This fricking sucks man.
This is really complicated. I've managed to do it but the process is ****ty.
Getting Started:
First of all you need to install the programs that are needed to create and sign sis files.
makesis and signsis can be found in the S60 Platform SDKs for Symbian OS, for C++ the SDK needs Perl to be installed.
After you have installed Perl and the SDK you may add your tools folder path (e.g. "C:\Program Files\Common Files\Symbian\tools") to your environment variables to create and sign the sis files in a more convenient way.
This can be done by right-clicking on "My Computer" and choosing "Properties", then selecting the tab "Advanced" and going to "Environment Variables". Under "System Variables" you can select "Path", press "Edit" and add the tools path, separated by a semicolon from the other paths already inserted.
Now all we need is a free account at Symbian Signed to be able to sign the sis-files. After you have registered click on "My Symbian Signed" and on "Developer Certificates" where you can download 'DevCertRequest'. Download and install 'DevCertRequest' and run it afterwards.
Step1: Choose a path and a filename for the .csr-file. (e.g. C:\tutorial\tutorial.csr)
Step2: Presuming that you have no 'ACS Publisher ID', click on "No" to the left of 'ACS Pub ID available:', choose a path and filename for the keyfile (e.g. C:\tutorial\tutorial.key) and enter a password twice (e.g. tutorial). Please don't forget the password, we'll need that later on.
Step3: Fill in the required fields.
Step4: Enter your IMEI (International Mobile Equipment Identity) and simply select all 'Application Capabilities'.
Step5: Press "Finish".
Now you can request a 'Developer Certificate' on the 'New Developer Certificate request' page (symbiansigned.com->symbiansigned.com->My Symbian Signed->Developer Certificates->Request). Choose your .csr-file and click on send. If everything went well you are now able to download your certificate. Rename the file to .cer (e.g. tutorial.cer).
Retrieving Data:
Last but not least, we need a .pol, a .pin and a .pkg file (e.g. VPN-policy-preshared-cisco.pol, VPN-policy-preshared-cisco.pin and VPN-policy-preshared-cisco.pkg). Thanks to zeus24 you can download a .pdf that contains example-files. I'll explain how to edit them later on. Please note these files won't work unedited.
A .pcf-File is a solid base but unfortunately doesn't provide all the information needed to create a working policy. But let's see what we can get.
I'll describe this as follows "PcfFileValueName=Value | somethingInThePolFile Value somethingElseInThePolFile | Comments and notes"
Host=HostVal | remote 0.0.0.0 0.0.0.0 = { ipsec_1(Hostval) }
Host=HostVal | ADDR: Hostval 255.255.255.255 | Note that the subnet mask may differ; that depends on the network you're trying to connect to.
GroupName=GroupVal | FQDN: GroupVal:
GroupPwd=PWdplain | KEY: Pwdlength Pwdplain | Pwdlength is the length of the Plaintextpassword.
enc_GroupPwd=Pwdenc | Key: Pwdlength Pwdplain | The password must not be encoded. There is software on the net to decode encoded passwords (e.g. http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode). Thanks pipipde for this great link.
If you don't know what the correct encryption and hash algorithms are, I would suggest trying all possible combinations.
Possible encryption algorithms are:
;DES
encrypt_alg 2
ENC_ALG: DES-CBC
;3DES
encrypt_alg 3
ENC_ALG: 3DES-CBC
;AES
encrypt_alg 12
ENC_ALG: AES256-CBC
Possible hash algorithms are:
;MD5
auth_alg 2
HASH_ALG: MD5
;SHA
auth_alg 3
HASH_ALG: SHA1
After deleting the "pfs" line the .pol-File worked for me, I hope it does that for you too.
Altering the policyname in the .pin-file may be useful to test all possible encryption and hash combinations, but you don't have to.
A .pkg-File needs a language to work; insert the following at the top of your .pkg-file:
%{"Vendor-EN"}
:"Acme Ltd"
&EN
Replace "SISCONFIG" with "SA" and "C:\System\Data\Security\Install\" with the path where your .pol and .pin-files are actually stored in (e.g. C:\tutorial\).
Check if the VPN Policy Installer UID is the same as on your phone (Settings->App.Manager->Nokia VPN Policy Installer->Details(Scroll down)->View Details(Serial Number: )). If they differ, replace those in the .pkg with the one in the phone (e.g. 0x3D08B4F7).
You may delete comments in the .pkg-File, but you don't have to.
Creating And Installing A Signed SIS File:
At this point you're able to create and sign .sis-files. Run the command line (Start->Run->"cmd"->Ok) and switch to the directory where you have stored your .cer and .key-file (e.g. cd C:\tutorial).
Use "makesis" to create a .sis-file. The parameters are "Package-File" (e.g. makesis VPN-policy-preshared-cisco.pkg).
Use "signsis" to sign the created .sis-file. The parameters are "Unsigned-Sis-File Signed-Sis-File Certificate-File Key-File Password" (e.g. signsis VPN-policy-preshared-cisco.SIS VPN-policy-preshared-cisco-signed.SIS tutorial.cer tutorial.key tutorial).
If everything went well you should now be able to create and sign .sis-files.
Example Files:
This is, except for the group password, an example policy that actually works with my N80 for the VPN at the Eberhard-Karls-University of Tuebingen. Other profiles for universities in the Belwue (Freiburg, Heidelberg, Hohenheim, Karlsruhe, Konstanz, Mannheim, Stuttgart and Ulm) should look very similar.
VPN-policy-preshared-cisco.pol
SECURITY_FILE_VERSION: 3
[INFO]
VPN-policy-preshared-cisco.pol for Nokia Mobile VPN Client v3.0.
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 3
max_encrypt_bits 256
auth_alg 2
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(10.32.128.1) }
inbound = { }
outbound = { }
[IKE]
ADDR: 10.32.128.1 255.255.255.255
MODE: Aggressive
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: belwue
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: 3DES-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: MD5
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 8 password
VPN-policy-preshared-cisco.pin
[POLICYNAME]
VPN Policy
[POLICYDESCRIPTION]
VPN-policy-preshared-cisco.pol for Nokia Mobile VPN Client v3.0.
[POLICYVERSION]
1.1
[ISSUERNAME]
Do not edit
[CONTACTINFO]
Do not edit
VPN-policy-preshared-cisco.pkg
;
; A VPN POLICY PACKAGE
;
%{"Vendor-EN"}
:"Acme Ltd"
&EN
; - None (English only by default)
; INSTALLATION HEADER
; - Only one component name is needed to support English only
; - UID is the UID of the VPN Policy Installer application
#{"VPN Policy"},(0x3D08B4F7),1,0,0,TYPE = SA
; LIST OF FILES
; Policy file
"VPN-policy-preshared-Cisco.pol"-"C:\tutorial\VPN-policy-preshared-Cisco.pol"
; Policy-information file
; - NOTE: The policy-information file MUST be the last file in this
; list!
; - FM (FILEMIME) passes the file to the respective MIME handler
; (in this case, the VPN Policy Installer
; application).
"VPN-policy-preshared-Cisco.pin"-"C:\tutorial\VPN-policy-preshared-Cisco.pin",
FM, "application/x-ipsec-policy-info"
; REQUIRED FILES
; - The VPN Policy Installer application
(0x3D08B4F7), 1, 0, 0, {"VPN Policy Installer"}
I'm using my N95 to connect to a Cisco 3000 Concentrator. I've created and signed the policy but I'm waiting for some answers back from my IT department as to the version of IOS, encryption, authentication etc.
This is a real hole as far as 3rd party apps are concerned. Whoever comes up with a 3rd party VPN client is going to make some money.
If you need my pol, pin and pkg files let me know.
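The .pcf-to-.pol mapping and the encryption/hash combinations described in the post, as an added example that is not part of the original post or of any Nokia or Cisco tool. The function names (parse_pcf, pol_lines, variants) and the policy naming scheme are assumptions, and the sample inputs are constructed from the post's example values; KEY uses the character count of the plaintext, as in the post's "KEY: 8 password".

```python
import itertools
import re

# Identifier pairs listed in the post: (number in the sa block, name in the IKE proposal).
ENC = {"DES": (2, "DES-CBC"), "3DES": (3, "3DES-CBC"), "AES": (12, "AES256-CBC")}
HASH = {"MD5": (2, "MD5"), "SHA": (3, "SHA1")}

# Constructed sample inputs (values taken from the post's example policy).
SAMPLE_PCF = "[main]\nHost=10.32.128.1\nGroupName=belwue\nGroupPwd=password\nenc_GroupPwd=\n"
SAMPLE_POL = "encrypt_alg 3\nauth_alg 2\nENC_ALG: 3DES-CBC\nHASH_ALG: MD5\n"


def parse_pcf(text):
    """Return the key=value pairs of a .pcf profile as a dict."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", ";")):
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def pol_lines(pcf):
    """Map .pcf values to the .pol lines described in the post."""
    if not pcf.get("GroupPwd"):
        # enc_GroupPwd alone is not enough: KEY needs the plaintext and its length.
        raise ValueError("GroupPwd is empty; the KEY line needs the plaintext password")
    host, group, pwd = pcf["Host"], pcf["GroupName"], pcf["GroupPwd"]
    return {
        "remote": f"remote 0.0.0.0 0.0.0.0 = {{ ipsec_1({host}) }}",
        "ADDR": f"ADDR: {host} 255.255.255.255",  # netmask may differ per network
        "FQDN": f"FQDN: {group}",
        "KEY": f"KEY: {len(pwd)} {pwd}",
    }


def variants(pol_text):
    """Yield (policy name, policy text) per encryption/hash pair, sa block and proposal in step."""
    for (e, (enum, ename)), (h, (hnum, hname)) in itertools.product(ENC.items(), HASH.items()):
        out = pol_text
        for key, val in (("encrypt_alg", enum), ("auth_alg", hnum),
                         ("ENC_ALG:", ename), ("HASH_ALG:", hname)):
            out = re.sub(rf"(?m)^([ \t]*{re.escape(key)})[ \t]+\S+", rf"\g<1> {val}", out)
        yield f"VPN Policy {e}-{h}", out


if __name__ == "__main__":
    print("\n".join(pol_lines(parse_pcf(SAMPLE_PCF)).values()))
```

Each yielded name can go under [POLICYNAME] in the matching .pin file so the variants are distinguishable on the phone.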