(Here again the same message with better formatting relative to gmail)
Hello All,
I'm struggling to get strongSwan to work with my BlackBerry 10, without success.
Can you please help?
Every time I get a Delay connection error on my BB10.
Here is an extract of a Wireshark trace (without the timestamps):
80.12.51.34 - 192.168.1.29 ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 154 IKE_AUTH MID=01 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
Thanks
Christian
Mobile BB10 -----INTERNET----- NAT gateway
80.12.51.34                    Public:  78.229.20.105 (ckl.freeboxos.fr)
                               Private: 192.168.1.254/24
                                   |
                                   |
                               VPN (Pi) ----------- (Home Network)
                               (Raspberry Pi)       192.168.1.0/24
                               192.168.1.29
Mobile BB10:
BlackBerry Z10 client on the Internet that establishes a tunneled
connection to the VPN gateway (Pi) in the home network
using the MSCHAPv2 EAP protocol via IKEv2 (Preshared Key).
NAT Gateway:
This device, serving as the NAT router of the home network,
forwards the VPN requests of my BB10
to the VPN gateway (Pi). The gateway is reachable from the Internet by the
FQDN "ckl.freeboxos.fr".
The local IP address of the gateway is 192.168.1.254.
VPN (Pi):
Acts as the other endpoint of the VPN connection to my
home network 192.168.1.0/24.
Uses the strongSwan VPN library.
Goal:
My BB10 (from the Internet) should have access to my home network.
StrongSwan (Version):
---------------------------------
Linux strongSwan U5.2.1/K4.4.13+
Port Forwarded on NAT Gateway
-----------------------------------------------
UDP 500,4500 -- Forwarded --> 192.168.1.29
Configuration BB10:
------------------------------
Profile Name : home
Server Address : 78.229.20.105
Gateway Type : Generic IKEv2 VPN Server
Authentication Type : EAP-MSCHAPv2
Authentication ID Type : email
ID Authentication : alice (not used, can be anything)
MSCHAPv2 EAP Identity : alice (not used, can be anything)
MSCHAPv2 Username : alice (--> username in ipsec.secrets)
MSCHAPv2 Password : alicepass (--> alice's password in ipsec.secrets)
Gateway Auth Type : PSK
Gateway Auth ID Type : IPv4
Gateway Preshared Key : pskpass (-->PSK password in ipsec.secrets)
file /etc/sysctl.conf:
-----------------------------
net.ipv4.ip_forward = 1
file /etc/ipsec.secrets:
--------------------------------
include /var/lib/strongswan/ipsec.secrets.inc
: PSK "pskpass"
alice : EAP "alicepass"
file /etc/ipsec.conf:
------------------------------
config setup
    uniqueids=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    [email protected]
    right=%any
    rightsourceip=192.168.1.254/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
file /etc/strongswan.conf :
-----------------------------------
charon {
    load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509
           curl revocation hmac xcbc stroke kernel-netlink socket-default
           fips-prf eap-mschapv2 eap-identity updown
}
Adjustments to IPTABLES, so that the Pi maps the traffic of the VPN
network to its physical network adapter
-----------------------------------------------
sudo iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
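As an added diagnostic aid (not part of Christian's message or of strongSwan itself), the script below parses Wireshark summary lines in the format quoted in the post and flags IKEv2 requests a peer sent more than once. On the quoted trace it reports that the IKE_AUTH request with message ID 1 was sent three times although a response was recorded, which points at the response path (NAT traversal, UDP 500/4500 forwarding, or the client discarding the reply) as the place to look first. The trace lines are a constructed copy of those in the post; the line format is assumed to be the one shown there.

```python
import re
from collections import Counter

# Constructed copy of the Wireshark summary lines quoted in the post
# (timestamps omitted, as in the post itself).
TRACE = """\
80.12.51.34 - 192.168.1.29 ISAKMP 442 IKE_SA_INIT MID=00 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 354 IKE_SA_INIT MID=00 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
192.168.1.29 - 80.12.51.34 ISAKMP 154 IKE_AUTH MID=01 Responder Response
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
80.12.51.34 - 192.168.1.29 ISAKMP 330 IKE_AUTH MID=01 Initiator Request
"""

# One summary line: src - dst ISAKMP len EXCHANGE MID=n role kind
LINE = re.compile(
    r"(?P<src>\S+) - (?P<dst>\S+) ISAKMP (?P<len>\d+) (?P<exch>\S+) "
    r"MID=(?P<mid>\d+) (?P<role>Initiator|Responder) (?P<kind>Request|Response)$"
)

def parse_trace(text):
    """Parse each summary line into a dict; lines in another format are skipped."""
    msgs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["len"], d["mid"] = int(d["len"]), int(d["mid"])
            msgs.append(d)
    return msgs

def exchange_counts(msgs):
    """Requests and responses seen per (exchange type, message ID)."""
    counts = {}
    for m in msgs:
        c = counts.setdefault((m["exch"], m["mid"]), {"Request": 0, "Response": 0})
        c[m["kind"]] += 1
    return counts

def find_retransmits(msgs):
    """(exchange, mid, role, times_sent) for each request sent more than once.
    A peer retransmits a request only until it accepts a response with the
    same message ID (RFC 7296 section 2.1), so repeated requests after a
    response was sent mean the response never reached the client, or was
    discarded by it (e.g. failed decryption/integrity check)."""
    sent = Counter((m["exch"], m["mid"], m["role"])
                   for m in msgs if m["kind"] == "Request")
    return [(ex, mid, role, n) for (ex, mid, role), n in sorted(sent.items()) if n > 1]
```

Paste your own summary lines (File > Export Packet Dissections > As Plain Text in Wireshark, or the Info column) into TRACE and call find_retransmits(parse_trace(TRACE)).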