[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi
Christian Klugesherz
christian.klugesherz at gmail.com
Wed Jul 13 18:33:41 CEST 2016
Hello All,
Please, I need your help.
I have been struggling (for weeks ...) to get strongSwan to work with my BlackBerry Z10,
without success.
Can you please help?
Every time I get a "Delay connection" error on my BB10.
Is the issue linked to "loading EAP_MSCHAPV2 method failed"?
What is wrong in my configuration?
Thanks
Christian
===================================SYSLOG=======================================
[NET] received packet: from 80.12.38.224[3714] to 192.168.1.29[500] (400 bytes)
[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
[IKE] 80.12.38.224 is initiating an IKE_SA
[IKE] local host is behind NAT, sending keep alives
[IKE] remote host is behind NAT
[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
[NET] sending packet: from 192.168.1.29[500] to 80.12.38.224[3714] (312 bytes)
[NET] received packet: from 80.12.38.224[4500] to 192.168.1.29[4500] (284 bytes)
[ENC] parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
[CFG] looking for peer configs matching 192.168.1.29[%any]...80.12.38.224[alice]
[CFG] selected peer config 'BB10'
[IKE] loading EAP_MSCHAPV2 method failed
[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
[NET] sending packet: from 192.168.1.29[4500] to 80.12.38.224[4500] (108 bytes)
===================================TOPOLOGY=====================================
(In case the diagram is not shown correctly, please copy/paste it into a text editor)
+-------------+
| |
+---------------+ Private | NAT Gateway | Public +----------+
| 192.168.1.254/24 | | 78.229.20.105 |
| +-------------+ ckl.freeboxos.fr |
+ |
XXXXXXXXXXXXXXXX |
XX XX |
X (Home Network) XX +
XX 192.168.1.0/24 XX XXXXXXXXXXXXXXX
XXX XXX XXXXXXX XXXX
XXXXXXXXXXXXXX XXX XX
+ X XX
| XX INTERNET X
| XXX X
+---+ XX XX
| XXXXX XXX
+ XXXXXXX+XXXXXXXX
192.168.1.29 |
+--------+ +++
| VPN Pi | | | Roadwarrior
+-+------+ | | Mobile BB10
^ | | 80.12.51.34
| +++
| ^
| +----------------------------------------+ |
+---> | VPN Network Tunnel Address 10.0.0.0/16 | <------+
+----------------------------------------+
================================================================================
Goal:
My BB10 (from the Internet) to have access to my Home Network
Mobile BB10:
BlackBerry Z10 client on the Internet that establishes a tunneled
connection to the VPN gateway (Pi) in the home network
using the EAP-MSCHAPv2 protocol via IKEv2 (preshared key).
NAT Gateway:
This device, serving as the NAT router of the home network,
forwards the VPN requests of my BB10
to the VPN gateway (Pi). The gateway is reachable from the Internet
under the FQDN "ckl.freeboxos.fr".
The local IP address of the gateway is 192.168.1.254.
VPN (Pi):
Acts as the other endpoint of the VPN connection to my
home network 192.168.1.0/24.
Uses the strongSwan VPN library.
StrongSwan (Version):
Linux strongSwan U5.2.1/K4.4.13+
Port Forwarded on NAT Gateway
UDP 500,4500 -- Forwarded --> 192.168.1.29
===============================CONFIGURATION====================================
----------------------
file /etc/sysctl.conf:
----------------------
# ADD or SET in File
net.ipv4.ip_forward = 1
-------------------------
file /etc/ipsec.secrets:
-------------------------
include /var/lib/strongswan/ipsec.secrets.inc
: PSK "123456#" #(Gateway Preshared Key)
alice : EAP "alicep" #(MSCHAPv2 Username + Password)
----------------------
file /etc/ipsec.conf:
----------------------
# /etc/ipsec.conf - strongSwan IPsec configuration file
# https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
config setup

# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn BB10
    leftid=@ckl.freeboxos.fr
    left=%defaultroute
    leftfirewall=yes
    #leftsubnet=0.0.0.0/0
    leftsubnet=192.168.1.0/24
    right=%any
    rightsourceip=10.0.0.0/16
    rightdns=192.168.1.254
    rightauth=eap-mschapv2
    rightsendcert=never
    auto=add
---------------------------
file /etc/strongswan.conf :
---------------------------
charon {
load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509
curl revocation hmac xcbc stroke kernel-netlink socket-default
fips-prf eap-mschapv2 eap-identity updown
}
===================================IPTABLES=====================================
Adjustments to iptables, so that the Pi maps the traffic of the VPN network
to its physical network adapter:
$ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE
============================Configuration on BB10===============================
-------------------
Profile Name : home
Server Address : 78.229.20.105
Gateway Type : Generic IKEv2 VPN Server
Authentication Type : EAP-MSCHAPv2
Authentication ID Type : email
ID Authentication : alice (not used, can be anything)
MSCHAPv2 EAP Identity : alice (not used, can be anything)
MSCHAPv2 Username : alice (--> username in ipsec.secrets)
MSCHAPv2 Password : alicep (--> alice's password in ipsec.secrets)
Gateway Auth Type : PSK
Gateway Auth ID Type : IPv4
Gateway Preshared Key : 123456# (-->PSK password in ipsec.secrets)
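An added triage check, not part of Christian's mail or of the strongSwan project: a small Python script that reads a charon `load =` statement and a few syslog lines and reports which plugins the eap-mschapv2 method depends on are absent from the list, whether the list spans more than one line (strongswan.conf reads a value only up to the end of its line), and which EAP method charon said it could not load. The dependency list and the sample input are constructed assumptions; confirm them with `ipsec listplugins` on your own build.

```python
import re

# Plugins the eap-mschapv2 method needs besides itself: md4 for the NT hash,
# sha1 and des for the challenge/response, and an RNG. Assumed from the
# plugin's feature list; verify against `ipsec listplugins` (constructed).
EAP_MSCHAPV2_DEPS = ("eap-mschapv2", "md4", "sha1", "des", "random")

# Constructed sample: the load= statement as it appears in the mail,
# wrapped over three lines.
SAMPLE_CONF = """charon {
    load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509
        curl revocation hmac xcbc stroke kernel-netlink socket-default
        fips-prf eap-mschapv2 eap-identity updown
}
"""

# Constructed sample of the two syslog lines that matter for the EAP failure.
SAMPLE_LOG = [
    "[IKE] loading EAP_MSCHAPV2 method failed",
    "[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]",
]


def parse_load(conf):
    """Return (plugin set, number of non-empty lines) of the charon load= value.

    strongswan.conf takes a value only up to the end of its line, so a list
    that wraps onto further lines is not what charon actually loads; the
    line count lets the caller flag that.
    """
    m = re.search(r"^\s*load\s*=(.*?)^\s*\}", conf, re.S | re.M)
    if not m:
        return set(), 0
    lines = [ln for ln in m.group(1).splitlines() if ln.strip()]
    return set(" ".join(lines).split()), len(lines)


def failed_eap_methods(log_lines):
    """EAP method names charon reported it could not instantiate."""
    found = []
    for line in log_lines:
        m = re.search(r"loading (EAP_\w+) method failed", line)
        if m:
            found.append(m.group(1))
    return found


def check(conf, log_lines):
    plugins, nlines = parse_load(conf)
    return {
        "missing": [p for p in EAP_MSCHAPV2_DEPS if p not in plugins],
        "load_spans_lines": nlines,
        "failed_methods": failed_eap_methods(log_lines),
    }


if __name__ == "__main__":
    print(check(SAMPLE_CONF, SAMPLE_LOG))
```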