Welcome to the official BlackBerry Support Community Forums.
Trusted Contributor
tickerguy
Posts: 202
Registered: 03-17-2013
My Device: Z-10
My Carrier: T-Mobile

BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

I have the server set up to allegedly permit this, and I get authenticated, I get the parameters, I get the tunnel set up, and then the authentication reply that goes back to the phone is ignored.

 

The same thing happens on either a Wifi or cell connection (so the cell carrier is NOT "eating" the response) and I see no way to get the Z-10 to show me a logfile so I can tell what it's upset about.

 

Obviously it doesn't like something in the authentication response.

 

Does anyone have this working?

 

And is there a way to get the logs from the Z-10 so I know what it's unhappy about?  I don't see an option to turn it on nor anything in the file browser that resembles a logfile either.

 

Market Information? Come read The Market Ticker!
Trusted Contributor
tickerguy
Posts: 202
Registered: 03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Got it to come up!

 

Will be writing a cookbook on this once I get the rest ironed out (I have routing problems now but those are on the server end and should be fairly easy to fix.)

Market Information? Come read The Market Ticker!
Trusted Contributor
tickerguy
Posts: 202
Registered: 03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Well there's good news and bad news.

 

The good news is that I have a stable VPN link using StrongSwan against FreeBSD, using PSK (!) and dynamically allocating the tunnel.  In other words, I can (at least theoretically) authenticate against the Unix gateway machine's password file, which is a HUGE deal as it makes roaming access realistic.  I am, right now, using a fixed PSK for this as I haven't (yet) enabled the plug-ins that work against the Unix password file -- doing that will have to wait until I know the rest of the config works.

 

The bad news, and it is VERY bad news, is that what shows up on the FreeBSD gateway machine is the PUBLIC IP address of the Z-10's connection to the cellular network.  That is, if you're on "1.2.3.4" with your cell provider that is what shows up on the gateway machine as the source of the packets, and not the tunnel address that was assigned.  What's worse is that I can't get that packet flow to go through NAT no matter what I do -- at least thus far.  If I could get it to go through NAT I could solve 70% of the problem but so far no dice.

 

This really sucks because it means that (1) while the Z-10 can access everything on the gateway it cannot necessarily see anything on the local network beyond the gateway itself (it may be able to in some instances, IF the other machine doesn't mind the screwball address AND points default back at the gateway) and (2) it cannot use the VPN to get back out to the Internet at large.

 

What I want/need is to have the packets emitted into the local network "appear" to come from the internal network of the gateway machine.  Thus far the magic incantation to do that has eluded me.

 

Needless to say this makes it worthless in its present incantation for any sort of "real" use.

 

I am continuing work on this effort but the FreeBSD mailing lists along with the StrongSwan ones appear to find this a "novel" problem and nobody has a good suggestion.  This wouldn't bite two LANs connecting over IPSEC/IKEv2 because both would have unique and known IP addresses for their "source" and a simple static route pointer will work for that, never mind that they each would typically have a public Internet access method that is "private" for their use (but not shared.)  This is what StrongSwan's examples consider a "Road Warrior" connection -- uh, no.  A road warrior has no clue what their IP number will be but must present a COHERENT address to the gateway machine -- an address that MAY also have OTHER things on it that cannot be disrupted!  In other words it has to be private and the gateway has to NAT the address or you either break full connectivity to the remote device, its gateway, or both.

 

It does not work as it stands for a connecting mobile device because (1) there is no gateway in that instance, (2) the address being presented is public, and (3) if that address winds up out in the wild as a source address the target of the packet is going to reply back to the public address directly instead of coming back into the gateway and ultimately back down the encrypted tunnel, and thus won't work at all.

 

This is distinct from PPTP/L2TP which translates the packets as an "endpoint" and appears on the other end as if it is a local machine, obviating this problem.  But the Z-10 doesn't support PPTP/L2TP.

 

This may be a configuration problem on my end, but I'm beginning to think not -- and if so that sucks as it may be a StrongSwan limitation.

Market Information? Come read The Market Ticker!
Trusted Contributor
tickerguy
Posts: 202
Registered: 03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Son of a *****, I got it.

 

Ok folks, cookbook is coming as soon as I can condense all this.  I got it figured out; road-warrior IPSEC/IKEv2 GENERIC, no special **bleep**, is now working.

 

I can access EVERYTHING on my local network along with anything on the Internet through the VPN connection without having to use BES and without anything beyond an ordinary Unix machine as a gateway.

 

It's FAST too.

 

Market Information? Come read The Market Ticker!
JSanders
Posts: 82,910
Likes: 22,684
Solutions: 5,841
Registered: 04-01-2008
My Device: Z30 • Z10 • Torch9850 • Playbook
My Carrier: Verizon

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

So, what's cooking?

Trusted Contributor
tickerguy
Posts: 202
Registered: 03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

It works against StrongSwan on the IKEv2 Generic profile, in short.

 

Set the profile up thus in ipsec.conf (parameters must be indented under their conn section, or the file will not parse):

# defaults inherited by every conn below
conn %default
        keyingtries=1
        keyexchange=ikev2

# road-warrior connection for the Z-10 (IKEv2 Generic profile)
conn remote
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.2.0/24
        rightid=your@email.address
        leftauth=psk
        rightauth=psk
        auto=add
 

The "rightsourceip" is a pool of your choice not otherwise in use.  Your gateway must also implement NAT to translate that outbound to the Internet as a whole and has to honor it for local services (you need to set the DNS server in strongswan.conf, for example, and make sure your server will honor and resolve requests from the tunnel.)  The rightid should be your email address which is the PSK key.  For the gateway authenticator use the IPv4 address -- NOT the email address -- and make sure you have a matching entry in the "ipsec.secrets" file (%any can be used for a wildcard match) for the gateway authentication.

 

leftsubnet tells the remote client to set the default route to point to the tunnel, so ALL packets come to the VPN server.  The address assigned from the "%any" key on "right" will be from the pool in "rightsourceip", managed by StrongSwan internally.

 

Then create the file ipsec.secrets with the appropriate PSK and key to match the client's email address.

 

This will authenticate and work, setting the default route on the phone to point to the other end of the tunnel.  Any number of connections from any number of phones will work at once, provided each can authenticate (e.g. each has a valid password and email tuple in the ipsec.secrets file) and you don't run out of the IP pool you declared.  You can use certificates if you wish (they're even more secure) but they're not required and for many people they're considered a serious pain in the neck (especially setting up the local CA, which is required if you're going to use certificate-based authentication and don't want to buy a certificate from a public CA.)

 

This is FAST too -- VERY fast.  Browsing is faster over VPN than it is over a bare cell connection as this bypasses all the carrier BS games with deep-packet inspection and their "transparent" proxies.

 

Market Information? Come read The Market Ticker!
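A small lint for the recipe in this post, added here as an example and not code from the thread or from strongSwan: it parses an ipsec.conf of the shape above (honouring conn %default inheritance), checks that the conn forces the whole-phone tunnel, that the rightsourceip pool does not collide with the gateway's LAN, and that ipsec.secrets carries a PSK entry for the rightid. The two sample files and the LAN prefix are constructed for the example; the secrets are placeholders.

```python
import ipaddress

# Constructed sample files mirroring the thread's recipe (placeholder secrets).
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
conn remote
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=192.168.2.0/24
    rightid=your@email.address
    leftauth=psk
    rightauth=psk
    auto=add
"""
SAMPLE_SECRETS = """\
your@email.address : PSK "client-secret-placeholder"
%any : PSK "gateway-secret-placeholder"
"""

def parse_conf(text):
    """Return {conn: {key: value}}, with conn %default settings inherited."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif line[:1].isspace() and cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **c} for name, c in conns.items()}

def psk_ids(secrets):
    """Identity selectors that have a PSK line in ipsec.secrets."""
    return {sel for line in secrets.splitlines() if ": PSK " in line
            for sel in line.split(":", 1)[0].split()}

def lint(conn, secrets, lan_net):
    """Findings for one road-warrior conn; an empty list matches the recipe."""
    out = []
    if conn.get("leftsubnet") != "0.0.0.0/0":
        out.append("leftsubnet is not 0.0.0.0/0: phone will not default-route into the tunnel")
    pool = conn.get("rightsourceip")
    if not pool:
        out.append("rightsourceip missing: clients would show up with their public IP")
    elif ipaddress.ip_network(pool, strict=False).overlaps(ipaddress.ip_network(lan_net)):
        out.append(f"rightsourceip {pool} overlaps the LAN {lan_net}")
    ids = psk_ids(secrets)
    if conn.get("rightid") not in ids:
        out.append("ipsec.secrets has no PSK for rightid")
    return out
```

Run lint(parse_conf(open("/usr/local/etc/ipsec.conf").read())["remote"], open("/usr/local/etc/ipsec.secrets").read(), "<your LAN prefix>") on a real gateway to get the list of findings.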
Contributor
geocar
Posts: 13
Registered: 05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Did you find any way to make it work without sending all traffic over the VPN?

 

When I'm at home and using my home wifi, I'd like to be able to use Blackberry Link and the DLNA server with my PS3.

Trusted Contributor
tickerguy
Posts: 202
Registered: 03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Not on autoconnect, but that's ok provided you configure the local network correctly.

 

I have it working; a "cookbook" post is here: http://market-ticker.org/akcs-www?post=220395

Market Information? Come read The Market Ticker!
Contributor
geocar
Posts: 13
Registered: 05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Err, that's not exactly what I meant; you've got leftsubnet=0/0, which is what I'm trying to avoid.

 

My Z10 "gets" the subnets I list, but the IP traffic just doesn't go down for some reason. I've created another post that may cover this better.

 

 

Btw: I found your cookbook using google and found it useful in building my configuration. Thanks for that.

 

 

Trusted Contributor
tickerguy
Posts: 202
Registered: 03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

I'll take a look at the other thread; can you post your StrongSwan config and the VPN status page from the Z-10 when it's up in there?

Market Information? Come read The Market Ticker!