04-19-2013 12:11 PM - edited 04-19-2013 02:31 PM
I have the server set up to allegedly permit this, and I get authenticated, I get the parameters, I get the tunnel set up, and then then authentication reply that goes back to the phone is ignored.
The same thing happens on either a Wifi or cell connection (so the cell carrier is NOT "eating" the response) and I see no way to get the Z-10 to show me a logfile so I can tell what it's upset about.
Obviously it doesn't like something in the authentication response.
Does anyone have this working?
And is there a way to get the logs from the Z-10 so I know what it's unhappy about? I don't see an option to turn it on nor anything in the file browser that resembles a logfile either.
04-19-2013 02:40 PM
Got it to come up!
Will be writing a cookbook on this once I get the rest ironed out (I have routing problems now but those are on the server end and should be fairly easy to fix.)
04-21-2013 01:50 PM
Well there's good news and bad news.
The good news is that I have a stable VPN link using StrongSwan against FreeBSD, using PSK (!) and dynamically allocating the tunnel. In other words, I can (at least theoretically) authenticate against the Unix gateway machine's password file, which is a HUGE deal as it makes roaming access realistic. I am, right now, using a fixed PSK for this as I haven't (yet) enabled the plug-ins that work against the Unix password file -- doing that will have to wait until I know the rest of the config works.
The bad news, and it is VERY bad news, is that what shows up on the FreeBSD gateway machine is the PUBLIC IP address of the Z-10's connection to the cellular network. That is, if you're on "22.214.171.124" with your cell provider that is what shows up on the gateway machine as the source of the packets, and not the tunnel address that was assigned. What's worse is that I can't get that packet flow to go through NAT no matter what I do -- at least thus far. If I could get it to go through NAT I could solve 70% of the problem but so far no dice.
This really sucks becasue it means that while the Z-10 can access everything on the gateway it cannot necessarily see anything on the local network beyond the gateway itself (it may be able to in some instances, IF the other machine doesn't mind the screwball address AND points default back at the gateway) and (2) it cannot use the VPN to get back out to the Internet at large.
What I want/need is to have the packets emitted into the local network "appear" to come from the internal network of the gateway machine. Thus far the magic incantation to do that has eluded me.
Needless to say this makes it worthless in its present incantation for any sort of "real" use.
I am continuing work on this effort but the FreeBSD mailing lists along with the StrongSwan ones appear to find this a "novel" problem and nobody has a good suggestion. This wouldn't bite two LANs connecting over IPSEC/IKEv2 because both would have unique and known IP addresses for their "source" and a simple static route pointer will work for that, never mind that they each would typically have a public Internet access method that is "private" for their use (but not shared.) This is what StrongSwan's examples consider a "Road Warrior" connection -- uh, no. A road warrior has no clue what their IP number will be but must present a COHERENT address to the gateway machine -- an address that MAY also have OTHER things on it that cannot be disrupted! In other words it has to be private and the gateway has to NAT the address or you either break full connectivity to the remote device, its gateway, or both.
It does not work as it stands for a connecting mobile device because (1) there is no gateway in that instance, (2) the address being presented is public, and (3) if that address winds up out in the wild as a source address the target of the packet is going to reply back to the public address directly instead of coming back into the gateway and ultimately back down the encrypted tunnel, and thus won't work at all.
This is distinct from PPTP/LT2P which translates the packets as an "endpoint" and appears on the other end as if it is a local machine, obviating this problem. But the Z-10 doesn't support PPTP/LT2P.
This may be configuration problem on my end, but I'm beginning to think not -- and if so that sucks as it may be a StrongSwan limitation.
04-22-2013 12:18 AM
Son of a *****, I got it.
Ok folks, cookbook is coming as soon as I can condense all this. I got it figured out; road-warrior IPSEC/IKEv2 GENERIC, no special **bleep**, is now working.
I can access EVERYTHING on my local network along with anything on the Internet through the VPN connection without having to use BES and without anything beyond an ordinary Unix machine as a gateway.
It's FAST too.
04-22-2013 10:35 AM
So, what's cooking?
PIN: C0001B7B4 Display/Scan Bar Code
PIN: C0005A9AA Display/Scan Bar Code
04-22-2013 10:51 AM
It works against StrongSwan on the IKEv2 Generic profile, in short.
Set the profile up thus in ipsec.conf:
The "rightsourceip" is a pool of your choice not otherwise in use. Your gateway must also implement NAT to translate that outbound to the Internet as a whole and has to honor it for local services (you need to set the DNS server in strongswan.conf, for example, and make sure your server will honor and resolve requests from the tunnel.) The rightid should be your email address which is the PSK key. For the gateway authenticator use the IPv4 address -- NOT the email address -- and make sure you have a matching entry in the "ipsec.secrets" file (%any can be used for a wildcard match) for the gateway authentication.
leftsubnet tells the remote client to set the default route to point to the tunnel, so ALL packets come to the VPN server. The address assigned from the "%any" key on "right" will be from the pool in "rightsourceip", managed by StrongSwan internally.
Then create the file ipsec.secrets with the appropriate PSK and key to match the client's email address.
This will authenticate and work, setting the default route on the phone to point to the other end of the tunnel. Any number of connections from any number of phones will work at once, provided each can authenticate (e.g. each has a valid password and email tuple in the ipsec.secrets file) and you don't run out of the IP pool you declared. You can use certificates if you wish (they're even more secure) but they're not required and for many people they're considered a serious pain in the neck (especially setting up the local CA, which is required if you're going to use certificate-based authentication and don't want to buy a certificate from a public CA.)
This is FAST too -- VERY fast. Browsing is faster over VPN than it is over a bare cell connection as this bypasses all the carrier BS games with deep-packet inspection and their "transparent" proxies.
05-19-2013 12:33 PM
Did you find any way to make it work without sending all traffic over the VPN?
When I'm at home and using my home wifi, I'd like to be able to use Blackberry Link and the DLNA server with my PS3.
05-19-2013 01:28 PM
Not on autoconnect, but that's ok provided you configure the local network correctly.
I have it working; a "cookbook" post is here: http://market-ticker.org/akcs-www?post=220395
05-19-2013 03:14 PM - edited 05-19-2013 03:22 PM
Err that's not exactly what I meant; you've got leftsubnet=0/0 which is what I'm trying to avoid.
My Z10 "gets" the subnets I list, but the IP traffic just doesn't go down for some reason. I've created another post that may cover this better.
Btw: I found your cookbook using google and found it useful in building my configuration. Thanks for that.
05-19-2013 10:52 PM
I'll take a look at the other thread; can you post your StrongSwan config and the VPN status page from the Z-10 when it's up in there?