Suggested Reading
The following articles may also be of interest
- Connecting to the office securely from a Windows Mobile PDA
- Microsoft to shut down Windows Marketplace and My Phone Service for Windows Mobile 6.x
- Setting a Windows Mobile Pocket PC device to 2G only mode
- Performing a manual roam on Windows Mobile Smartphone
- Performing a manual roam on Windows Mobile Pocket PC
Keywords
Articles
Click on a title link below to expand or collapse a section. Double click a title link to follow it. Access the Blog.
Popular Articles
Today's:
- Welcome
- Use the HTC Desire as a portable WiFi hotspot
- Configuring the Huawei E5832 / E5830 (iMo)
- Sharing media via DLNA from the HTC Desire Z and Desire HD to Windows Media Player
- Using Internet Passthrough mode on the HTC Desire Z and Desire HD
- Huawei E5 (E5830 / E5832 / iMo) firmware update available
All time:
Popular Downloads
Configuring VPN access from Windows Mobile 6 to Windows Server 2003 / 2008
Windows Mobile 6 devices have an L2TP/IPSec-capable VPN client as part of the WM6 operating system that can natively connect to the Routing and Remote Access Service on Windows Server 2003 to provide a secure connection to a corporate LAN.
There are a number of factors to be aware of when configuring VPN connections from mobile devices.
Network Address Translation (NAT)
Mobile devices are typically assigned private, or 'non-routable', IP addresses by the mobile network operator when they connect to the Internet, with the MNO performing NAT at the GGSN: the gateway node between the mobile network and the Internet.
IPSec-based VPN connections are not able to traverse a NAT gateway as the act of changing the packet's source address makes the checksum calculated from the original IP header no longer match the new header. The VPN server therefore assumes that the packet has been tampered with in some way (which of course, it has been) and discards it, causing the client to not be authenticated.
This is only a problem if an Authentication Header is being used to create the IPSec packet. L2TP VPN connections do not suffer from this, but are correspondingly less secure.
One method of getting past this issue of 'NAT Traversal' whilst still employing IPSec, is to create the IPSec packet header using UDP rather than TCP: UDP packet headers not having a source address, only a destination header. This does require that both the VPN client and the VPN server support 'NAT-T'. Both WM6 and Server 2003 support NAT Traversal.
Some mobile network operators do provide specific access points for users wishing to establish VPN connections from their mobile devices. These access points provide client devices with public, or routable, IP addresses meaning that no NAT is being performed, thus enabling IPSec to function properly. The ability to access these VPN access points requires that the service be activated on the SIM.
Addressing scheme
It is also important to know the IP address range that your mobile devices will be assigned by the mobile network operator. Typically MNOs assign addresses in the range 10.x.x.x or 172.16.x.x
If this address range is also the range that is being used by the VPN server to allocate addresses to connected clients, then the client will connect to the VPN, but will then not be able to route data correctly. Therefore the addressing scheme used by the VPN server needs to be different.
Firewalls
In order to connect to the VPN server, the following ports will need to be open on any firewalls between the VPN server and the Internet:
UDP 500 (IKE) UDP 4500 (ISAKMP)
Configuring Windows Server 2003
Add the Routing and Remote Access role within the Server Manager if not installed already, and select the option to install VPN access with NAT.
Launch the Routing and Remote Access MMC snap-in. Right click on the entry for the server and select Properties. Click on the Security tab:
Tick the option to Allow custom IPSec policy for L2TP connection and enter a pre-shared key.
A DHCP server will need to be available in order to assign IP addresses to connecting VPN clients (unless you are using static addresses on your clients). The DHCP service can be installed on the VPN server itself. Within the MMC snap-in configure the address of the DHCP Relay Agent, this can be the localhost address if DHCP is running locally.
Within the NAT section, open the properties of the network interface that is acting as the VPN adapter. Click on the Services and Ports tab:
If your client device is connecting from behind a NAT gateway, then ensure that the option to use IP Security (IKE NAT Traversal) is enabled.
Finally, within the properties of the user account itself within Active Directory, enable VPN access on the Dial In tab.
Configuring the Windows Mobile 6 client
NOTE - the client will need a connection to the Internet in order to be able to access the VPN server, this guide assumes you have configured this correctly already.
Tap on Start and select Settings
Tap on the Connections tab at the bottom of the screen
Tap on the Connections icon
In the My Work Network section, tap on the option to Add a new VPN server connection
Enter a name for the connection and select L2TP/IPSec as the protocol
Enter the external DNS name or IP address of the VPN server
Select the option to use a pre-shared key and enter the same key that you entered on the Server 2003 machine
Tap Finish
If all has gone according to plan, you should now be able to connect to the VPN server:
Printer-friendly version- 26590 reads
- Stumble
PDF version
Twitter Feed
| BlackBerry 7 approved for use by UK government - http://t.co/p3DmORtP | 2 hours 58 min ago |
| Update your Windows Phone device to 7.5 if you haven't done already to continue to access the MarketPlace - http://t.co/SleqQWIR | 1 day 3 hours ago |
| Google Chrome Blog: Keeping tabs on your tabs - http://t.co/NYqLd81Q | 3 days 15 hours ago |
| HTC Desire C announced. Pre-order today - http://t.co/IWFNnc5n | 4 days 3 hours ago |
| LinkedIn for Windows Phone available - http://t.co/W0N0sIA8 | 5 days 10 hours ago |
| The Next Web - Mobile data roaming set to become cheaper in Europe as EU price cap rolls out - http://t.co/Akajz7U4 | 1 week 2 days ago |
| BrightPoint GB - The HTC Algarve Incentive is now closed, log in to see who the winners are! - http://t.co/qtDK4RvI | 1 week 2 days ago |
| Nokia Mail for Exchange available for Symbian Series 40 devices in Nokia Beta Labs - http://t.co/2Km2grnx | 1 week 2 days ago |
| BlackBerry Curve 9320 User Guide uploaded to the File Library - http://t.co/iDKiysiC Direct Link - https://t.co/ErUCIJ42 | 1 week 2 days ago |
| Google Mobile Blog: Shop and travel smarter with Google Maps 6.7 for Android - now with Google Offers (US only) - http://t.co/e4HUN1Oy | 1 week 2 days ago |
- 1 of 6
- ››
