1. Phil_M_Casey's Avatar
    I'm working on setting up my Blackberry Playbook to access the network over our IPsec VPN however so far I have had no luck.

    I'm also posting this on the Blackberry playbook support forum.
    As well as the Cisco Small Business Support Forum

    Thanks for any help you may give me.





    Settings on BlackBerry Playbook

    Server Address: My IP Address
    Authentication type: XAuth-PSK
    Group Username: remote.com
    Group Password: (Password)
    Username: PCaseyIPsec
    Password: (MyPassword)

    Checked Automatically Determine IP
    Checked Dynamically Determine DNS
    Checked Perfect Forward Secrecy
    Checked Manual Algorithm Selection (also tried Unchecked on Auto)

    IKE DH Group: 2
    IKE Cipher: 3DES
    IKE Hash: SHA1
    IKE PRF: HMAC
    IPsec DH Group: 2
    IPsec Cipher: 3DES
    IPsec Hash: SHA1

    IKE Lifetime (seconds): 28800
    IPsec Lifetime (seconds): 3600
    NAT Keepalive (seconds): 300
    DPD Frequency (seconds): 240

    Checked Disable Banner (also tried unchecked)
    unchecked Use HTTP Proxy





    Settings On RV220W

    IKE Policies Table

    Name: Sundown6
    Mode: Aggressive
    Local IP: local.com
    Remote IP: remote.com
    Encryption: 3DES
    Authentication: SHA-1
    DH: Group 2 (1024 bit)

    VPN Policies Table

    Status: Enabled
    Name: Sundown6*
    Type: Auto Policy
    Local: 192.168.0.0 / 255.255.255.0
    Remote: Any
    Authentication: SHA-1
    Encryption: 3DES






    Logs

    2011-05-07 01:39:14: [rv220w][IKE] INFO: Remote configuration for identifier "remote.com" found
    2011-05-07 01:39:14: [rv220w][IKE] INFO: Received request for new phase 1 negotiation: 76.21.2.248[500]<=>192.168.0.158[500]
    2011-05-07 01:39:14: [rv220w][IKE] INFO: Beginning Aggressive mode.
    2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
    2011-05-07 01:39:14: [rv220w][IKE] INFO: Received Vendor ID: DPD
    2011-05-07 01:39:14: [rv220w][IKE] INFO: For 192.168.0.158[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    2011-05-07 01:39:15: [rv220w][IKE] INFO: NAT-D payload matches for 76.21.2.248[500]
    2011-05-07 01:39:15: [rv220w][IKE] INFO: NAT-D payload matches for 192.168.0.158[500]
    2011-05-07 01:39:15: [rv220w][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.158[500] because it is only accepted after phase1.
    2011-05-07 01:39:15: [rv220w][IKE] INFO: NAT not detected
    2011-05-07 01:39:15: [rv220w][IKE] INFO: Sending Xauth request to 192.168.0.158[500]
    2011-05-07 01:39:15: [rv220w][IKE] INFO: ISAKMP-SA established for 76.21.2.248[500]-192.168.0.158[500] with spi:5127c3cf75f1f5d9:f65ff6a9995200c1
    2011-05-07 01:39:15: [rv220w][IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from 192.168.0.158[500]
    2011-05-07 01:39:15: [rv220w][IKE] INFO: Login succeeded for user "PCaseyIPsec"
    2011-05-07 01:39:15: [rv220w][IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.0.158[500]
    2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
    2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
    2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
    05-07-11 05:11 AM
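Added example, not part of the original post: a small Python triage of the router log above that reports how far the negotiation got and which errors followed. It matches only message texts that appear in the posted log; the stage names are this example's own labels.

```python
import re
from collections import Counter

# Lines copied from the log in the post above (a subset, in order).
SAMPLE_LOG = """\
2011-05-07 01:39:14: [rv220w][IKE] INFO: Beginning Aggressive mode.
2011-05-07 01:39:15: [rv220w][IKE] INFO: Sending Xauth request to 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO: ISAKMP-SA established for 76.21.2.248[500]-192.168.0.158[500] with spi:5127c3cf75f1f5d9:f65ff6a9995200c1
2011-05-07 01:39:15: [rv220w][IKE] INFO: Login succeeded for user "PCaseyIPsec"
2011-05-07 01:39:15: [rv220w][IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR: Local configuration for 192.168.0.158[500] does not have mode config
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"\[(?P<host>[^\]]+)\]\[IKE\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Ordered stage markers; the labels on the left are hypothetical names for this example.
STAGES = [
    ("phase1_started", re.compile(r"Beginning Aggressive mode")),
    ("phase1_established", re.compile(r"ISAKMP-SA established")),
    ("xauth_ok", re.compile(r"Login succeeded for user")),
    ("mode_config_requested", re.compile(r'"ISAKMP_CFG_REQUEST"')),
]

def triage(log_text):
    """Return the stages seen, the furthest one, and a count of each ERROR message."""
    reached, errors = [], Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a line in another format
        msg = m.group("msg")
        if m.group("level") == "ERROR":
            errors[msg] += 1
            continue
        for name, pattern in STAGES:
            if pattern.search(msg) and name not in reached:
                reached.append(name)
    order = [name for name, _ in STAGES]
    last = max(reached, key=order.index) if reached else None
    return {"reached": reached, "last_stage": last, "errors": dict(errors)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this shows phase 1 and the Xauth login completing, with the repeated error arriving only after the client's configuration request.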
  2. Phil_M_Casey's Avatar
    Bump to hopefully get some help from someone
    05-09-11 10:27 AM
  3. Boots4283's Avatar
    Cisco router model?
    05-09-11 10:45 AM
  4. Phil_M_Casey's Avatar
    The RV220W Small business router.
    05-09-11 10:58 AM
  5. Poncherelly's Avatar
    I'm having the same issue. I can't connect via IPSec but have no issues connecting to another clients' Cisco VPN. If anyone could help or make suggestions, it would be great.
    05-19-11 12:54 PM
  6. Phil_M_Casey's Avatar
    OK, I think I need to update everyone and type up my settings. I've tested this at my wife's school and a local coffee house and it worked. However, I have not been able to get it working at my building's free WiFi.
    So this may not help everyone.

    First the RV220W settings

    Add / Edit IKE Policy Configuration
    Policy Name: AnythingYouLike
    Direction / Type: Responder
    Exchange Mode: Aggressive
    Local
    Identifier Type: FQDN
    Identifier: local.com
    Remote
    Identifier Type: FQDN
    Identifier: remote.com
    IKE SA Parameters
    Encryption Algorithm: 3DES
    Authentication Algorithm: SHA-1
    Authentication Method: Pre-Shared Key
    Pre-Shared Key: YourPassword
    Diffie-Hellman (DH) Group: Group2(1024 bit)
    SA-Lifetime: 28800 Seconds
    Dead Peer Detection: Enable NotChecked
    Detection Period: (Range: 10 - 999) NA
    Reconnect after Failure Count: (Range: 3 - 99) NA
    Extended Authentication
    XAUTH Type: None
    Authentication Type: NA
    Username: NA
    Password: NA

    Add / Edit VPN Policy Configuration
    Policy Name: AnythingYouLike
    Policy Type: Auto Policy
    Remote Endpoint: FQDN
    Remote.com
    NETBIOS: Enable Not Checked
    Local Traffic Selection
    Local IP: Subnet
    Start Address: 192.168.44.0 (local ip range with 0 at end)
    End Address: NA
    Subnet Mask: 255.255.255.0
    Remote Traffic Selection
    Remote IP: Any
    Start Address: NA
    End Address: NA
    Subnet Mask: NA
    Split DNS
    Split DNS: Enable NA
    Domain Name Server 1: NA
    Domain Name Server 2: (Optional) NA
    Domain Name 1: NA
    Domain Name 2: (Optional) NA
    Manual Policy Parameters
    SPI-Incoming: NA
    SPI-Outgoing: NA
    Encryption Algorithm: NA
    Key-In: NA
    Key-Out: NA
    Integrity Algorithm: NA
    Key-In: NA
    Key-Out: NA
    Auto Policy Parameters
    SA-Lifetime: 3600 Seconds
    Encryption Algorithm: 3DES
    Integrity Algorithm: SHA-1
    PFS Key Group: Enable Checked
    DH-Group 2(1024 bit)
    Select IKE Policy: Select IKE Name From Above



    Blackberry Playbook Settings

    ProfileName AnyNameYouLike
    Server Address: IPAddress (can check with whatismyip.com on same network as router)
    Gateway Type Juniper VPN Series
    Authentication type: PSK
    Group Username: remote.com
    Group Password: YourPassword (From Pre-Shared Key: in Ike settings above)
    Private IP 192.168.44.45 (pick ip from your local network)
    Private IP Mask 255.255.255.0 (subnet mask of above ip)
    Subnet 192.168.44.0 (same as Start Address: in Ipsec settings above)
    Subnet Mask 255.255.255.0 (subnet mask of subnet IP address)
    Checked Dynamically Determine DNS
    Checked Perfect Forward Secrecy
    Checked Manual Algorithm Selection (also tried Unchecked on Auto)
    IKE DH Group: 2
    IKE Cipher: 3DES
    IKE Hash: SHA1
    IKE PRF: HMAC
    IPsec DH Group: 2
    IPsec Cipher: 3DES
    IPsec Hash: SHA1
    IKE Lifetime (seconds): 28800
    IPsec Lifetime (seconds): 3600
    NAT Keepalive (seconds): 300
    DPD Frequency (seconds): 999

    unchecked Use HTTP Proxy


    There you have it, enjoy. Play around with the settings and let me know if you find anything that works better.

    Thanks,
    Phil
    05-19-11 02:07 PM
  7. iboles's Avatar
    Can it support PPTP or SSTP VPNs?
    06-13-11 12:53 PM
  8. binaryrogue's Avatar
    I had no luck as well getting the IPSec to work with my SonicWALL firewall or a Microsoft VPN server. With the SonicWALL it never passes phase 2 of IKE. With Microsoft, it can't even get to phase 1.

    Is anyone able to get VPN to work with either of these two devices?
    06-13-11 01:16 PM
  9. stacehamilton's Avatar
    I would love to get it working with Sonicwall but have never had any luck and have no idea which pre-defined profile I would even choose on the PB. Called Sonicwall and they were no help. Being able to VPN into our office firewall opens up a world of possibilities.
    06-13-11 01:43 PM
  10. dmonty's Avatar
    As of tonight we were able to get IPSec working via the Playbook. What sucks is that it doesn't seem to support split tunneling. :-(

    I use the same settings on the Cisco VPN client and split tunneling works there.

    David
    06-26-11 01:43 AM
  11. steve911's Avatar
    I hope they add more support for connecting to various VPNs with QNX 2.0. I too would like to get my PlayBook to work with our Watchguard Firebox router.
    McIrish likes this.
    09-20-11 10:14 PM
  12. lnichols's Avatar
    Yeah, the VPN in the Playbook isn't great. Hoping 2.0 fixes this. If they add BES-X support then I may stand up to try. I've been unsuccessful trying to connect to a Contivity VPN, and an Avaya Secure Router. I haven't pushed it too hard though.
    09-21-11 10:19 AM
  13. McIrish's Avatar
    I too have a Watchguard firewall and can't get VPN going. That's a major downfall. Heck, at this point, I'll stick any "known working" router on an external port to try and get VPN working. Any suggestions?
    10-04-11 03:23 PM
  14. areid_van's Avatar
    I got a VPN working between my Playbook and a Cisco ASA 5505 without much trouble. Pretty much just set up a default IPSec split tunnel configuration according to the Cisco docs. The Playbook does pick up the DHCP and DNS config from the tunnel nicely, but doesn't seem to pick up the split tunnel routing, like noted in a previous post. It routes all traffic through the tunnel, which prevents accessing the public internet while connected to VPN. Not a huge problem since I can just disconnect the VPN when I need to, but it would be better if you could keep it connected and access the internet at the same time. Anyone figured out how to do a split tunnel, or is this just a limitation of the current software?
    11-21-11 11:36 PM
  15. meierjn's Avatar
    Hmmm, I haven't tried to get my PB working through our VPNs yet. It's good to know it will work with the Cisco ASA FWs. We have a VPN on a 5520 and 5510 set up for various levels of access. Is split tunnelling enabled for your VPN? We have it disabled on both of ours. When connected to the VPN we want to force the device to use the corporate internet if required so that all traffic is routed out through our other security devices. For some users we don't allow Internet access while connected.
    11-23-11 07:54 AM
  16. screamlordbyron's Avatar
    I too was finally able to get IPSec working with my Cisco Router. I'm likewise unable to get split tunneling working, so if anyone figures out how, that would be killer.

    My question is: how the heck do you browse network shares once the VPN is connected?
    11-23-11 12:40 PM
  17. screamlordbyron's Avatar
    Has anyone figured out how / whether split tunneling is possible in OS2?
    03-15-12 12:14 AM
  18. FreeJACLive's Avatar
    Thanks for posting the settings, I will have to try them. I've been struggling getting it to just connect.
    03-15-12 12:53 AM
  19. rdleeuw's Avatar
    For me this is the coolest feature I've ever seen. happy happy happy

    Works like a charm to connect to a Cisco IOS router configured for the old-fashioned Cisco VPN Client and also to an ASA with RSA token authentication
    03-22-12 11:40 AM
  20. jewung's Avatar
    I have been trying to set up IPSEC VPN on Q10 to my Cisco RV180 VPN router and this particular lead is very useful and I would like to thank Phil_M_Casey for this. I would like to share further information regarding VPN configuration in OS10 for the RV180 (and perhaps other RV-series e.g. RV220W).

    On the RV180 :
    1. Based on my observation, RV180 does not push routing info to the client. So one has to configure a specific subnet to allow access by the VPN clients. So under the Local Traffic Selection in the VPN Policy setting :
    Local IP : Subnet
    Start Address : <this would be your subnet ID of the network to allow access> (for example : 192.168.44.0)
    Subnet Mask : <this would be the subnet mask of the network to allow access> (for example : 255.255.255.0)

    2. For the Remote Traffic Selection : if the BB device has dynamic IP address, set Remote Traffic Selection to "Any".

    3. The Authentication, Encryption, DH settings don't matter as long as :
    - the settings are supported by BB VPN client; and
    - the settings in RV180 match the settings in VPN profile in BB.

    4. Dead Peer Detection (DPD) should be enabled as there is no option to disable DPD in BB VPN settings. The DPD settings must match in both the RV180 and BB device.

    On the BB VPN Profile setup :
    1. Use "Juniper IPSec VPN (Netscreen Series)" as the Gateway Type.
    2. XAUTH-PSK authentication type does not work (it will timeout and RV180 will log "Local config for x.x.x.x[500] does not have mode config"). So use PSK instead.
    3. Fill in the Authentication ID with the value specified in the "Remote Identifier" field in the RV180 IKE Policy config.
    4. Pre-shared Key --- this is the Pre-Shared Key value in the RV180 IKE Policy setting.
    5. "Automatically determine IP" --> OFF. Somehow, the RV180 does not push private IP and routing info to client, so one has to define it manually.
    6. For the Private IP and Mask, fill in an IP address and Mask for the VPN client (preferably on different subnet as the server's subnet). For example, Private IP = 10.8.8.4 and Private IP Mask = 255.255.255.0
    7. For the Subnet field, use the value of the "Start Address" in the Local Traffic Selection config in RV180.
    8. For the Subnet Mask field, use the value of "Subnet Mask" in the Local Traffic Selection config in RV180.
    9. "Automatically determine DNS" --> OFF (if no hostname lookup requirement).
    10. "Automatically determine algorithm" --> OFF. Make sure all the IKE, IPSec, NAT, DPD settings match those in the RV180.
    11. "Use Proxy" --> OFF.

    Also note that BB VPN will tunnel ALL traffic (including internet traffic). Furthermore, RV180 also does not seem to support split tunneling. Hence, once VPN connection is established, one can only connect to the subnet specified in the profile. All internet connections will not work. I read in some other posts that having a proxy server behind the VPN router would enable internet traffic work but I have not tried it.

    Lastly, if your RV180 sits behind another gateway router, make sure to enable port forwarding in the gateway router for ports 500(udp) and 4500(udp) to the RV180.

    I hope the above information is useful to whoever is trying to establish VPN connectivity to Cisco RV180 routers on BB OS10 devices.
    02-02-14 10:14 AM
  21. Dr Rose's Avatar
    Here are some common issues that might be useful to consider:
    Does it have the option for preshared key? If so, you should add exactly the same code to match the one that is located on the BlackBerry.
    Did you select Xauth on the RV220W under phase one of the tunnel to use the username and password you created? They should match the BlackBerry.
    Sometimes you can have compatibility issues when connecting certain devices together. Just make sure that you have all the fields match up, because when connecting IPSEC it is very important that you have the same things on both sides of the IPSEC connection. This is not all the time a problem.
    02-04-14 03:41 AM
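Added example, not part of any post in this thread: a Python check of the "both sides must match" rules from posts 20 and 21, comparing a router-side and a client-side settings record. The dictionary key names, the `mode_config` flag and the sample values are assumptions made for this example.

```python
import ipaddress
import re

def norm(value):
    """Fold 'SHA-1'/'SHA1' and 'Group 2 (1024 bit)'/'2' to one spelling."""
    v = str(value).strip().lower()
    m = re.match(r"(?:dh-)?group\s*(\d+)", v)
    return m.group(1) if m else v.replace("-", "").replace(" ", "")

# (router field, client field) pairs that must agree; key names are this example's own.
PAIRS = [("ike_enc", "ike_cipher"), ("ike_auth", "ike_hash"), ("ike_dh", "ike_dh"),
         ("ike_life", "ike_life"), ("esp_enc", "ipsec_cipher"), ("esp_auth", "ipsec_hash"),
         ("pfs_dh", "ipsec_dh"), ("esp_life", "ipsec_life")]

def check(router, client):
    """Return findings as strings; an empty list means both sides agree."""
    out = [f"{r}={router[r]!r} vs {c}={client[c]!r}"
           for r, c in PAIRS if norm(router[r]) != norm(client[c])]
    if router["remote_id"].strip().lower() != client["group_user"].strip().lower():
        out.append("Group Username differs from the router's Remote Identifier")
    if router["psk"] != client["group_pass"]:  # exact compare, never echo the secret
        out.append("Group Password differs from the Pre-Shared Key")
    # Client Subnet/Subnet Mask must equal the router's Local Traffic Selection.
    r_net = ipaddress.ip_network(f"{router['local_start']}/{router['local_mask']}")
    c_net = ipaddress.ip_network(f"{client['subnet']}/{client['subnet_mask']}")
    if r_net != c_net:
        out.append(f"router selector {r_net} vs client subnet {c_net}")
    if client["auth_type"].upper() == "XAUTH-PSK" and not router["mode_config"]:
        out.append("XAUTH-PSK client against a router without mode config")
    if not router["dpd_enabled"]:
        out.append("DPD is off on the router but always on in the client")
    elif router["dpd_period"] != client["dpd_freq"]:
        out.append("DPD period differs")
    return out

# Constructed sample values, loosely following the settings posted in this thread.
ROUTER = dict(ike_enc="3DES", ike_auth="SHA-1", ike_dh="Group 2 (1024 bit)", ike_life=28800,
              esp_enc="3DES", esp_auth="SHA-1", pfs_dh="DH-Group 2(1024 bit)", esp_life=3600,
              remote_id="remote.com", psk="example-psk", local_start="192.168.44.0",
              local_mask="255.255.255.0", mode_config=False, dpd_enabled=True, dpd_period=240)
CLIENT = dict(ike_cipher="3DES", ike_hash="SHA1", ike_dh=2, ike_life=28800,
              ipsec_cipher="3DES", ipsec_hash="SHA1", ipsec_dh=2, ipsec_life=3600,
              group_user="remote.com", group_pass="example-psk", subnet="192.168.0.0",
              subnet_mask="255.255.255.0", auth_type="XAUTH-PSK", dpd_freq=240)

if __name__ == "__main__":
    for finding in check(ROUTER, CLIENT):
        print(finding)
```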