Just want to share the experience I had on getting Cisco VPN working via wap.cingular using Bluefire.
Bluefire can be found here:
http://www.bluefiresecurity.com
I also tried anthavpn:
http://www.anthavpn.com
Both have different GUIs but identical features.
When I first started, the biggest issue was the encrypted group password. Most corporations use an encrypted group password, which neither of these programs supports. After 2 days of looking around on Google, I found a group password decoder that works:
http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
You can also verify that this decoder works by copying your original .pcf file and editing the group password section (take out the encrypted one and put in the non-encrypted one), and then importing the edited .pcf file. Cisco's VPN client on PC should re-encrypt the password and it should be the same string as in your original .pcf file.
The next thing is to connect your VPN using the VPN client on the PC and look at the statistics section. It should show you the encryption and authentication methods. This is for the IPsec part of the VPN. Before a connection can be made (pop-up screen for user name and password), an IKE session has to complete. The IKE session can use totally different encryption and authentication methods from IPsec. However, most companies keep them the same.
There is also the term "Group" or "DHGroup" in VPN. For most companies, use Group 2 or DHGroup 2.
For Bluefire, most of these terms are hidden in a .xml file. You should configure the connection as much as you can, then export the connection. Edit the exported file to the encryption/authentication you want, and import the connection again. MAKE SURE YOU DELETE EXISTING CONNECTIONS BEFORE IMPORT! Sometimes Bluefire just makes a second connection with the same name and you end up having no idea which one is which.
Last but not least, neither software supports load balancing! If you connect to a big corporation with multiple VPN servers, there is more likely to be load balancing. On your PC, turn on logging on IKE and do a connection. If you have load balancing, you should see messages on load balancing that also show the IP address of the VPN server you are actually connecting to. This is the IP address you should use for your Mobile VPN SW.
I got the VPN connection working on two client sites: one is a huge networking company and the other is a high tech startup.
The next issue is how to keep VPN connection alive. Simply keeping your data connection alive on your phone does not keep the VPN alive. I am testing "GPRS Keep Alive 1.01" to ping a machine inside the firewall every 30 sec, to see if VPN can be kept alive for the whole day.
All my connections are made via wap.cingular. I have the $39.99 PDAPersonal plan and isp.cingular is not working. I do get assigned an IP address by the VPN server and I actually got SSH (putty) working.
Yes, doing this costs a lot of juice in the battery. I am also testing how many hours the battery would last.
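
An added example, not part of the original post: a Python check for the .pcf copies that the verification step above leaves behind, reporting whether a profile holds the group password in cleartext (`GroupPwd`) or encoded (`enc_GroupPwd`) and which `DHGroup` it sets. The sample profiles and all their values are constructed placeholders; the key names are the Cisco VPN client's profile keys, which the post does not spell out.

```python
import configparser

# Constructed sample profiles (not from the original post); all values are placeholders.
EDITED_COPY = """\
[main]
Host=vpn.example.com
GroupName=example-group
GroupPwd=PLACEHOLDER-CLEARTEXT
enc_GroupPwd=
DHGroup=2
"""
ORIGINAL = """\
[main]
Host=vpn.example.com
GroupName=example-group
GroupPwd=
!enc_GroupPwd=00PLACEHOLDER00
DHGroup=5
"""

# MODP sizes of the Diffie-Hellman groups the profile can select.
DH_BITS = {"1": 768, "2": 1024, "5": 1536}

def audit_pcf(text):
    """Summarise how one .pcf profile stores the group secret and which DH group it sets."""
    # interpolation=None: a '%' inside a value must not be expanded.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("main"):
        raise ValueError("no [main] section: not a .pcf profile")
    # configparser lower-cases keys; a leading '!' only marks a read-only field.
    main = {k.lstrip("!"): v.strip() for k, v in cp.items("main")}
    dh = main.get("dhgroup") or None
    return {
        "host": main.get("host"),
        "cleartext_secret": bool(main.get("grouppwd")),
        "obfuscated_secret": bool(main.get("enc_grouppwd")),
        "dh_group": dh,
        "dh_bits": DH_BITS.get(dh),
    }

if __name__ == "__main__":
    for name, text in (("edited copy", EDITED_COPY), ("original", ORIGINAL)):
        r = audit_pcf(text)
        if r["cleartext_secret"]:
            print(f"{name}: GroupPwd is stored in cleartext; delete this copy after the import")
        if r["obfuscated_secret"]:
            print(f"{name}: enc_GroupPwd is decodable, so handle the file as a secret")
        print(f"{name}: host={r['host']} DHGroup={r['dh_group']} ({r['dh_bits']}-bit MODP)")
```

Run it over every .pcf left on the PC after the import test; any profile reported with a cleartext `GroupPwd` is a leftover working copy.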
