
Blackberry Bold VPN to PIX

support
Level 1

Anyone have any idea how to set this up? It asks for my group name and password, which I have, but it also requests another set of credentials, and I'm not sure what they are at all.

sysopt connection permit-ipsec

crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set myset

crypto map transam 1 ipsec-isakmp

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp nat-traversal 20

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup rockvpn address-pool vpnpool1

vpngroup rockvpn dns-server 10.16.10.25

vpngroup rockvpn default-domain mydomain.com

vpngroup rockvpn split-tunnel 102

vpngroup rockvpn idle-time 1800

vpngroup rockvpn password ********


andrew.prince
Level 10

It's asking you for phase 1 authentication, then username and password. From your config - you have not configured local or external authentication.

I suggest you do this - a good source of config examples below:-

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

HTH>

Can you be a little more specific? There are about 50 articles in that link.

What I don't understand is that I only use the group authentication when connecting my notebook with Cisco VPN Client; I think you referred to it as phase 1 authentication. Shouldn't that be enough?

Ideally for strong authentication you should use group ID & password and username and password.

If you are only using group id, then you should check the config settings on the VPN client on the Blackberry - the issue is not on the VPN concentrator.

The Blackberry doesn't give you the option to turn one or the other off. See the attachment.

Disable "extended authentication" and re-test.

Requests credentials and gives error in background. See attachment.

Then not only do you have to configure a group ID and password, you will also have to configure a username and password for the VPN profile for the Blackberry VPN to work.

HTH>

Can you post a link directly to the article with exactly how to do that?

Sorry for the late reply, been busy... configure:

crypto map dyn-map client authentication LOCAL

username <> password <> privilege 1

And use the username and password for the extended auth requirements on the Blackberry.

HTH>

Still not working. Added the commands to the PIX and then set those credentials in the Blackberry, and it gives "Error - missing credentials", but the credentials are there.

Should I enable some sort of debug on the PIX? Which would it be?

Then I would say again, the issue is not with the PIX but the software on the Blackberry. I suggest you read the Blackberry documentation.

I finally managed to get the Blackberry to communicate with the PIX. After enabling some debugs I was able to gather some information but cannot decipher it. Please see the attached text for debugs and see if you can help me out. Thanks