[strongSwan] Strongswan to work with my Blackberry Z10
Christian Klugesherz
christian.klugesherz at gmail.com
Mon Jul 4 00:31:01 CEST 2016
Hello All,
I'm struggling to get strongSwan to work with my Blackberry 10, without success.
Can you please help?
Every time I get a "Delay connection" error on my BB10.
Here is an extract of a Wireshark trace:
281 00:10:28.232694 80.12.51.34 192.168.1.29 ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
282 00:10:28.334397 192.168.1.29 80.12.51.34 ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
285 00:10:29.342239 80.12.51.34 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
286 00:10:29.352872 192.168.1.29 80.12.51.34 ISAKMP 154 IKE_AUTH MID=01 Responder Response
344 00:10:39.339776 80.12.51.34 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
369 00:10:49.465380 80.12.51.34 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
Many, many thanks,
Christian
Mobile BB10 ---------INTERNET------------ NAT gateway --------- VPN (Pi) ------------- (Home Network)
80.12.51.34                               Public: 78.229.20.105  (Raspberry Pi)        192.168.1.0/24
                                          (ckl.freeboxos.fr)     192.168.1.29
                                          Private: 192.168.1.254/24
Mobile BB10
Blackberry Z10 client on the Internet that establishes a tunneled
connection to the VPN gateway (Pi) in the home network
using the EAP-MSCHAPv2 protocol via IKEv2 (pre-shared key).
NAT Gateway:
This device, serving as the NAT router of the home network, forwards
the VPN requests of my BB10 to the VPN gateway (Pi).
The gateway is accessible from the Internet by the FQDN
"ckl.freeboxos.fr".
The local IP address of the gateway is 192.168.1.254.
VPN (Pi):
Acts as the other endpoint for the VPN connection to my Home
Network 192.168.1.0/24.
Uses the StrongSwan VPN library for providing authentication and
encryption methods.
Goal:
My BB10 (from the Internet) to have access to my Home Network
StrongSwan (Version):
--------------------
Linux strongSwan U5.2.1/K4.4.13+
Port Forwarded on NAT Gateway
--------------------------------
UDP 500,4500 -- Forwarded --> 192.168.1.29
Configuration BB10:
-------------------
Profile Name : home
Server Address : 78.229.20.105
Gateway Type : Generic IKEv2 VPN Server
Authentication Type : EAP-MSCHAPv2
Authentication ID Type : email
ID Authentication : alice (not used, can be anything)
MSCHAPv2 EAP Identity : alice (not used, can be anything)
MSCHAPv2 Username : alice (--> username in ipsec.secrets)
MSCHAPv2 Password : alicepass (--> alice's password in ipsec.secrets)
Gateway Auth Type : PSK
Gateway Auth ID Type : IPv4
Gateway Preshared Key : pskpass (-->PSK password in ipsec.secrets)
file /etc/sysctl.conf:
----------------------
net.ipv4.ip_forward = 1
file /etc/ipsec.secrets:
-------------------------
include /var/lib/strongswan/ipsec.secrets.inc
: PSK "pskpass"
alice : EAP "alicepass"
file /etc/ipsec.conf:
----------------------
config setup
    uniqueids=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=@ckl.freeboxos.fr
    right=%any
    rightsourceip=192.168.1.254/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
file /etc/strongswan.conf :
---------------------------
charon {
    load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509
           curl revocation hmac xcbc stroke kernel-netlink socket-default
           fips-prf eap-mschapv2 eap-identity updown
}
Adjustments to iptables, so that the Pi maps the traffic of the VPN
network to its physical network adapter:
--------------------------------------------------------------------
sudo iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
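The trace above shows the gateway answering IKE_AUTH once (frame 286) while the phone keeps resending the same IKE_AUTH request with MID=01, which is the IKEv2 retransmit pattern of an initiator that never received or accepted a reply. The following script, added here as an illustration and not part of the original post, parses such a Wireshark summary (the frames are a constructed transcription of the ones quoted) and flags exchanges whose request was sent more than once, so the lost or rejected reply can be located before digging into the charon log.

```python
import re
from collections import defaultdict

# Constructed sample: the frames quoted in the post, one per line
# (frame, time, src, dst, proto, length, exchange, MID, role, kind).
TRACE = """\
281 00:10:28.232694 80.12.51.34 192.168.1.29 ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
282 00:10:28.334397 192.168.1.29 80.12.51.34 ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
285 00:10:29.342239 80.12.51.34 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
286 00:10:29.352872 192.168.1.29 80.12.51.34 ISAKMP 154 IKE_AUTH MID=01 Responder Response
344 00:10:39.339776 80.12.51.34 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
369 00:10:49.465380 80.12.51.34 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
"""

LINE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ISAKMP\s+"
    r"(?P<len>\d+)\s+(?P<exch>\S+)\s+MID=(?P<mid>[0-9a-fA-F]+)\s+"
    r"(?P<role>Initiator|Responder)\s+(?P<kind>Request|Response)$")

def parse(trace):
    """Turn Wireshark ISAKMP summary lines into dicts; non-matching lines are skipped."""
    frames = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["frame"], d["len"], d["mid"] = int(d["frame"]), int(d["len"]), int(d["mid"], 16)
            frames.append(d)
    return frames

def exchange_summary(frames):
    """Per (initiator address, MID, exchange type): requests and responses seen."""
    summary = defaultdict(lambda: {"requests": 0, "responses": 0, "request_frames": []})
    for f in frames:
        # Key by the initiator's address so both directions of an exchange land together.
        initiator = f["src"] if f["kind"] == "Request" else f["dst"]
        entry = summary[(initiator, f["mid"], f["exch"])]
        if f["kind"] == "Request":
            entry["requests"] += 1
            entry["request_frames"].append(f["frame"])
        else:
            entry["responses"] += 1
    return dict(summary)

def retransmitted_exchanges(frames):
    """Exchanges whose request was repeated: the initiator saw no usable reply."""
    return {k: v for k, v in exchange_summary(frames).items() if v["requests"] > 1}

if __name__ == "__main__":
    for (init, mid, exch), v in retransmitted_exchanges(parse(TRACE)).items():
        print(f"{exch} MID={mid} from {init}: {v['requests']} requests "
              f"(frames {v['request_frames']}), {v['responses']} response(s) captured")
```

On the quoted trace this reports the IKE_AUTH exchange as sent three times with one captured response, which points at the return path between 192.168.1.29 and the phone (NAT port 4500 forwarding) or at the phone rejecting the 154-byte reply, rather than at IKE_SA_INIT.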