" />

<for path="/opt/vpn9c/bin/vpnc.sh" />
</request>
</aegis>

And it will get those if developer mode is activated -- In my
tests and whoever installs this package when developer mode
is enabled.

When I've started vpnc I get this on terminal:

/home/developer $ accli -I -p $(pgrep vpnc)
Credentials:
UID::user
GID::users
CAP::kill
CAP::net_bind_service
CAP::net_admin
CAP::net_raw
AID::.vpn9c.
vpn9c::vpn9c

(When running from meego-terminal, as 'user' the same output is produced)

I don't have R&D certificate nor open mode device. I installed
the sw hundreds of times during development using

$ pkgmgr install-file -f vpn9c_*.deb

on command line.
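
Added example (not part of the original posts, and not Aegis or vpn9c code): one way to check the point argued above, by comparing the credentials requested in the manifest with what `accli -I` reports for the running process. The function names are hypothetical; the manifest and the accli text are copied from the post.

```python
import xml.etree.ElementTree as ET

# Manifest and accli output copied from the post above, embedded so this runs offline.
MANIFEST = """<aegis>
<request>
<credential name="CAP::kill" /> <!-- for pinging dnsmasq -->
<credential name="CAP::net_bind_service" />
<credential name="CAP::net_admin" />
<credential name="CAP::net_raw" />
<for path="/opt/vpn9c/bin/vpnc.sh" />
</request>
</aegis>"""

ACCLI_OUTPUT = """Credentials:
UID::user
GID::users
CAP::kill
CAP::net_bind_service
CAP::net_admin
CAP::net_raw
AID::.vpn9c.
vpn9c::vpn9c
"""


def requested_credentials(manifest_xml):
    """Map each <for path=...> target to the credential names requested for it."""
    requested = {}
    for request in ET.fromstring(manifest_xml).iter("request"):
        names = {c.get("name") for c in request.findall("credential")}
        for target in request.findall("for"):
            requested.setdefault(target.get("path"), set()).update(names)
    return requested


def granted_credentials(accli_text):
    """Collect the 'domain::name' tokens from accli -I output."""
    return {line.strip() for line in accli_text.splitlines() if "::" in line}


def audit(manifest_xml, accli_text, path):
    """Report requested credentials that were not granted, and extra CAP:: ones."""
    requested = requested_credentials(manifest_xml).get(path, set())
    granted = granted_credentials(accli_text)
    extra_caps = {c for c in granted if c.startswith("CAP::")} - requested
    return {"missing": sorted(requested - granted), "extra_caps": sorted(extra_caps)}
```

An empty `missing` list means every requested credential was granted; an empty `extra_caps` list means the process holds no capability beyond what the manifest asked for.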
 
Posts: 13 | Thanked: 8 times | Joined on Jun 2012
#24
Originally Posted by Scharel:
Just enter your IPsec data and press Start. That's it.
Would be VERY happy if it would be as easy as this. As VPN is the ONLY feature I miss to get my N9 to be the most complete Nokia I ever owned. So I tried since I first read this thread to get VPN9C running on my N9 - my server is a "FRITZBox" - product that dominates the router/modem/voip market in Germany.

The config file on the server looks like this:

Code:
connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "N9@nokia.de";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 192.168.174.205;
                remoteid {
                        key_id = "N9@nokia.de";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "alt/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "keykeykey";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = yes;
                xauth {
                        valid = yes;
                        username = "nokia@N9.de";
                        passwd = "secret";
                }
                use_cfgmode = yes;
                phase2localid {
                        ipnet {
                                ipaddr = 0.0.0.0;
                                mask = 0.0.0.0;
                        }
                }
                phase2remoteid {
                        ipaddr = 192.168.174.205;
                }
                phase2ss = "esp-all-all/ah-all/comp-all/no-pfs";
                accesslist = 
                             "permit ip 192.168.174.0 255.255.255.0 192.168.174.205 255.255.255.255", 
                             "permit ip any 192.168.174.205 255.255.255.255";
The data of my VPN9C Configuration are:

Gateway: My.Dyndnsadress
Group name: N9@nokia.de
Group Pwd: keykeykey
Username: nokia@N9.de
Password: secret
Domain: Dyndnsadress

When I try to connect I get back: "vpnc: response was invalid [2]: (ISAKMP_N_....)"

On the server GUI I can see at the same time: "vpn N9: connecting N9@nokia.de"

Can someone help to find and eventually correct the error(s) of my configuration? I would really be VERY grateful!

A VPN connection to the same server with a Symbian NOKIA (701) works perfectly - the 701 vpn client was configured with NOKIA's Mobile VPN Client Tool

Last edited by imagomundi; 2012-08-25 at 23:20.
 
too
Posts: 122 | Thanked: 135 times | Joined on Dec 2009 @ Helsinki
#25
Originally Posted by imagomundi:

...

The data of my VPN9C Configuration are:

Gateway: My.Dyndnsadress
Group name: N9@nokia.de
Group Pwd: keykeykey
Username: nokia@N9.de
Password: secret
Domain: Dyndnsadress

When I try to connect I get back: "vpnc: response was invalid [2]: (ISAKMP_N_....)"

On the server GUI I can see at the same time: "vpn N9: connecting N9@nokia.de"

Can someone help to find and eventually correct the error(s) of my configuration? I would really be VERY grateful!

A VPN connection to the same server with a Symbian NOKIA (701) works perfectly - the 701 vpn client was configured with NOKIA's Mobile VPN Client Tool
Apologies for being lazy and not changing that error message
multiline before first release. The full message is available
in file /var/run/vpnc/message -- Please dig it and send here
for further inspection.
 
Posts: 13 | Thanked: 8 times | Joined on Jun 2012
#26
$ /var/run/vpnc/message

get message:

-/bin/sh: /var/run/vpnc/message: Permission denied

same message (Permission denied) entering command as root (devel-su)

As to the message itself: I know from Android forum that they had to do some changes in vpnc client configuration concerning the lifetime of the SA (FRITZBox as vpn server allows only 3600 sec - I do always have to change the default value of 86400 to 3600 when configuring a client file with Nokia's own vpn configuration tool) and other IKE-related data.

Thanks for your help!
 

too
Posts: 122 | Thanked: 135 times | Joined on Dec 2009 @ Helsinki
#27
It is not an executable. Enter

cat /var/run/vpnc/message

on command line.

It is interesting that the lifetimes of security associations are just
not negotiated... Are there some security issues there?
I'll look whether it is configurable in vpnc.
 
Posts: 13 | Thanked: 8 times | Joined on Jun 2012
#28
after "cat" log now says:

response was invalid[2]: (ISAKMP_N_INVALID_PAYLOAD_TYPE)(1)


Other issue/idea: FRITZBox only accepts "aggressive" as mode in phase 1 - does not load vpn config when I change this to "main"

To get vpnc running on Android device connecting to FRITZBox as vpn server the value in vpnc "nat-t-ike-02" (cd60464335df21f87cfdb2fc68b6a448 in binary) had to be changed to "nat-t-ike-03" (binary: 7d9419a65310ca6f2c179d9215529d56) by patching the vpnc binary

Hope this helps to help me (and all N9 FRITZBox users that need VPN)

Thanks again

Last edited by imagomundi; 2012-08-29 at 01:30.
 

too
Posts: 122 | Thanked: 135 times | Joined on Dec 2009 @ Helsinki
#29
Originally Posted by imagomundi:
after "cat" log now says:

response was invalid[2]: (ISAKMP_N_INVALID_PAYLOAD_TYPE)(1)


Other issue/idea: FRITZBox only accepts "aggressive" as mode in phase 1 - does not load vpn config when I change this to "main"

To get vpnc running on Android device connecting to FRITZBox as vpn server the value in vpnc "nat-t-ike-02" (cd60464335df21f87cfdb2fc68b6a448 in binary) had to be changed to "nat-t-ike-03" (binary: 7d9419a65310ca6f2c179d9215529d56) by patching the vpnc binary
Ok, I can find that in the source:
Code:
const unsigned char VID_NATT_02[] = { /* "draft-ietf-ipsec-nat-t-ike-02" */
        0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8,
        0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48
};
As you know so much, can you also dig the exact configuration
file that Android vpnc client uses. For reference, the current
configuration vpn9c feeds to vpnc is:
Code:
IPSec gateway %s
IPSec ID %s
IPSec secret %s
IKE AuthMode psk
IKE DH Group dh2
Xauth username %s
Xauth password %s
Domain %s
This helps to provide a special image for you to test this --
without too many testing round-trips...

Originally Posted by imagomundi:

Hope this helps to help me (and all N9 FRITZBox users that need VPN)

Thanks again
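
Added example (not from the original posts and not vpnc code): the two 16-byte values quoted above are the MD5 digests of the draft names, as the NAT-T drafts define their Vendor IDs, so the Vendor ID payloads a peer sends can be labelled when diagnosing a mismatch like this one. The function names and the sample payload chain are constructed for illustration; the payload layout is the ISAKMP generic payload header from RFC 2408.

```python
import hashlib
import struct

ISAKMP_PAYLOAD_VID = 13  # Vendor ID payload type (RFC 2408)
NATT_NAMES = ["draft-ietf-ipsec-nat-t-ike-02", "draft-ietf-ipsec-nat-t-ike-03"]


def vid_for(name):
    """NAT-T Vendor ID: the MD5 digest of the draft name, no trailing newline."""
    return hashlib.md5(name.encode("ascii")).digest()


KNOWN_VIDS = {vid_for(n): n for n in NATT_NAMES}


def build_payload_chain(payloads):
    """Serialise (type, body) pairs as chained ISAKMP generic payloads."""
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return out


def advertised_vendor_ids(first_type, data):
    """Walk a payload chain and label every Vendor ID payload found in it."""
    found, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        body = data[off + 4:off + length]
        if ptype == ISAKMP_PAYLOAD_VID:
            found.append(KNOWN_VIDS.get(body, "unknown:" + body.hex()))
        ptype, off = next_type, off + length
    return found


# Constructed sample: one NAT-T 02 Vendor ID followed by an unrecognised one.
SAMPLE = build_payload_chain([
    (ISAKMP_PAYLOAD_VID, vid_for("draft-ietf-ipsec-nat-t-ike-02")),
    (ISAKMP_PAYLOAD_VID, bytes(16)),
])
```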
 

Posts: 38 | Thanked: 24 times | Joined on Aug 2012 @ Zürich, Switzerland
#30
Thanks Man!

This is one of the final apps I was missing. I bricked my phone several times trying to get vpnc to work by the terminal, but your solution is just simply better.

Looking forward to the next or final release!

Keep up the good work,
 