Nokia E71 VPN
Posted by prox, from North Brunswick, on November 30, 2008 at 16:55 local (server) time

So, I got the VPN software preloaded on the Nokia E71 to work with my NetScreen-5GT!  I had to use the crummy Windows utility to create the VPN policy - but it's only a one-time task.  Here's a dump of the goodness:

einstein-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000003<   32.142.82.180  500 esp:a128/sha1 3593aefb  1999 unlim I/I    17 0
00000003>   32.142.82.180  500 esp:a128/sha1 29b89b2a  1999 unlim I/I    18 0
einstein-> get sa id 0x00000003
index 0, name Prolixium, peer gateway ip 32.142.82.180. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<17> out:<18> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 3, peer id 0, NSRP Local.     dialup, original.   site-to-site. Local interface is untrust <71.75.169.196>.
  esp, group 2, a128 encryption, sha1 authentication
  autokey, IN inactive, OUT inactive
  monitor<0>, latency: 0, availability: 0
  DF bit: clear 
  app_sa_flags: 0x2400030
  proxy id: local 10.3.0.0/255.255.0.0, remote 10.157.55.244/255.255.255.255, proto 0, port 0
  ike activity timestamp: 1495567630
  DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 3593aefb, flag 00004000, tunnel info 40000003, pipeline
  life 3600 sec, 2014 remain, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 1023 seconds
  next pak sequence number: 0x0
  bytes/paks:30412/208; sw bytes/paks:30412/208
outgoing: SPI 29b89b2a, flag 00000000, tunnel info 40000003, pipeline
  life 3600 sec, 2014 remain, 0 kb, 0 bytes remain
  anti-replay off, idle timeout value <0>, idled 1023 seconds
  next pak sequence number: 0x132
  bytes/paks:58224/306; sw bytes/paks:58224/306

NAT-T isn't being used - just straight ESP over IP/50, which is interesting.  I believe all Internet access through AT&T's network egresses through several Juniper ISG 2000s.  So, they probably have a special DIP configured without port-xlate for traffic that doesn't work well with port translation (at least for the MEdia Net plan, which doesn't assign out publicly-routable addresses).  Judging from the above, my internal address is apparently 10.157.55.244, which gets translated to 32.142.82.180.

I used a policy-based VPN, since I didn't want to deal with XAUTH or IP pools, just yet.  Maybe I'll write a document on this, after I'm all done playing with it …
