[strongSwan] VPN with preshared Key between BB10 andRaspberry-Pi

Wed Jul 20 09:05:58 CEST 2016

Hi!

As per my understanding, You're absolutely newbie in all those things about
VPN, so I HIGHLY recommend You start with simple PSK based EAP-MSCHAPv2
without any certificates. Than, You'll can to start with sertificates after
succesful install VPN. So again, start with crackberry, I can't remember
exact topic name, something about Amazon and VPN.

Everything above is IMHO, of course.

Now about You current config. Log clearly says You haven't private key for
Your certificate. So, what You should to have in few words:
- on server side if You want PKI for its authentication
CA certificate ONLY (without private key!!!)
server PRIVATE key, not CA private key!
server certificate
- on client side, if You want its PSK auth on server side
CA certificate ONLY
- on client side, if You want its PKI auth on server side, add from above
next things:
client private key, not CA private key!
client certificate

NEVER EVER put Your CA private key close to public access.
And PLEASE read sources about PKI infrastructure carefully before You start
Your tries using it.

----- Исходное сообщение ----- 
От: "Christian Klugesherz" <christian.klugesherz at gmail.com>
Кому: "Yuri D" <p_port at mail.ru>
Копия: "Tobias Brunner" <tobias at strongswan.org>;
<Users at lists.strongswan.org>
Отправлено: 19 июля 2016 г. 18:34
Тема: Re: [strongSwan] VPN with preshared Key between BB10 andRaspberry-Pi

Hi Yuri,

Thanks for this information, which definitively don't simplify the task...
:-(
My BB OS is 10.3.2.2836
Yes, I spent a lot on crackberry.com and other VPN-BB implementation
sites, unfortunately I didn't succeed for now. :-(

I'm bit surprised relative to VPN IP6, because I can see some incoming
traffic on my Raspberry.
My VPN is behind my NAT-Router

I will try to fix the current issue for now, because to switch to IPV6
might to be a big challenge for me.

Jul 19 14:43:57 raspberrypi charon: 16[CFG] selected peer config 'BB10'
Jul 19 14:43:57 raspberrypi charon: 16[IKE] initiating EAP_MSCHAPV2
method (id 0x0F)
Jul 19 14:43:57 raspberrypi charon: 16[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 14:43:57 raspberrypi charon: 16[IKE] no private key found for
'ckl.freeboxos.fr'

 Regards

Christian

2016-07-19 17:16 GMT+02:00 Yuri D <p_port at mail.ru>:
> Hi!
>
> So, as You have BB device, You can find good how-to on crackberry.com for
> PSK-based VPN IPv4 with Strongswan. That how-to about Amason service, not
> Raspberry device, but You can transfer it with ease. I tested it and it
> works definitely.
> Another thing You should to keep in mind - BB OS 10.3.0 and upper uses
IPv6
> for its services, so simple IPv4 shuts down everything from BBM voice to
BB
> Link and Blend.
> So, You have 2 ways:
> 1) You can stay on OS 10.2 and You'll be ready to use everything with IPv4
> or
> 2) You must to expand VPN to IPv6 for OS 10.3
>
> Regards,
> Yuri
>
> ----- Исходное сообщение -----
> От: "Tobias Brunner" <tobias at strongswan.org>
> Кому: "Christian Klugesherz" <christian.klugesherz at gmail.com>
> Копия: <Users at lists.strongswan.org>
> Отправлено: 19 июля 2016 г. 16:21
> Тема: Re: [strongSwan] VPN with preshared Key between BB10 andRaspberry-Pi
>
>
>> Hi Christian,
>>
>> > Nevertheless, by removing: `eap_identity` I got the same result.
>>
>> You might need it, but that depends on the client.
>>
>> > On basis, I wanted to use StrongSwan as simple as possible without
>> > certificates CA.
>>
>> That probably won't work as authenticating clients with EAP requires
>> authenticating the server with a certificate to be standard-compliant
>> (RFC 7296, section 2.16).  strongSwan can be configured to combine EAP
>> with PSK authentication.  But that's not recommended, as anybody knowing
>> it could impersonate the server, and most other implementations probably
>> don't support this combination.  Using EAP-only authentication is also
>> possible, if supported by the peer, but that calls for a strong mutual
>> EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).
>>
>> > Does that mean that in any case, you have to set-up a CA in order to
>> > use strongSwan ?
>> > Even with a VPN IKEv2 with preshared Key ?
>>
>> No.  If the client supports it you could, of course, use plain PSK
>> authentication (i.e. without EAP).  Even though it's not recommended for
>> larger roadwarrior deployments (again, anybody knowing the PSK could
>> impersonate the server).
>>
>> Setting up a simple PKI (one CA certificate, one server certificate) is
>> quite easy (see previous link).  You could also use a free certificate
>> from Let's Encrypt or StartSSL, which your client might already trust,
>> which would relieve you from having to install your own CA certificate
>> on the clients.
>>
>> Regards,
>> Tobias
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>