Using a VPN with a Wi-Fi enabled device
If your organization’s environment includes VPNs, such as IPSec VPNs, you can configure a Wi-Fi® enabled BlackBerry® device to authenticate with the VPN so that it can access an enterprise Wi-Fi network. A VPN provides an encrypted tunnel between a device and your organization’s network. VPN is the only layer 3 security method that the device supports.
A VPN solution consists of a VPN client on the device and a VPN concentrator. The device can use the VPN client to authenticate with a VPN concentrator, which acts as the gateway to the enterprise Wi-Fi network. Each device includes a built-in VPN client that supports several VPN concentrators. The VPN client on the device is designed to use strong encryption to authenticate itself with the VPN concentrator. It creates an encrypted tunnel between the device and VPN concentrator that the device and enterprise Wi-Fi network can use to communicate.
After you configure a VPN, the device can use a layer 2 security method to connect to the enterprise Wi-Fi network, and use the VPN to provide authentication with the enterprise Wi-Fi network. In this scenario, you can configure the enterprise Wi-Fi network as an untrusted network, and specify that only a VPN concentrator can connect to the enterprise Wi-Fi network.
Unlike other supported security methods for enterprise Wi-Fi networks, a VPN does not use the wireless access point during data encryption.
For a list of supported VPN concentrators, visit www.blackberry.com/support to read article KB13354.
Permitting a Wi-Fi enabled device to log in to a VPN concentrator
To permit a Wi-Fi® enabled BlackBerry® device to log in to a VPN concentrator automatically after it connects to an enterprise Wi-Fi network, you or a user can configure a VPN profile that includes a user name and password for authentication with the VPN concentrator. Depending on your organization’s security policy, you or the user can save the user name and password for authentication with the VPN concentrator on the device. When you or the user saves the user name and password, the device does not prompt the user for the user name and password the first time or each time that the device connects to the enterprise Wi-Fi network.
The device is also compatible with VPN environments that use two-factor authentication using hardware tokens or software tokens for credentials. When the device tries to log in to the VPN, the device uses credentials that the token generates or that the user provides.
For more information about configuring VPN profiles, see the BlackBerry Enterprise Server Administration Guide.
Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN
When a Wi-Fi® enabled BlackBerry® device connects to an enterprise Wi-Fi network that uses a VPN, the device might permit the VPN concentrator to send data directly to a BlackBerry® Enterprise Server over your organization's network. The VPN concentrator sends data over port 4101. In this scenario, only the VPN concentrator connects to the enterprise Wi-Fi network.
To prevent your organization’s VPN concentrator from opening unnecessary connections to your organization’s network, you can configure a segmented network. In a segmented network, you use firewalls to divide the components of your organization’s network so that malware cannot spread freely between them.
For more information about reducing the spread of malware, see Protecting the BlackBerry device platform against malware.
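The segmentation described above reduces to a firewall policy in which the only connection the VPN concentrator may open into the corporate network is the port 4101 connection to the BlackBerry Enterprise Server. The following added example (not from the BlackBerry documentation) evaluates such a policy and flags allow rules that are wider than that; the addresses, segment names and rule list are constructed, and first-match evaluation with an implicit default deny is an assumed firewall semantic.

```python
"""Check a segmented-network firewall policy for the concentrator-to-BES path.

Added example, not from the BlackBerry documentation. Addresses, segment names and
the rule list are constructed; only port 4101 and the concentrator-to-BES flow come
from the page. First-match with implicit default deny is an assumed firewall semantic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"

def overly_broad(rules: List[Rule], vpn_segment: str, bes_port: int = 4101) -> List[Rule]:
    """Flag allow rules from the VPN segment whose destination port is not 4101.

    The page's goal is that the concentrator can only open the port 4101 connection
    to the BlackBerry Enterprise Server; a wider allow rule defeats the segmentation.
    """
    seg = ip_network(vpn_segment)
    return [r for r in rules
            if r.action == "allow"
            and ip_network(r.src).subnet_of(seg)
            and r.dport != bes_port]

# Constructed sample policy: concentrator 10.10.0.10 in segment 10.10.0.0/24,
# BlackBerry Enterprise Server at 10.20.0.5 in the corporate segment 10.20.0.0/16.
VPN_SEGMENT = "10.10.0.0/24"
POLICY = [
    Rule("allow", "10.10.0.10/32", "10.20.0.5/32", "tcp", 4101),  # concentrator -> BES
    Rule("allow", "10.10.0.0/24", "10.20.0.0/16", "tcp", None),   # too broad: any host, any port
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),          # explicit default deny
]
```

Removing the second rule from POLICY leaves the intended concentrator-to-BES flow allowed and everything else from the VPN segment denied.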
Supported UI settings for VPN concentrators
BlackBerry® 7 supports the configuration of the following UI settings for the VPN concentrators that BlackBerry smartphones connect to.
| UI setting | VPN-1 Power® | Cisco VPN 3000 Series Concentrator | Cisco PIX Firewall | Cisco IOS Easy VPN | VPN Firewall Brick® | NetScreen | Nortel Networks Contivity | Secure Computing® Sidewinder® | Symantec Raptor Firewall |
|---|---|---|---|---|---|---|---|---|---|
| Gateway Credential (PSK): Username (Group Name) | X | X | X | X | X | X | X | X | X |
| Gateway Credential (PSK): Password (Group Password) | X | X | X | X | X | X | X | X | X |
| XAuth Credential (PSK): Username | X | X | X | X | X | X | X | | |
| XAuth Credential (PSK): Password | X | X | X | X | X | X | X | | |
| XAuth Credential: Enable Extended Authentication | X | X | X | X | | | | | |
| Gateway Auth (PKI): Client Certificate | | X | X | | | X | X | | |
| Gateway Auth (PKI): CA Certificate | | X | X | | | X | X | | |
| DNS Config: Dynamically determine DNS | | X | X | X | X | | X | X | |
| External Network: Subnet IP address 1 | | | | | | | | | X |
| External Network: Subnet mask 1 | | | | | | | | | X |
| XAuth Credential: Extended Authentication | | | | | | | X | | |
| IKE: DH Group | X | X | X | X | X | X | X | X | X |
| IKE: Cipher | X | X | X | X | X | X | X | X | X |
| IKE: Hash | X | X | X | X | X | X | X | X | X |
| IPSec: Perfect Forward Secrecy | X | X | X | X | X | X | X | | X |
| IPSec: Crypto and Hash Suite | X | X | X | X | X | X | X | X | X |
| XAuth Credential: Soft Token | | | X | X | | | | | |
Supported configurations for the Cisco VPN 3000 Series Concentrator
The following table describes the configurations that BlackBerry® 7 supports for the Cisco® VPN 3000 Series Concentrator.
| Configuration setting | Configuration 1 | Configuration 2 | Configuration 3 | Configuration 4 |
|---|---|---|---|---|
| Gateway Credential (PSK): Username (Group Name) | X | X | | |
| Gateway Credential (PSK): Password (Group Password) | X | X | | |
| XAuth Credential (PSK): Username | X | X | | |
| XAuth Credential (PSK): Password | X | X | | |
| XAuth Credential: Enable Extended Authentication | X | X | | |
| Gateway Auth (PKI): Client Certificate | X | X | | |
| Gateway Auth (PKI): CA Certificate | X | X | | |
| DNS Config: Dynamically determine DNS | X | X | X | X |
| IKE: DH Group | Group 1 | Group 1, 2 | Group 5 | Group 1, 5 |
| IKE: Cipher | 3DES, AES128 | 3DES, AES128 | AES256 | 3DES, AES256 |
| IKE: Hash | HMAC MD5, HMAC SHA1 | HMAC MD5, HMAC SHA1 | HMAC SHA1 | HMAC MD5, HMAC SHA1 |
| IPSec: Crypto and Hash Suite | 3DES-MD5, AES128-SHA1 | 3DES-MD5, AES128-SHA1 | AES256-SHA1 | 3DES-MD5, AES256-SHA1 |
| NAT timeout | Default | Default | Default | Default |
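The supported-configuration tables in this section all share one shape: a set of IKE DH groups, ciphers, hashes and IPSec suites per numbered configuration. The following added example (not from the BlackBerry documentation) transcribes the Cisco VPN 3000 Series Concentrator table above into data and checks which configurations accept a given profile proposal; the same data layout applies to the other concentrator tables. The WEAK set is the editor's assumption about which listed algorithms a reviewer would no longer accept in a new profile, not a statement on the page.

```python
"""Match a device VPN profile against a concentrator's supported configurations.

Added example, not from the BlackBerry documentation. The data is transcribed from
this page's Cisco VPN 3000 Series Concentrator table; the WEAK set is the editor's
assumption about which listed algorithms a reviewer would no longer accept.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class IkeConfig:
    name: str
    dh_groups: Tuple[str, ...]
    ciphers: Tuple[str, ...]
    hashes: Tuple[str, ...]
    ipsec_suites: Tuple[str, ...]

# Transcribed from the Cisco VPN 3000 Series Concentrator table on this page.
CISCO_VPN_3000 = (
    IkeConfig("Configuration 1", ("Group 1",), ("3DES", "AES128"),
              ("HMAC MD5", "HMAC SHA1"), ("3DES-MD5", "AES128-SHA1")),
    IkeConfig("Configuration 2", ("Group 1", "Group 2"), ("3DES", "AES128"),
              ("HMAC MD5", "HMAC SHA1"), ("3DES-MD5", "AES128-SHA1")),
    IkeConfig("Configuration 3", ("Group 5",), ("AES256",),
              ("HMAC SHA1",), ("AES256-SHA1",)),
    IkeConfig("Configuration 4", ("Group 1", "Group 5"), ("3DES", "AES256"),
              ("HMAC MD5", "HMAC SHA1"), ("3DES-MD5", "AES256-SHA1")),
)

# Editor's assumption: algorithms from the tables that a new profile should avoid.
WEAK = {"Group 1", "Group 2", "DES", "3DES", "HMAC MD5", "3DES-MD5"}

def compatible(configs, dh: str, cipher: str, hash_: str, suite: str) -> List[str]:
    """Names of the configurations that accept this IKE/IPSec proposal."""
    return [c.name for c in configs
            if dh in c.dh_groups and cipher in c.ciphers
            and hash_ in c.hashes and suite in c.ipsec_suites]

def weak_choices(dh: str, cipher: str, hash_: str, suite: str) -> List[str]:
    """Parts of a proposal that fall in the WEAK set, for review findings."""
    return [x for x in (dh, cipher, hash_, suite) if x in WEAK]

def strong_only(configs) -> List[str]:
    """Configurations that offer no WEAK algorithm at all, so a misconfigured
    profile cannot negotiate down to one."""
    return [c.name for c in configs
            if WEAK.isdisjoint(c.dh_groups) and WEAK.isdisjoint(c.ciphers)
            and WEAK.isdisjoint(c.hashes) and WEAK.isdisjoint(c.ipsec_suites)]
```

For this table, only Configuration 3 offers no algorithm from the WEAK set; Configuration 4 accepts a strong proposal but also still negotiates 3DES and HMAC MD5.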
Supported configurations for the Cisco PIX Firewall
The following table describes the configurations that BlackBerry® 7 supports for the Cisco® PIX® Firewall.
| Configuration setting | Configuration 1 | Configuration 2 | Configuration 3 | Configuration 4 |
|---|---|---|---|---|
| Gateway Credential (PSK): Username (Group Name) | X | X | | |
| Gateway Credential (PSK): Password (Group Password) | X | X | | |
| XAuth Credential (PSK): Username | X | X | | |
| XAuth Credential (PSK): Password | X | X | | |
| XAuth Credential: Enable Extended Authentication | X | X | | |
| Gateway Auth (PKI): Client Certificate | X | X | | |
| Gateway Auth (PKI): CA Certificate | X | X | | |
| DNS Config: Dynamically determine DNS | X | X | X | X |
| IKE: DH Group | Group 1, 2, 5 | Group 1, 2, 5 | Group 5 | Group 5 |
| IKE: Cipher | DES, 3DES, AES128, AES192, AES256 | DES, 3DES, AES128, AES192, AES256 | AES256 | AES256 |
| IKE: Hash | HMAC MD5, HMAC SHA1 | HMAC MD5, HMAC SHA1 | HMAC SHA1 | HMAC SHA1 |
| IPSec: Perfect Forward Secrecy | | | | |
| IPSec: Crypto and Hash Suite | DES-SHA1, 3DES-MD5, 3DES-SHA1, AES128-MD5, AES128-SHA1, AES192-MD5, AES192-SHA1, AES256-MD5, AES256-SHA1 | DES-SHA1, 3DES-MD5, 3DES-SHA1, AES128-MD5, AES128-SHA1, AES192-MD5, AES192-SHA1, AES256-MD5, AES256-SHA1 | AES256-SHA1 | AES256-SHA1 |
| NAT timeout | Default | Default | Default | Default |
Supported configurations for the Cisco IOS Easy VPN
The following table describes the configurations that BlackBerry® 7 supports for the Cisco IOS® Easy VPN.
| Configuration setting | Configuration 1 | Configuration 2 |
|---|---|---|
| Gateway Credential (PSK): Username (Group Name) | X | X |
| Gateway Credential (PSK): Password (Group Password) | X | X |
| XAuth Credential (PSK): Username | X | |
| XAuth Credential (PSK): Password | X | |
| XAuth Credential: Enable Extended Authentication | X | |
| DNS Config: Dynamically determine DNS | X | X |
| IKE: DH Group | Group 1 | Group 1, 2, 5 |
| IKE: Cipher | 3DES | DES, 3DES, AES128, AES192, AES256 |
| IKE: Hash | HMAC MD5 | HMAC MD5, HMAC SHA1 |
| IPSec: Crypto and Hash Suite | 3DES-MD5 | DES-SHA1, 3DES-SHA1, AES128-SHA1, AES192-SHA1, AES256-MD5, AES256-SHA1 |
| NAT timeout | Default | Default |
Supported configurations for the Secure Computing Sidewinder
The following table describes the configurations that BlackBerry® 7 supports for the Secure Computing® Sidewinder®.
| Configuration setting | Configuration 1 |
|---|---|
| Gateway Credential (PSK): Username (Group Name) | X |
| Gateway Credential (PSK): Password (Group Password) | X |
| XAuth Credential (PSK): Username | X |
| XAuth Credential (PSK): Password | X |
| XAuth Credential: Enable Extended Authentication | X |
| DNS Config: Dynamically determine DNS | X |
| External Network: Subnet IP address 1 | X |
| External Network: Subnet mask 1 | X |
| IKE: DH Group | Group 1 |
| IKE: Cipher | 3DES |
| IKE: Hash | HMAC MD5 |
| IPSec: Crypto and Hash Suite | 3DES-MD5 |
| NAT timeout | Default |
Supported configurations for Nortel Networks Contivity
The following table describes the configurations that BlackBerry® 7 supports for Nortel Networks® Contivity®.
| Configuration setting | Configuration 1 | Configuration 2 |
|---|---|---|
| Gateway Credential (PSK): Username (Group Name) | X | X |
| Gateway Credential (PSK): Password (Group Password) | X | X |
| XAuth Credential (PSK): Username | X | |
| XAuth Credential (PSK): Password | X | |
| DNS Config: Dynamically determine DNS | X | X |
| XAuth Credential: Extended Authentication | X | |
| IKE: DH Group | Group 1 | Group 1 |
| IKE: Cipher | 3DES | 3DES |
| IKE: Hash | HMAC MD5 | HMAC MD5 |
| IPSec: Crypto and Hash Suite | 3DES-MD5 | 3DES-MD5 |
| NAT timeout | Default | Default |