Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Z10

Contributor
geocar
Posts: 13
Registered: ‎05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Sure. It's not that exciting:

conn x-common
    auto=add
    authby=psk
    left=%defaultroute
    leftfirewall=yes
    right=%any

conn x-ikev2
    also=x-common
    keyexchange=ikev2
    # Z10 VPN client doesn't work with split-tunnel
    #leftsubnet=10.2.150.0/24,10.10.0.0/16
    leftsubnet=0.0.0.0/0
    rightsourceip=10.0.3.0/24
    rightauth=eap-radius
    rightsendcert=never

Contributor
geocar
Posts: 13
Registered: ‎05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

The VPN status page shows exactly what you'd expect:

Profile Name: x
Network Interface: tiw_sta0
Status: Connected
Server Address: x
Private IPs: 10.0.3.4/0.0.0.0
Subnets: 10.2.150.0/24,10.10.0.0/16
Primary DNS: 8.8.8.8
Secondary DNS:
DNS Sufffix:
IKE Lifetime: 86400
IPSec Lifetime: 10800
Proxy Server:
Proxy Port:
Private Server Address: 10.0.3.4
Private Network Interface: ipsec0

Trusted Contributor
tickerguy
Posts: 202
Registered: ‎03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Have you run a packet trace on the other end (e.g. tcpdump or similar) and verified that the packets intended for the "remote end" are NOT coming through?

I'll play with this in the coming week and see what I come up with.

Market Information? Come read The Market Ticker!
Contributor
geocar
Posts: 13
Registered: ‎05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Yes: I've done tcpdump on the vpn endpoint and have verified the packets are not coming in.

At home I don't have a box on my router I can tcpdump from so I can't see them leaving.

Trusted Contributor
tickerguy
Posts: 202
Registered: ‎03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

I'll try to bang on this the next couple of days and see what I come up with.

Market Information? Come read The Market Ticker!
Contributor
geocar
Posts: 13
Registered: ‎05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Cool. Thanks!
Contributor
geocar
Posts: 13
Registered: ‎05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

Bump?

Trusted Contributor
tickerguy
Posts: 202
Registered: ‎03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

[ Edited ]

Edit: Did some more work on this.

Ok, this is what it looks like.

If you route anything down the tunnel anything else that does not match the tunneled routes gets black-holed. That is, the phone's implementation will not allow you to route 10.0.0.0/8 down the tunnel but everything else down the default, non-tunneled route.

Market Information? Come read The Market Ticker!
Contributor
geocar
Posts: 13
Registered: ‎05-19-2013
My Device: Z10
My Carrier: VodafoneUK

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

That doesn't sound very useful. Thanks for taking a look, though.

While you have a good testrig, could you check what happens if you try to make the VPN do IPv6-only?

If I could leave the IPv4 on the internet I could probably manage to proxy the IPv6 on my office network just by tunneling 4in6.

Trusted Contributor
tickerguy
Posts: 202
Registered: ‎03-17-2013
My Device: Z-10
My Carrier: T-Mobile

Re: BB Z-10 IKEv2 VPN w/PSK against StrongSwan - Anyone have it working?

[ Edited ]

I do not have an IPv6 setup running here at present; if I get some time to set it up I can do that, but as it stands right now my internal stuff is all still IPv4.

I suspect what's going on here is that the routing table for the VPN, when active, supersedes the base routing table instead of being merged with it. As a consequence if there is no default route offered in the VPN setup you're screwed. The bad news is that since the VPN table supersedes the underlying one there's no way to reasonably fix it either.

I can think of a few reasons why the phone would be programmed this way, with many of them having to do with carrier-required things to work as a phone (e.g. MMS messages which otherwise could not be sent or received when the VPN was active.)

Market Information? Come read The Market Ticker!
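
An added example, not part of the original posts and not BlackBerry or strongSwan code: a small model of the hypothesis in the post above, comparing a VPN route table that is merged with the base table against one that supersedes it. The subnets, interface names and the 8.8.8.8 DNS server come from the thread; the base default route, the test hosts and the merge/supersede model itself are assumptions.

```python
import ipaddress

# Constructed tables. The split-tunnel subnets, the ipsec0/tiw_sta0 interface
# names and the 8.8.8.8 DNS server are taken from the thread; the base default
# route via Wi-Fi is an assumption, as is the whole merge/supersede model.
BASE_ROUTES = [("0.0.0.0/0", "tiw_sta0")]
SPLIT_TUNNEL = [("10.2.150.0/24", "ipsec0"), ("10.10.0.0/16", "ipsec0")]
FULL_TUNNEL = [("0.0.0.0/0", "ipsec0")]


def lookup(table, dst):
    """Longest-prefix match: return the outgoing interface, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def effective_table(vpn_routes, mode):
    """'merge' adds VPN routes to the base table; 'supersede' replaces it."""
    if mode == "merge":
        return vpn_routes + BASE_ROUTES  # VPN entries win ties on prefix length
    if mode == "supersede":
        return list(vpn_routes)
    raise ValueError(f"unknown mode: {mode}")


def trace(vpn_routes, mode, destinations):
    """Map each destination to the interface the effective table selects."""
    table = effective_table(vpn_routes, mode)
    return {dst: lookup(table, dst) for dst in destinations}


if __name__ == "__main__":
    dests = ["10.10.4.20", "10.2.150.7", "8.8.8.8"]  # constructed hosts + DNS
    cases = [
        ("split tunnel, merged", SPLIT_TUNNEL, "merge"),
        ("split tunnel, superseded", SPLIT_TUNNEL, "supersede"),
        ("full tunnel, superseded", FULL_TUNNEL, "supersede"),
    ]
    for label, routes, mode in cases:
        print(label)
        for dst, iface in trace(routes, mode, dests).items():
            print(f"  {dst:<12} -> {iface or 'no route (black-holed)'}")
```

Under the supersede model, only the full-tunnel case (the `leftsubnet=0.0.0.0/0` setting in the posted strongSwan config) leaves 8.8.8.8 with a route.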