05-07-2011 02:06 AM
I'm working on setting up my BlackBerry PlayBook to access the network over our IPsec VPN; however, so far I have had no luck.
I'm also posting this on the Blackberry playbook support forum.
Thanks for any help you may give me.
Settings on BlackBerry Playbook
Server Address: My IP Address
Authentication type: XAuth-PSK
Group Username: remote.com
Group Password: (Password)
Username: PCaseyIPsec
Password: (MyPassword)
Checked Automatically Determine IP
Checked Dynamically Determine DNS
Checked Perfect Forward Secrecy
Checked Manual Algorithm Selection (also tried Unchecked on Auto)
IKE DH Group: 2
IKE Cipher: 3DES
IKE Hash: SHA1
IKE PRF: HMAC
IPsec DH Group: 2
IPsec Cipher: 3DES
IPsec Hash: SHA1
IKE Lifetime (seconds): 28800
IPsec Lifetime (seconds): 3600
NAT Keepalive (seconds): 300
DPD Frequency (seconds): 240
Checked Disable Banner (also tried unchecked)
unchecked Use HTTP Proxy
Settings On RV220W
Name | Mode | Local IP | Remote IP | Encryption | Authentication | DH
Sundown6 | Aggressive | local.com | remote.com | 3DES | SHA-1 | Group 2 (1024 bit)

Status | Name | Type | Local | Remote | Authentication | Encryption
Enabled | Sundown6* | Auto Policy | 192.168.0.0 / 255.255.255.0 | Any | SHA-1 | 3DES
Logs
2011-05-07 01:39:14: [rv220w][IKE] INFO: Remote configuration for identifier "remote.com" found
2011-05-07 01:39:14: [rv220w][IKE] INFO: Received request for new phase 1 negotiation: 76.21.2.248[500]<=>192.168.0.158[500]
2011-05-07 01:39:14: [rv220w][IKE] INFO: Beginning Aggressive mode.
2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: DPD
2011-05-07 01:39:14: [rv220w][IKE] INFO: For 192.168.0.158[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2011-05-07 01:39:15: [rv220w][IKE] INFO: NAT-D payload matches for 76.21.2.248[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO: NAT-D payload matches for 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.158[500] because it is only accepted after phase1.
2011-05-07 01:39:15: [rv220w][IKE] INFO: NAT not detected
2011-05-07 01:39:15: [rv220w][IKE] INFO: Sending Xauth request to 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO: ISAKMP-SA established for 76.21.2.248[500]-192.168.0.158[500] with spi:5127c3cf75f1f5d9:f65ff6a9995200c1
2011-05-07 01:39:15: [rv220w][IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO: Login succeeded for user "PCaseyIPsec"
2011-05-07 01:39:15: [rv220w][IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
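An added example, not part of the original post: a short Python script that reads the RV220W IKE log lines quoted above and reports which negotiation milestones appear, in order, and which errors repeat. The stage names and the `summarize` function are made up for this illustration; the matched strings and the sample lines are taken from the log above.

```python
import re

# Log lines copied from the post above (trimmed to the ones that mark progress).
SAMPLE = """\
2011-05-07 01:39:14: [rv220w][IKE] INFO: Received request for new phase 1 negotiation: 76.21.2.248[500]<=>192.168.0.158[500]
2011-05-07 01:39:14: [rv220w][IKE] INFO: Beginning Aggressive mode.
2011-05-07 01:39:15: [rv220w][IKE] INFO: Sending Xauth request to 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO: ISAKMP-SA established for 76.21.2.248[500]-192.168.0.158[500] with spi:5127c3cf75f1f5d9:f65ff6a9995200c1
2011-05-07 01:39:15: [rv220w][IKE] INFO: Login succeeded for user "PCaseyIPsec"
2011-05-07 01:39:15: [rv220w][IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
"""

# Hypothetical stage names mapped to message fragments seen in the log above.
STAGES = [
    ("phase1_started", "Received request for new phase 1 negotiation"),
    ("xauth_requested", "Sending Xauth request"),
    ("phase1_established", "ISAKMP-SA established"),
    ("xauth_login_ok", "Login succeeded for user"),
    ("mode_config_requested", 'Received attribute type "ISAKMP_CFG_REQUEST"'),
]
LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: \[[^\]]+\]\[IKE\] (INFO|WARNING|ERROR): (.*)$")
PEER_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}\[\d+\]")

def summarize(log_text):
    """Return the exchange mode, the stages reached in log order, and error counts."""
    reached, errors, exchange_mode = [], {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an IKE log line
        level, msg = m.groups()
        mode = re.match(r"Beginning (\w+) mode", msg)
        if mode:
            exchange_mode = mode.group(1)
        for name, marker in STAGES:
            if marker in msg and name not in reached:
                reached.append(name)
        if level == "ERROR":
            # Replace the peer address so repeated errors collapse into one key.
            key = PEER_RE.sub("<peer>", msg)
            errors[key] = errors.get(key, 0) + 1
    return {"exchange_mode": exchange_mode, "reached": reached,
            "last_stage": reached[-1] if reached else None, "errors": errors}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```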
05-09-2011 07:12 AM
Anyone at all want to tell me what the error is at least?
05-19-2011 10:14 AM
Phillip,
I am looking over your settings for both the BlackBerry and the RV220W. There are a few things that I do not see, and I am wondering whether you set these things up. First, let's look at the BlackBerry PlayBook:
Does it have the option for a preshared key? If so, this needs to be added.
Second, the RV220W settings:
Did you set up an XAuth user on the device under users? (VPN==>IPSEC Users)
Did you select XAuth on the RV220W under phase one of the tunnel to use the username and password you created? (They should match the BlackBerry.)
Did you enter a preshared key? And does it match the one that is located on the BlackBerry?
Sometimes you can have compatibility issues when connecting certain devices together. Just make sure that you have all the fields matching up, because when connecting IPsec it is very important that you have the same things on both sides of the IPsec connection. This is not a problem all the time. Also, I would not use aggressive mode; just use main mode on the RV220W.
After making these changes, clear the log and see if you get different log messages. The current log that you are getting is not getting past phase 1. At this point it could be a number of things; because I don't have all the information, it is hard to guess when it comes to IPsec connections.
Thanks
Quendale
05-19-2011 11:10 AM
OK, I think I need to update everyone and type up my settings. I’ve tested this at my wife’s school and a local coffee house and it worked. However, I have not been able to get it working at my building's free WiFi.
So this may not help everyone.
First the RV220W settings
Add / Edit IKE Policy Configuration
Policy Name: AnythingYouLike
Direction / Type: Responder
Exchange Mode: Aggressive
Local
Identifier Type: FQDN
Identifier: local.com
Remote
Identifier Type: FQDN
Identifier: remote.com
IKE SA Parameters
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Authentication Method: Pre-Shared Key
Pre-Shared Key: YourPassword
Diffie-Hellman (DH) Group: Group2(1024 bit)
SA-Lifetime: 28800 Seconds
Dead Peer Detection: Enable NotChecked
Detection Period: (Range: 10 - 999) NA
Reconnect after Failure Count: (Range: 3 - 99) NA
Extended Authentication
XAUTH Type: None
Authentication Type: NA
Username: NA
Password: NA
Add / Edit VPN Policy Configuration
Policy Name: AnythingYouLike
Policy Type: Auto Policy
Remote Endpoint: FQDN
Remote.com
NETBIOS: Enable Not Checked
Local Traffic Selection
Local IP: Subnet
Start Address: 192.168.44.0 (local ip range with 0 at end)
End Address: NA
Subnet Mask: 255.255.255.0
Remote Traffic Selection
Remote IP: Any
Start Address: NA
End Address: NA
Subnet Mask: NA
Split DNS
Split DNS: Enable NA
Domain Name Server 1: NA
Domain Name Server 2: (Optional) NA
Domain Name 1: NA
Domain Name 2: (Optional) NA
Manual Policy Parameters
SPI-Incoming: NA
SPI-Outgoing: NA
Encryption Algorithm: NA
Key-In: NA
Key-Out: NA
Integrity Algorithm: NA
Key-In: NA
Key-Out: NA
Auto Policy Parameters
SA-Lifetime: 3600 Seconds
Encryption Algorithm: 3DES
Integrity Algorithm: SHA-1
PFS Key Group: Enable Checked
DH-Group 2(1024 bit)
Select IKE Policy: Select IKE Name From Above
Blackberry Playbook Settings
ProfileName AnyNameYouLike
Server Address: IPAddress (can check with whatismyip.com on same network as router)
Gateway Type Juniper VPN Series
Authentication type: PSK
Group Username: remote.com
Group Password: YourPassword (From ‘Pre-Shared Key:’ in Ike settings above)
Private IP 192.168.44.45 (pick ip from your local network)
Private IP Mask 255.255.255.0 (subnet mask of above ip)
Subnet 192.168.44.0 (same as ‘Start Address:’ in Ipsec settings above)
Subnet Mask 255.255.255.0 (subnet mask of ‘subnet’ IP address)
Checked Dynamically Determine DNS
Checked Perfect Forward Secrecy
Checked Manual Algorithm Selection (also tried Unchecked on Auto)
IKE DH Group: 2
IKE Cipher: 3DES
IKE Hash: SHA1
IKE PRF: HMAC
IPsec DH Group: 2
IPsec Cipher: 3DES
IPsec Hash: SHA1
IKE Lifetime (seconds): 28800
IPsec Lifetime (seconds): 3600
NAT Keepalive (seconds): 300
DPD Frequency (seconds): 999
unchecked Use HTTP Proxy
There you have it, enjoy. Play around with the settings and let me know if you find anything that works better.
Thanks,
Phil
05-19-2011 12:44 PM
If you are able to get connected from two different locations with the settings shown, there is no problem with the settings on either device. It could be a matter of the settings of the internet provider that you are connecting from. When dealing with free WiFi, a lot of the time there are more security settings in place that will cause the VPN tunnel not to connect. If ports are being blocked at this location, that would cause you not to be able to connect. The settings you have are good if you can connect using the same settings from two different locations. I would not make any setting changes to the RV220W or the BlackBerry PlayBook. In the past when using free WiFi, some places I could connect from and others I could not. It depends on the provider they are using and also how locked down the device that you are connecting to is.
Please let me know if I am looking at this wrong and this is not your case. I hope this is helpful.
Thanks
Quendale
05-19-2011 02:10 PM
No, you're right... It works now,
and there can be more than a few things going on with the free WiFi.
The oddest thing is that I got it working after a lot of trial and error, and that none of the Cisco clients worked, just the Juniper VPN Series client.
FYI the VPN clients it has are
Check Point Software Tech
Cisco VPN Gateway Type 3000
Cisco Secure PIX Firewall VPN
Cisco IOS Easy VPN Server
Cisco ASA
Juniper VPN Server
Microsoft IKEv2 VPN Server
Generic IKEv2 VPN Server
That's why I posted all the settings after I got it working.
01-14-2012 02:56 PM
Hi,
I realize it has been a while since you posted this but I am running into a situation which you may be able to help with.
I have the same setup and have used your settings to connect my Playbook successfully to my VPN configured on a Cisco RV220W but am having problems browsing the internet and intranet while connected. The DNS is dynamically determined but I have tried setting the Primary DNS to the IP address of the RV220W as it also acts as the internet gateway for the work network. However, no luck in either case.
If there is anything you can shed some light on that would be great. If you have any suggestions on another good compatible router with VPN capability that would be great as well. I have a client that needs to upgrade their router and I am not sure the RV220W is the way I want to go for them.
Thank you.