[strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

Christian Klugesherz christian.klugesherz at gmail.com
Tue Jul 19 17:34:53 CEST 2016


Hi Yuri,

Thanks for this information, which definitely doesn't simplify the task... :-(
My BB OS is 10.3.2.2836
Yes, I spent a lot on crackberry.com and other VPN-BB implementation
sites, unfortunately I didn't succeed for now. :-(

I'm a bit surprised regarding VPN IPv6, because I can see some incoming
traffic on my Raspberry.
My VPN is behind my NAT-Router.

I will try to fix the current issue for now, because switching to IPv6
might be a big challenge for me.

Jul 19 14:43:57 raspberrypi charon: 16[CFG] selected peer config 'BB10'
Jul 19 14:43:57 raspberrypi charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x0F)
Jul 19 14:43:57 raspberrypi charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 14:43:57 raspberrypi charon: 16[IKE] no private key found for 'ckl.freeboxos.fr'

Regards

Christian

2016-07-19 17:16 GMT+02:00 Yuri D <p_port at mail.ru>:
> Hi!
>
> So, as You have a BB device, You can find a good how-to on crackberry.com for
> PSK-based VPN IPv4 with Strongswan. That how-to is about the Amazon service, not
> a Raspberry device, but You can transfer it with ease. I tested it and it
> definitely works.
> Another thing You should keep in mind - BB OS 10.3.0 and higher uses IPv6
> for its services, so simple IPv4 shuts down everything from BBM voice to BB
> Link and Blend.
> So, You have 2 ways:
> 1) You can stay on OS 10.2 and You'll be ready to use everything with IPv4
> or
> 2) You must expand the VPN to IPv6 for OS 10.3
>
> Regards,
> Yuri
>
> ----- Original Message -----
> From: "Tobias Brunner" <tobias at strongswan.org>
> To: "Christian Klugesherz" <christian.klugesherz at gmail.com>
> Cc: <Users at lists.strongswan.org>
> Sent: 19 July 2016, 16:21
> Subject: Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi
>
>
>> Hi Christian,
>>
>> > Nevertheless, by removing: `eap_identity` I got the same result.
>>
>> You might need it, but that depends on the client.
>>
>> > On basis, I wanted to use StrongSwan as simple as possible without
>> > certificates CA.
>>
>> That probably won't work as authenticating clients with EAP requires
>> authenticating the server with a certificate to be standard-compliant
>> (RFC 7296, section 2.16).  strongSwan can be configured to combine EAP
>> with PSK authentication.  But that's not recommended, as anybody knowing
>> it could impersonate the server, and most other implementations probably
>> don't support this combination.  Using EAP-only authentication is also
>> possible, if supported by the peer, but that calls for a strong mutual
>> EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).
>>
>> > Does that mean that in any case, you have to set-up a CA in order to
>> > use strongSwan ?
>> > Even with a VPN IKEv2 with preshared Key ?
>>
>> No.  If the client supports it you could, of course, use plain PSK
>> authentication (i.e. without EAP).  Even though it's not recommended for
>> larger roadwarrior deployments (again, anybody knowing the PSK could
>> impersonate the server).
>>
>> Setting up a simple PKI (one CA certificate, one server certificate) is
>> quite easy (see previous link).  You could also use a free certificate
>> from Let's Encrypt or StartSSL, which your client might already trust,
>> which would relieve you from having to install your own CA certificate
>> on the clients.
>>
>> Regards,
>> Tobias
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
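
The two setups Tobias describes in the quoted reply, sketched as an added example (it is not from the thread or from the strongSwan project). The conn name and server identity come from the log above; file names, the address pool, the user name and all secrets are placeholders. charon prints "no private key found" when it has to authenticate itself with a public key and no matching key is loaded from ipsec.secrets.

```conf
# ---- /etc/ipsec.conf : use ONE of the two conn sections ----

# Option A: server proves itself with a certificate, client uses EAP-MSCHAPv2
# (the standard-compliant combination, RFC 7296 section 2.16)
conn BB10
    keyexchange=ikev2
    left=%any
    leftid=ckl.freeboxos.fr          # must appear in the server certificate
    leftauth=pubkey
    leftcert=serverCert.pem          # placeholder, in /etc/ipsec.d/certs
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity           # may be needed, depends on the client
    rightsourceip=10.10.10.0/24      # constructed address pool
    auto=add

# Option B: plain PSK on both sides, no EAP and no certificates
# (anybody who knows the PSK can impersonate the server)
conn BB10-psk
    keyexchange=ikev2
    left=%any
    leftid=ckl.freeboxos.fr
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightsourceip=10.10.10.0/24      # constructed address pool
    auto=add

# ---- /etc/ipsec.secrets ----

# Option A: private key matching serverCert.pem (in /etc/ipsec.d/private).
# Without this line charon logs "no private key found for 'ckl.freeboxos.fr'".
: RSA serverKey.pem
bbuser : EAP "REPLACE-with-user-password"

# Option B: shared secret for the server identity and any client
ckl.freeboxos.fr %any : PSK "REPLACE-with-long-random-secret"
```

After editing, `ipsec rereadsecrets` followed by `ipsec reload` makes charon pick up the new secrets and connection definitions.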

