New Contributor
kitella
Posts: 5
Registered: ‎05-23-2013
My Device: Z10

VPN Issues

I just spent a week in the US behind hotel WIFI connections, using my IKEv2 VPN connection to my server in Canada, under the assumption that my VPN traffic was going over the WIFI, but I just found out that even though I was connected over WIFI at the hotel, the VPN connection forces the traffic over the cellular network. As a result, I think you can imagine what my phone bill is going to be and I am not happy about this one bit.

I did some testing, and tcpdumping from my firewall, and I can prove that when my VPN connection is established, it does not create the IKE tunnel over WIFI.  I also discovered that if I turn off my mobile network (BELL), and turn on WIFI, I can hit the internet just fine, but when I try to establish my VPN connection, it does not connect.  What is the purpose of associating a VPN profile to the WIFI connection if it doesn't do anything?  

Contributor
Supa_Fly
Posts: 18
Registered: ‎05-21-2013
My Device: BlackBerry Z10

Re: VPN Issues

Have you tested on another non-hotel public wifi connection to ensure this wasn't isolated to the hotel's network? Most hotels don't have their own wifi network but contract out for them (especially in the USA) and there are some ports that are restricted.

I'm just curious if you've tested on say your home WiFi connection, a Starbucks connection or elsewhere that is not public just to ensure this isn't an isolated event.
New Contributor
kitella
Posts: 5
Registered: ‎05-23-2013
My Device: Z10

Re: VPN Issues

Yes, I tested this on my home network today which is where I was able to TCPDUMP the network traffic on my BSD-based firewall. I can use the same network configuration on my Playbook and it does what it is supposed to do (I have the Playbook that has LTE as well), and I can remove the sim, and it still works. The same configuration on my Z10 will not make a VPN connection unless I have the sim in, and have carrier network turned on.

This forces me to pay foreign data costs. iOS and Android do not do that. I am running the latest version of BlackBerry 10. I have a big enough data plan in Canada that I didn't pay attention to this before, but this is a huge issue. I used a Generic IKEv2 configuration, and if there is anyone out there that is able to confirm that they can make it work on a Z10 without going over carrier network, I would be interested to hear about it. I also just noticed that I can look in my network settings, and WIFI shows connected, and I can see the usual WIFI indicator up where the normal LTE indicator is. When I turn on my VPN connection, that indicator goes back to LTE, the WIFI settings still show that I am connected to wireless, and when I TCPDUMP on my firewall, all traffic stops.

This in my opinion is a serious problem, and I hate to say it but I have a feeling that this wasn't an accident or a bug.
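
A way to check from the firewall side which path the IKE tunnel arrives on, as in the tcpdump test described in the post above. This is an added example, not part of the original thread; the LAN range 192.168.1.0/24, the gateway address 203.0.113.10 and the capture lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the thread: Wi-Fi clients sit in 192.168.1.0/24, the
# VPN gateway is 203.0.113.10, and the capture was taken with `tcpdump -n`.
WIFI_LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = "203.0.113.10"
IKE_PORTS = {500, 4500}  # IKE, and IKE/ESP inside UDP when NAT-T is in use

LINE_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

# Constructed sample: the phone is on Wi-Fi as 192.168.1.23, yet IKE arrives
# from 198.51.100.77 (a stand-in for a carrier-side address).
SAMPLE = """\
10:01:02.000001 IP 192.168.1.23.51514 > 192.0.2.80.443: Flags [S], seq 1, win 65535, length 0
10:01:05.000002 IP 198.51.100.77.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[I]
10:01:05.100000 IP 203.0.113.10.500 > 198.51.100.77.500: isakmp: parent_sa ikev2_init[R]
10:01:05.200000 IP 198.51.100.77.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
10:01:06.000000 IP 198.51.100.77.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a0b0c0d,seq=0x1), length 116
"""


def ike_peers(capture, gateway=GATEWAY):
    """Count inbound IKE/NAT-T packets to the gateway, per source address."""
    peers = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dst == gateway and dport in IKE_PORTS:
            peers[src] += 1
    return peers


def classify(peers, wifi_lan=WIFI_LAN):
    """Label each IKE peer by whether its source address is on the Wi-Fi LAN."""
    return {
        ip: ("wifi" if ipaddress.ip_address(ip) in wifi_lan else "other-path", n)
        for ip, n in peers.items()
    }


if __name__ == "__main__":
    for ip, (path, n) in classify(ike_peers(SAMPLE)).items():
        print(f"{ip:15} {path:10} {n} packets")
```

A peer labelled `other-path` while the handset shows a Wi-Fi association means the tunnel was negotiated over a different interface than the one the status bar suggests.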

Trusted Contributor
tickerguy
Posts: 202
Registered: ‎03-17-2013
My Device: Z-10

Re: VPN Issues

It works fine for me over WiFi and in fact in the Saved WiFi profiles you can default it to a given VPN profile and it will autoconnect. If I wish I can shut off the mobile network and the IPSEC/IKEv2 connection remains up and active.

I use this literally on a daily basis. If it's not working on your device the problem is likely on the server; I have absolutely no problem at all with IKEv2/IPSEC connections to my server from either WiFi or cell and in fact have the phone set to automatically "nail" all Internet access back through my VPN.

This DEFINITELY does work - it did on 10.0 and does on 10.1, which I am running now (1720 w/1721 radio)

(Attached screen shot showing mobile data turned off, WiFi on to my local LAN and IPSEC/IKEv2 up and running -- I'm using the Generic IKEv2 profile with a PSK and machine certificate to identify the gateway)

Market Information? Come read The Market Ticker!
New Contributor
kitella
Posts: 5
Registered: ‎05-23-2013
My Device: Z10

Re: VPN Issues

Again, I can run my VPN connection over cellular, and with my WIFI connection enabled as well, and I can gateway through my VPN server. The difference is that the VPN connection will only establish when I have carrier network enabled, and then it forces VPN traffic over my carrier, not over my WIFI.

I just confirmed that I can't do this on Bell, and I have a friend that I saw tonight who can't do this on Telus either. Just so that we are clear, you can pull the sim out and it will work over WIFI? Or you can turn off your mobile data (carrier), and run over WIFI and it will work?

New Contributor
kitella
Posts: 5
Registered: ‎05-23-2013
My Device: Z10

Re: VPN Issues

Sorry, I didn't see all of your message or the picture that you attached. Where are you located? Maybe this is related to carrier?

Trusted Contributor
tickerguy
Posts: 202
Registered: ‎03-17-2013
My Device: Z-10

Re: VPN Issues

Look at the screen shot. Mobile data is shut off entirely.

Works fine.

I'm in the US, on T-Mobile. Doesn't matter though as I run the same config when I'm in my office (like now), when I'm out and about at a public WiFi hotspot (e.g. Starbucks, Books-A-Million, the local mall, etc) and when traveling. It works on WiFi from all of those locations as well as over cellular and as noted in the screen shot above even with the mobile network turned off it functions properly over WiFi.

I also know it's working over IPSEC as I can view the packet counters on the server side and they're increasing while I'm using the phone with the Mobile Network shut off (never mind that I can see the traffic with TCPDUMP)

Contributor
Supa_Fly
Posts: 18
Registered: ‎05-21-2013
My Device: BlackBerry Z10

Re: VPN Issues

Hmm. Telus and Bell share the same wireless network across the country, I don't think that is the root cause though.

Is there a difference between behaviour of Microsoft® IKEv2 VPN Server vs Generic IKEv2 VPN Server configurations for VPN? If so, Tickerguy, what's your set vs Kitella's?

I cannot find anything specifically related for BB10 and VPN, but I found this related to BB10, VPN and Desktop
http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB33604&sliceId=2&cm...

"The BlackBerry 10 smartphone uses a local area network connection for communication. Some VPN clients will restrict local area network connections from being available once the VPN client has successfully logged in."

^ in that last sentence is this true when it comes to WLAN as well?
New Contributor
kitella
Posts: 5
Registered: ‎05-23-2013
My Device: Z10

Re: VPN Issues

I discovered something interesting. I was using EAP-MSCHAP-V2 for the client side authentication, but I just changed it to PSK on the client side and it works fine now without carrier network. I am not sure what is up with that, but that's all that I changed and now it works.

Thanks for the feedback everyone.

Trusted Contributor
tickerguy
Posts: 202
Registered: ‎03-17-2013
My Device: Z-10

Re: VPN Issues

Sounds like the server was failing to complete the authentication with it set that way. What software are you using on the server side? I use MSCHAP for my Windows 7 machines and by definition those are coming in over WiFi, but PSK for my BB10 devices.
