[strongSwan] Strongswan with Blackberry Z10

Christian Klugesherz christian.klugesherz at gmail.com
Mon Jul 4 00:55:52 CEST 2016


(Here is the same message again, with better formatting than the Gmail version)

Hello All,

I'm struggling to get strongSwan to work with my BlackBerry 10, so far without success.
Can you please help?
Every time I get a "Delay connection" error on my BB10.

Here is an extract of a Wireshark trace (without the timestamps):

80.12.51.34   -  192.168.1.29   ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
192.168.1.29 -  80.12.51.34     ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
80.12.51.34   -  192.168.1.29   ISAKMP 330 IKE_AUTH MID=01 Initiator Request
192.168.1.29 -  80.12.51.34     ISAKMP 154 IKE_AUTH MID=01 Responder Response
80.12.51.34  -  192.168.1.29    ISAKMP 330 IKE_AUTH MID=01 Initiator Request
80.12.51.34  -  192.168.1.29    ISAKMP 330 IKE_AUTH MID=01 Initiator Request

Thanks

Christian


Mobile BB10-----INTERNET-----NAT gateway
80.12.51.34                          Public: 78.229.20.105
                                                    : ckl.freeboxos.fr
                                           Private:192.168.1.254/24
                                              |
                                              |
                                        VPN (Pi)-----------(Home Network)
                                      (Raspberry Pi)    192.168.1.0/24
                                       192.168.1.29


Mobile BB10
    Blackberry Z10 Client in the Internet, that establishes a tunneled
    connection to the VPN gateway (Pi) in the home network
    by using the MSCHAPv2 EAP protocol via IKEv2. (Preshared Key)
NAT Gateway:
    This device, serving as the NAT router of the home network,
    forwards the VPN requests of my BB10
    to the VPN gateway (Pi). The gateway is accessible by the
    FQDN: "ckl.freeboxos.fr" from the internet.
    Local IP address of the gateway is 192.168.1.254
VPN (Pi):
    Acts as the other endpoint for the VPN connection to my
    Home Network 192.168.1.0/24.
    Uses the strongSwan VPN library.
Goal:
    My BB10 (from the Internet) to have access to my Home Network

StrongSwan (Version):
---------------------------------
Linux strongSwan U5.2.1/K4.4.13+

Port Forwarded on NAT Gateway
-----------------------------------------------
UDP 500,4500  -- Forwarded -->   192.168.1.29


Configuration BB10:
------------------------------
Profile Name             : home
Server Address           : 78.229.20.105
Gateway Type             : Generic IKEv2 VPN Server
Authentication Type      : EAP-MSCHAPv2
Authentication ID Type   : email
ID Authentication        : alice     (not used, can be anything)
MSCHAPv2 EAP Identity    : alice     (not used, can be anything)
MSCHAPv2 Username        : alice     (--> username in ipsec.secrets)
MSCHAPv2 Password        : alicepass (--> alice's password in ipsec.secrets)
Gateway Auth Type        : PSK
Gateway Auth ID Type     : IPv4
Gateway Preshared Key    : pskpass   (--> PSK password in ipsec.secrets)

file /etc/sysctl.conf:
-----------------------------
net.ipv4.ip_forward = 1

file /etc/ipsec.secrets:
--------------------------------
include /var/lib/strongswan/ipsec.secrets.inc
: PSK "pskpass"
alice : EAP "alicepass"

file /etc/ipsec.conf:
------------------------------
config setup
   uniqueids=yes

conn %default
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   keyexchange=ikev2
   authby=secret

conn rem
   rekey=no
   leftsubnet=0.0.0.0/0
   leftauth=psk
   leftid=@ckl.freeboxos.fr
   right=%any
   rightsourceip=192.168.1.254/24
   rightauth=eap-mschapv2
   rightsendcert=never
   eap_identity=%any
   auto=add

file /etc/strongswan.conf:
-----------------------------------
charon {
  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
}

Adjustments to iptables, so that the Pi maps the traffic of the VPN
network to its physical network adapter
-----------------------------------------------------------------------
sudo iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
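The trace in the post shows the pattern that matters when reading an IKEv2 capture: each Message ID should carry exactly one request and one response, and an initiator retransmits a request only while it has not accepted a response (RFC 7296, section 2.1). The script below is an added example, not code from the post or from the strongSwan project: it parses Wireshark-style one-line summaries in the format quoted above (the input layout is an assumption), pairs requests with responses by Message ID, and reports retransmissions so the exchange that stalled can be spotted without reading the packets by hand.

```python
"""Added example (not part of the original post): pair IKEv2 requests with
responses in Wireshark-style one-line summaries and flag retransmissions.

Assumed input format (the layout of the trace quoted in the post, timestamps omitted):
  <src> - <dst> ISAKMP <bytes> <exchange> MID=<n> <Initiator|Responder> <Request|Response>
"""
import re

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+-\s+(?P<dst>\S+)\s+ISAKMP\s+(?P<length>\d+)\s+"
    r"(?P<exchange>\S+)\s+MID=(?P<mid>\d+)\s+(?P<role>Initiator|Responder)\s+"
    r"(?P<kind>Request|Response)$"
)

# Constructed sample: the six summary lines from the post, copied verbatim.
SAMPLE_TRACE = """\
80.12.51.34   -  192.168.1.29   ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
192.168.1.29 -  80.12.51.34     ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
80.12.51.34   -  192.168.1.29   ISAKMP 330 IKE_AUTH MID=01 Initiator Request
192.168.1.29 -  80.12.51.34     ISAKMP 154 IKE_AUTH MID=01 Responder Response
80.12.51.34  -  192.168.1.29    ISAKMP 330 IKE_AUTH MID=01 Initiator Request
80.12.51.34  -  192.168.1.29    ISAKMP 330 IKE_AUTH MID=01 Initiator Request
"""


def parse_trace(text):
    """Parse summary lines into dicts; raise on a line that does not match the format."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised trace line: " + line)
        d = m.groupdict()
        d["length"] = int(d["length"])
        d["mid"] = int(d["mid"])
        messages.append(d)
    return messages


def exchange_stats(messages):
    """Group messages by Message ID: IKEv2 expects one request and one response per MID."""
    stats = {}
    for m in messages:
        s = stats.setdefault(
            m["mid"],
            {"exchange": m["exchange"], "requests": 0, "responses": 0,
             "request_bytes": set(), "response_bytes": set()},
        )
        if m["kind"] == "Request":
            s["requests"] += 1
            s["request_bytes"].add(m["length"])
        else:
            s["responses"] += 1
            s["response_bytes"].add(m["length"])
    return stats


def findings(stats):
    """Return observations per MID; an empty list means every exchange completed cleanly."""
    notes = []
    for mid in sorted(stats):
        s = stats[mid]
        if s["responses"] == 0:
            notes.append(f"MID={mid} {s['exchange']}: {s['requests']} request(s), never answered.")
        elif s["requests"] > 1:
            sizes = "/".join(str(b) for b in sorted(s["request_bytes"]))
            notes.append(
                f"MID={mid} {s['exchange']}: {s['requests']} identical requests ({sizes} bytes) "
                f"but {s['responses']} response(s). An IKEv2 initiator retransmits only while it "
                "has not accepted a response, so either the captured response never reached the "
                "client (check the UDP 500/4500 return path through the NAT) or the client could "
                "not process it."
            )
        if s["responses"] > 1:
            notes.append(
                f"MID={mid} {s['exchange']}: {s['responses']} responses for one MID "
                "(responder retransmitting its cached response)."
            )
    return notes


if __name__ == "__main__":
    for note in findings(exchange_stats(parse_trace(SAMPLE_TRACE))):
        print(note)
```

Run against the quoted trace it reports a single finding: IKE_SA_INIT (MID=0) completed, while the IKE_AUTH request (MID=1) was sent three times against one captured response. On a real capture the same script can be fed the output of a `tshark` summary filtered to ISAKMP once the columns are arranged in the assumed order.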

