05-23-2013 03:46 PM
I just spent a week in the US behind hotel WIFI connections, using my IKEv2 VPN connection to my server in Canada, under the assumption that my VPN traffic was going over the WIFI, but I just found out that even though I was connected over WIFI at the hotel, the VPN connection forces the traffic over the cellular network. As a result, I think you can imagine what my phone bill is going to be and I am not happy about this one bit.
I did some testing, and tcpdumping from my firewall, and I can prove that when my VPN connection is established, it does not create the IKE tunnel over WIFI. I also discovered that if I turn off my mobile network (BELL), and turn on WIFI, I can hit the internet just fine, but when I try to establish my VPN connection, it does not connect. What is the purpose of associating a VPN profile to the WIFI connection if it doesn't do anything?
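The check described in the post above (running tcpdump on the firewall in front of the VPN server and seeing whether the IKE negotiation and the ESP traffic actually arrive from the WiFi LAN, or from some other address) can be automated over a saved capture. The script below is an added example written for this thread, not code from any poster or from BlackBerry; the sample capture lines are constructed in tcpdump's text format, and the gateway address 203.0.113.10, the LAN client 192.168.1.50 and the "other path" client 198.51.100.23 are placeholders, not addresses from the thread.

```python
import ipaddress
import re

# Constructed sample capture in tcpdump's text output format (not from the
# thread). 203.0.113.10 stands in for the VPN gateway behind the firewall,
# 192.168.1.50 for the phone's address on the home WiFi LAN, and
# 198.51.100.23 for an address the phone would have if it used another path.
SAMPLE_CAPTURE = """\
21:03:11.104321 IP 192.168.1.50.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[I]
21:03:11.118877 IP 203.0.113.10.500 > 192.168.1.50.500: isakmp: parent_sa ikev2_init[R]
21:03:11.240112 IP 192.168.1.50.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
21:03:11.255901 IP 203.0.113.10.4500 > 192.168.1.50.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
21:03:12.001002 IP 192.168.1.50.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 148
21:03:30.500000 IP 198.51.100.23.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[I]
21:03:31.000000 IP 198.51.100.23.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x11223344,seq=0x1), length 148
"""

# Packet classes we care about: IKEv2 negotiation messages and ESP payload.
KINDS = ("ike_init", "ike_auth", "ike_other", "esp")

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def classify_packet(line):
    """Return (src, dst, kind) for an IKE or ESP packet, or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    if "isakmp" in rest:
        if "ikev2_init" in rest:
            kind = "ike_init"
        elif "ikev2_auth" in rest:
            kind = "ike_auth"
        else:
            kind = "ike_other"
    elif "ESP(" in rest:
        kind = "esp"
    else:
        return None
    return (ipaddress.ip_address(m.group("src")),
            ipaddress.ip_address(m.group("dst")),
            kind)


def summarize_vpn_traffic(capture_text, gateway_ip, lan_cidr):
    """Count client->gateway IKE/ESP packets by whether they came from the WiFi LAN."""
    gateway = ipaddress.ip_address(gateway_ip)
    lan = ipaddress.ip_network(lan_cidr)
    summary = {"wifi_lan": dict.fromkeys(KINDS, 0),
               "other": dict.fromkeys(KINDS, 0)}
    for line in capture_text.splitlines():
        parsed = classify_packet(line)
        if parsed is None:
            continue
        src, dst, kind = parsed
        if dst != gateway:
            continue  # gateway replies are not evidence of the client's path
        origin = "wifi_lan" if src in lan else "other"
        summary[origin][kind] += 1
    return summary


def tunnel_seen_from_lan(capture_text, gateway_ip, lan_cidr):
    """True when both the IKE_SA_INIT request and ESP data arrived from the LAN."""
    lan_counts = summarize_vpn_traffic(capture_text, gateway_ip, lan_cidr)["wifi_lan"]
    return lan_counts["ike_init"] > 0 and lan_counts["esp"] > 0


if __name__ == "__main__":
    summary = summarize_vpn_traffic(SAMPLE_CAPTURE, "203.0.113.10", "192.168.1.0/24")
    for origin, counts in summary.items():
        print(origin, counts)
    print("tunnel negotiated and carrying data over the WiFi LAN:",
          tunnel_seen_from_lan(SAMPLE_CAPTURE, "203.0.113.10", "192.168.1.0/24"))
```

In practice you would feed it the output of `tcpdump -n -i <lan-interface> 'udp port 500 or udp port 4500 or esp'` taken on the firewall, with the LAN CIDR set to the WiFi subnet: if the "wifi_lan" counters stay at zero while the phone shows a connected VPN, the tunnel is being built over some other path, which is exactly the symptom reported here.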
05-23-2013 06:04 PM
05-23-2013 06:18 PM
Yes, I tested this on my home network today which is where I was able to TCPDUMP the network traffic on my BSD based firewall. I can use the same network configuration on my Playbook and it does what it is supposed to do (I have the Playbook that has LTE as well), and I can remove the sim, and it still works. The same configuration on my Z10 will not make a VPN connection unless I have the sim in, and have carrier network turned on.
This forces me to pay foreign data costs. iOS and Android do not do that. I am running the latest version of BlackBerry 10. I have a big enough data plan in Canada that I didn't pay attention to this before, but this is a huge issue. I used a Generic IKEv2 configuration, and if there is anyone out there that is able to confirm that they can make it work on a Z10 without going over carrier network, I would be interested to hear about it. I also just noticed that I can look in my network settings, and WIFI shows connected, and I can see the usual WIFI indicator up where the normal LTE indicator is. When I turn on my VPN connection, that indicator goes back to LTE, the WIFI settings still show that I am connected to wireless, and when I TCPDUMP on my firewall, all traffic stops.
This in my opinion is a serious problem, and I hate to say it but I have a feeling that this wasn't an accident or a bug.
05-23-2013 09:58 PM - edited 05-23-2013 10:04 PM
It works fine for me over WiFi and in fact in the Saved WiFi profiles you can default it to a given VPN profile and it will autoconnect. If I wish I can shut off the mobile network and the IPSEC/IKEv2 connection remains up and active.
I use this literally on a daily basis. If it's not working on your device the problem is likely on the server; I have absolutely no problem at all with IKEv2/IPSEC connections to my server from either WiFi or cell and in fact have the phone set to automatically "nail" all Internet access back through my VPN.
This DEFINITELY does work - it did on 10.0 and does on 10.1, which I am running now (1720 w/1721 radio)
(Attached screen shot showing mobile data turned off, WiFi on to my local LAN and IPSEC/IKEv2 up and running -- I'm using the Generic IKEv2 profile with a PSK and machine certificate to identify the gateway)
05-23-2013 10:07 PM
Again, I can run my VPN connection over cellular, and with my WIFI connection enabled as well, and I can gateway through my VPN server. The difference is that the VPN connection will only establish when I have carrier network enabled, and then it forces VPN traffic over my carrier, not over my WIFI.
I just confirmed that I can't do this on Bell, and I have a friend that I saw tonight who can't do this on Telus either. Just so that we are clear, you can pull the sim out and it will work over WIFI? Or you can turn off your mobile data (carrier), and run over WIFI and it will work?
05-23-2013 10:10 PM - edited 05-23-2013 10:12 PM
Look at the screen shot. Mobile data is shut off entirely.
I'm in the US, on T-Mobile. Doesn't matter though as I run the same config when I'm in my office (like now), when I'm out and about at a public WiFi hotspot (e.g. Starbucks, Books-A-Million, the local mall, etc) and when traveling. It works on WiFi from all of those locations as well as over cellular and as noted in the screen shot above even with the mobile network turned off it functions properly over WiFi.
I also know it's working over IPSEC as I can view the packet counters on the server side and they're increasing while I'm using the phone with the Mobile Network shut off (never mind that I can see the traffic with TCPDUMP)
05-23-2013 11:58 PM
05-24-2013 12:23 AM
I discovered something interesting. I was using EAP-MSCHAP-V2 for the client side authentication, but I just changed it to PSK on the client side and it works fine now without carrier network. I am not sure what is up with that, but that's all that I changed and now it works.
Thanks for the feedback everyone.
05-24-2013 07:25 AM
Sounds like the server was failing to complete the authentication with it set that way. What software are you using on the server side? I use MSCHAP for my Windows 7 machines and by definition those are coming in over WiFi, but PSK for my BB10 devices.