The built in BlackBerry VPN client uses AES-128, SHA1, IKE DH Group 5 (for low CPU powered devices) and PFS. See pages 271-274 in http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf . What is not defined in this is are the IKE and IPSec SA Lifetimes, and the PFS group used. Currently Astaro's IPSec remote access GUI does not support IKE DH Group 5. However, Astaro (I think) uses StrongSwan for the underlying VPN functionality on ASG - which already supports IKE DH Group 5.

So this feature request is to
1. Enable the support of IKE DH Group 5 in the Astaro GUI for IPSec remote access.
2. Find the correct settings for IKE and IPSEC SA lifetimes - and add these to the GUI if needed.
3. Find the correct setting for the PFS group - and add these to the GUI if needed.
4. Finally, to create a Blackberry VPN tab to go alongside the iPhone VPN tab.

This feature would save customers having to buy a Cisco (or other competitive VPN box) to get their Blackberry handhelds VPN-connected. It would save customers having to pay large money for a Blackberry Enterprise Server. It would give both BlackBerry and iPhone VPN support. It would be a very nice selling point. Add in Android support - and we have a very compelling VPN story that plays into the explosion of handheld devices.

This feature is very consistent with Astaro's product development strategy - to be the UTM of choice because it provides businesses with a large breadth of sensible features that save them from purchasing more fully featured and expensive solutions - like the wireless is.

The reasons I can think of to do this
a) Blackberry is targeted at the business marketplace, and Astaro can only benefit from this.
b) Handhelds continue to grow in use and importance, and Astaro can only benefit from this.
c) Handheld security is almost a contradiction in terms, and Astaro is a security solution - and customers can only benefit from this.
d) I have customers who use Blackberries and one who needs this.

But perhaps the most important reason, it is a doddle to sell on the back of this feature, if we can make it work.

And there in lies the rub, as they say.

All the best, Adrien.

If one side of a VPN is another product, it might not accept an 'ANY Remote VPN ID' option, while the UTM doesn't have a fixed IP.
Thus, the other VPN gateway doesn't know the UTM IP, so it cannot use the IP as peer VPN ID. UTM cannot change its local VPN ID when we set up the Authentication type as Pre-Shared Key. The default local VPN ID is the external IP address and cannot be changed.

Please support changing the local VPN ID when the Authentication type is Pre-Shared Key, then we can use hostname or email address as VPN ID.

There should be more options under "Remote Access > SSL > Advanced > Authentication algorithm" than "MD5" and "SHA1" as the OpenVPN backend also supports SHA2 algorithms like SHA-224, SHA-256, SHA-384, SHA-512...and they appear to be there, just not available in WebAdmin?

loginuser@vpn:/home/login > /var/chroot-openvpn/sbin/openvpn --show-digests
You can specify a message digest as parameter to
the --auth option.
MD2 128 bit digest size
MD5 128 bit digest size
RSA-MD2 128 bit digest size
RSA-MD5 128 bit digest size
SHA 160 bit digest size
RSA-SHA 160 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
DSA-SHA 160 bit digest size
DSA-SHA1-old 160 bit digest size
DSA-SHA1 160 bit digest size
RSA-SHA1-2 160 bit digest size
DSA 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size
ecdsa-with-SHA1 160 bit digest size
RSA-SHA256 256 bit digest size
RSA-SHA384 384 bit digest size
RSA-SHA512 512 bit digest size
RSA-SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
SHA224 224 bit digest size