Hi, I have a fully working setup of OpenIKEd + Win7 x64 using IKEv2 and MSCHAPv2, but a BlackBerry device stops negotiating and fails while connecting. The exact BlackBerry SW version is 10.3.2.2836.
The cert and 2048-bit key were transferred to the BlackBerry device in *.p12 form. 10.0.20.0/24 is the local network, 10.0.10.0/24 is the IPsec network, and the DNS server is 10.0.20.1. /etc/iked.conf is:

ikev2 "winauth" passive esp \
        from 10.0.20.0/24 to 10.0.10.0/24 \
        local IP_of_server peer any \
        srcid myserver.domain \
        eap "mschap-v2" \
        config address 10.0.10.10 \
        config netmask 255.255.255.0 \
        config name-server 10.0.20.1 \
        # ikesa auth hmac-sha1 enc 3des group modp2048 \
        # childsa auth hmac-sha1 enc aes-256 group modp2048 \
        tag "$name-$id"

OBSD has a working PF setup that allows IPsec traffic {isakmp, ipsec-nat-t} and both protos {ah, esp}. I'm trying to make the same setup with BlackBerry OS 10.3.2.2836 using the same /etc/iked.conf. On the BlackBerry phone I tried various profiles (the general profile is listed below):

---------------------------------------
Server address: IP_of_server
Gateway type: Generic IKEv2 VPN Server (tried Microsoft IKEv2 VPN Server, but unsuccessful too)
Auth Type: EAP-MSCHAPv2
Authentication ID Type: FQDN
Auth ID: myserver.domain
MSCHAPv2 EAP Identity: username
MSCHAPv2 Password: userpass
Gateway Auth Type: PKI
Gateway Auth ID Type: FQDN
Gateway Auth ID: myserver.domain
Allow Untrusted Cert: Prompt
Gateway CA Cert: CAmyserver.domain.name
Perfect Forward Secrecy: set_to_YES
Auto IP: set_to_YES
Auto DNS: set_to_YES
Auto Determine Algorithm: set_to_YES
IKE lifetime in Sec.: 86400
IPSec Lifetime: 10800
NAT Keep Alive: 30
DPD Frequency: 240
Use Proxy: set_to_NO
-----------------------------

#iked -dvv negotiating with the BlackBerry phone:

...
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 240
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 240/240 padding 15
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19
ikev2_pld_id: id FQDN/myserver.domain length 15
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_certreq: invalid certificate request
ikev2_resp_recv: failed to parse message

The same connection works fine between Win7 and iked. The iked log is below:

...
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 7
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 28
ikev2_pld_auth: method SHARED_KEY_MIC length 20
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 32
ikev2_pld_cp: type REPLY length 24
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x84ea51d8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.10.0 end 10.0.10.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.20.0 end 10.0.20.255
ikev2_msg_send: IKE_AUTH from IP_of_server:4500 to IP_of_client:4500, 212 bytes, NAT-T
pfkey_sa_add: update spi 0x84ea51d8
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x84ea51d8
pfkey_sa_add: add spi 0xcfea0559
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0xcfea0559
ikev2_childsa_enable: loaded flow 0x20527e400
ikev2_childsa_enable: loaded flow 0x204a56800
sa_state: EAP_VALID -> ESTABLISHED from IP_of_client:4500 to IP_of_server:4500 policy 'winauth'

Or what phone model (brand) can I use to have IPsec working on the road? Thanks.
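The failing BlackBerry log above is worth reading byte by byte: the CERTREQ payload has length 5, which is exactly the 4-byte IKEv2 generic payload header plus the 1-byte Certificate Encoding field, so its Certification Authority field (a list of 20-byte SHA-1 hashes of CA SubjectPublicKeyInfo for X.509, per RFC 7296 section 3.7) is empty. iked logs that as "signatures length 0" and then "invalid certificate request" and drops the IKE_AUTH message. The following Python is an added example, not part of the original post and not code from OpenBSD or iked: it walks the decrypted SK payload chain with the generic-header rules, decodes a CERTREQ the way the RFC lays it out, and reproduces the accept/reject decision the log shows. The sample bodies (IDi -> CERTREQ -> CP) and the CA hash are constructed here; the only assumption beyond the RFC is that iked's rejection is keyed on the zero-length X.509 CA list, which is what the two log lines state.

```python
import hashlib
import struct

# IKEv2 constants from RFC 7296 (sections 3.2, 3.5, 3.6, 3.7).
PT_NONE, PT_IDI, PT_CERTREQ, PT_CP = 0, 35, 38, 47
PAYLOAD_NAMES = {PT_NONE: "NONE", PT_IDI: "IDi", PT_CERTREQ: "CERTREQ", PT_CP: "CP"}
ID_FQDN = 2            # Identification type FQDN
CERT_X509_SIG = 4      # Certificate Encoding "X.509 Certificate - Signature"
CP_REQUEST = 1         # Configuration payload CFG_REQUEST
SHA1_LEN = 20          # X.509 CERTREQ CA field is a list of SHA-1(SubjectPublicKeyInfo)


def parse_payloads(body, first_type):
    """Walk the generic payload headers of a decrypted SK body.

    Header: Next Payload (1), Critical bit + reserved (1), Length (2, big-endian,
    including the header). Returns [(type, critical, data), ...].
    """
    out, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        if off + 4 > len(body):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, flags, length = struct.unpack("!BBH", body[off:off + 4])
        if length < 4 or off + length > len(body):
            raise ValueError("bad length %d for payload type %d" % (length, ptype))
        out.append((ptype, bool(flags & 0x80), body[off + 4:off + length]))
        off, ptype = off + length, nxt
    if off != len(body):
        raise ValueError("%d trailing bytes after last payload" % (len(body) - off))
    return out


def parse_certreq(data):
    """Decode a CERTREQ body: Certificate Encoding byte, then the CA field.

    For X.509 the CA field must be a whole number of 20-byte hashes; zero hashes
    is syntactically legal but expresses no CA preference at all.
    """
    if not data:
        raise ValueError("CERTREQ has no Certificate Encoding byte")
    enc, ca = data[0], data[1:]
    if enc == CERT_X509_SIG and len(ca) % SHA1_LEN:
        raise ValueError("X.509 CA field length %d is not a multiple of %d" % (len(ca), SHA1_LEN))
    return enc, [ca[i:i + SHA1_LEN] for i in range(0, len(ca), SHA1_LEN)]


def iked_accepts_certreq(data):
    """Model the decision visible in the log: an X.509 CERTREQ whose CA list is empty
    ('signatures length 0') is reported as 'invalid certificate request'.
    Only the X.509 case shown in the log is modelled (assumption)."""
    enc, hashes = parse_certreq(data)
    return enc == CERT_X509_SIG and len(hashes) > 0


# --- constructed sample messages (not captured traffic) ---------------------

def generic(next_type, data, critical=False):
    return struct.pack("!BBH", next_type, 0x80 if critical else 0, 4 + len(data)) + data


def idi_body(fqdn):
    return struct.pack("!B3x", ID_FQDN) + fqdn            # ID type, 3 reserved, ID data


def certreq_body(ca_hashes):
    return bytes([CERT_X509_SIG]) + b"".join(ca_hashes)


def cp_body():
    # CFG_REQUEST for INTERNAL_IP4_ADDRESS (1) and INTERNAL_IP4_DNS (3), zero-length values
    return struct.pack("!B3x", CP_REQUEST) + struct.pack("!HH", 1, 0) + struct.pack("!HH", 3, 0)


def build_ike_auth_body(ca_hashes):
    """Decrypted SK contents in the order the log shows: IDi -> CERTREQ -> CP -> NONE."""
    return (generic(PT_CERTREQ, idi_body(b"myserver.domain"))
            + generic(PT_CP, certreq_body(ca_hashes))
            + generic(PT_NONE, cp_body()))


def summarize(body):
    """Return ([(payload name, total length)], list of CA hashes from the CERTREQ)."""
    names, hashes = [], None
    for ptype, _critical, data in parse_payloads(body, PT_IDI):
        names.append((PAYLOAD_NAMES.get(ptype, str(ptype)), 4 + len(data)))
        if ptype == PT_CERTREQ:
            hashes = parse_certreq(data)[1]
    return names, hashes


# Constructed CA hash: SHA-1 over a placeholder standing in for the CA's SubjectPublicKeyInfo DER.
CA_HASH = hashlib.sha1(b"constructed SubjectPublicKeyInfo DER").digest()
EMPTY_CERTREQ_BODY = build_ike_auth_body([])          # CERTREQ length 5, as in the BlackBerry log
ONE_CA_CERTREQ_BODY = build_ike_auth_body([CA_HASH])  # CERTREQ length 25: one CA hash

if __name__ == "__main__":
    for label, body in (("empty CA list", EMPTY_CERTREQ_BODY), ("one CA hash", ONE_CA_CERTREQ_BODY)):
        names, hashes = summarize(body)
        accepted = iked_accepts_certreq(certreq_body(hashes))
        print(label, names, [h.hex() for h in hashes], "accepted" if accepted else "rejected")
```

The useful check when comparing two clients is therefore not whether a CERTREQ is present but how long it is: a client that sends 5-byte CERTREQs is telling the responder "any CA", and a responder that treats that as a parse error will never reach the EAP exchange, whereas a client that lists the gateway CA's key hash gets past this point. The same parser reports the structural errors a fuzzer or a hostile peer would produce (odd CA field lengths, payload lengths that overrun the SK body) as exceptions rather than silently indexing past the buffer.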