[strongSwan] Strongswan with Blackberry Z10
Christian Klugesherz
christian.klugesherz at gmail.com
Mon Jul 4 00:55:52 CEST 2016
(Here again the same message, with better formatting than the Gmail version)
Hello All,
I'm struggling to get strongSwan to work with my Blackberry 10, without success.
Can you please help?
Every time I get a "Delay connection" error on my BB10.
Here is an extract of a Wireshark trace (without the timestamps):
80.12.51.34 - 192.168.1.29 ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 154 IKE_AUTH MID=01 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
Thanks
Christian
Mobile BB10-----INTERNET-----NAT gateway
80.12.51.34                  Public:  78.229.20.105
                                    : ckl.freeboxos.fr
                             Private: 192.168.1.254/24
                                     |
                                     |
                             VPN (Pi)-----------(Home Network)
                             (Raspberry Pi)      192.168.1.0/24
                             192.168.1.29

Mobile BB10:
Blackberry Z10 client in the Internet, which establishes a tunneled
connection to the VPN gateway (Pi) in the home network
by using the MSCHAPv2 EAP protocol via IKEv2 (Preshared Key).
NAT Gateway:
This device, serving as the NAT router of the home network,
forwards the VPN requests of my BB10
to the VPN gateway (Pi). The gateway is reachable from the Internet
under the FQDN "ckl.freeboxos.fr".
The local IP address of the gateway is 192.168.1.254.

VPN (Pi):
Acts as the other endpoint of the VPN connection to my
home network 192.168.1.0/24.
Uses the strongSwan VPN library.
Goal:
My BB10 (from the Internet) to have access to my Home Network
StrongSwan (Version):
---------------------------------
Linux strongSwan U5.2.1/K4.4.13+
Port Forwarded on NAT Gateway
-----------------------------------------------
UDP 500,4500 -- Forwarded --> 192.168.1.29
Configuration BB10:
------------------------------
Profile Name : home
Server Address : 78.229.20.105
Gateway Type : Generic IKEv2 VPN Server
Authentication Type : EAP-MSCHAPv2
Authentication ID Type : email
ID Authentication : alice (not used, can be anything)
MSCHAPv2 EAP Identity : alice (not used, can be anything)
MSCHAPv2 Username : alice (--> username in ipsec.secrets)
MSCHAPv2 Password : alicepass (--> alice's password in ipsec.secrets)
Gateway Auth Type : PSK
Gateway Auth ID Type : IPv4
Gateway Preshared Key : pskpass (-->PSK password in ipsec.secrets)
file /etc/sysctl.conf:
-----------------------------
net.ipv4.ip_forward = 1
file /etc/ipsec.secrets:
--------------------------------
include /var/lib/strongswan/ipsec.secrets.inc
: PSK "pskpass"
alice : EAP "alicepass"
file /etc/ipsec.conf:
------------------------------
config setup
    uniqueids=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=@ckl.freeboxos.fr
    right=%any
    rightsourceip=192.168.1.254/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
file /etc/strongswan.conf :
-----------------------------------
charon {
    load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509
           curl revocation hmac xcbc stroke kernel-netlink socket-default
           fips-prf eap-mschapv2 eap-identity updown
}
Adjustments to iptables, so that the Pi maps the traffic of the VPN
network to its physical network adapter
-----------------------------------------------
sudo iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
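The following analyser is an added example for this thread, not code from the original post or from the strongSwan project. It parses Wireshark summary lines in the form quoted above (the sample is constructed to mirror that trace) and reports, per Message ID, a request that keeps being retransmitted after the responder has already answered. Under IKEv2 (RFC 7296) an initiator retransmits a request only until it receives the matching response, so that pattern means the IKE_AUTH reply never reached the client or was discarded by it; the IKE_SA_INIT exchange, which completed with one request and one response, is not where the failure lies. The function names parse_trace, summarise and diagnose are the example's own.

```python
"""Added example: analyse Wireshark summary lines of an IKEv2 negotiation
and flag exchanges whose request is retransmitted after a response was sent.
Not part of the original mailing-list post; function names are this example's own."""
import re

# Matches the summary format quoted in the post:
# "<src> - <dst> ISAKMP <len> <exchange> MID=<n> <Initiator|Responder> <Request|Response>"
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+-\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+ISAKMP\s+"
    r"(?P<length>\d+)\s+(?P<exchange>\w+)\s+MID=(?P<mid>\d+)\s+"
    r"(?P<role>Initiator|Responder)\s+(?P<kind>Request|Response)$"
)

# Constructed sample, mirroring the trace quoted in the post.
SAMPLE_TRACE = """\
80.12.51.34 - 192.168.1.29 ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 154 IKE_AUTH MID=01 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
"""


def parse_trace(text):
    """Parse summary lines into dicts; raise on a line that does not fit the format."""
    packets = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised trace line: {raw!r}")
        pkt = m.groupdict()
        pkt["length"] = int(pkt["length"])
        pkt["mid"] = int(pkt["mid"])
        packets.append(pkt)
    return packets


def summarise(packets):
    """Per Message ID: how many requests and responses were seen, and how many
    requests arrived after a response had already been sent (retransmissions)."""
    summary = {}
    for pkt in packets:
        entry = summary.setdefault(pkt["mid"], {
            "exchange": pkt["exchange"],
            "requests": 0,
            "responses": 0,
            "retransmits_after_response": 0,
        })
        if pkt["kind"] == "Request":
            entry["requests"] += 1
            if entry["responses"] > 0:
                entry["retransmits_after_response"] += 1
        else:
            entry["responses"] += 1
    return summary


def diagnose(summary):
    """Turn the per-MID summary into human-readable findings."""
    findings = []
    for mid, entry in sorted(summary.items()):
        tag = f"MID={mid:02d} {entry['exchange']}"
        if entry["retransmits_after_response"]:
            findings.append(
                f"{tag}: request retransmitted {entry['retransmits_after_response']} "
                "time(s) after a response was already sent; the peer did not "
                "receive or did not accept that response"
            )
        elif entry["requests"] > 1:
            findings.append(f"{tag}: request retransmitted with no response sent")
        elif entry["responses"] == 0:
            findings.append(f"{tag}: request without any response")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarise(parse_trace(SAMPLE_TRACE))):
        print(line)
```

Run against the sample, the only finding is for MID=01 IKE_AUTH, with two retransmissions after the 154-byte response; a trace where the client stops retransmitting after the first IKE_AUTH response yields no findings at all.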