Author Topic: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!  (Read 9630 times)

Offline dguy

BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« on: November 29, 2013, 11:04:41 pm »
After a lot of trial and error I finally got this working and thought I would share.

My Settings...

Device: Blackberry Z10 (Software Release: 10.2.0.429)
Firewall: pfSense 2.1

The method that finally worked was using this document to a T.

https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

The device config that worked for me was the following:

BlackBerry Z10 Settings
Profile Name: Test
Server Address: 26.27.28.29 (couldn’t get to work with domain name)
Gateway Type: Cisco Secure PIX Firewall VPN
Authentication Type: XAUTH-PSK
Group Username: username@test.com
Group Password: Thisisjustatest
Hardware Token: OFF
Username: Tester
Password: 12345
Auto Determine IP: ON
Automatically Determine DNS: OFF (couldn't get to work when set to ON)
Primary DNS: 10.2.3.4
DNS Suffix: test.com
Automatically Determine Algorithm: ON
IKE Lifetime (Seconds): 86400
IPSec Lifetime (Seconds): 10800
NAT Keep Alive (Seconds): 30
DPD Frequency (Seconds): 240
Disable Banner: OFF
Use Proxy: OFF

Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #1 on: February 23, 2014, 04:50:26 pm »
I also have a Blackberry Z10 (10.2.1) but I am unable to establish an ipsec connection with my router (2.1-RELEASE (i386)). I have followed every step, but was not successful. After some time trying to connect I received a time out on the Blackberry.

https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 does not mention how to set up "Extended Authentication (Xauth)" on the Mobile clients tab. I have used "Local Database" (only available option) for User Authentication and "system" for Group Authentication. I have replaced "Primary DNS: 10.2.3.4" with my dns forwarder 192.168.1.1. (also tried with Opendns).

Then tried adjusting many settings without success, such as:
- enabled and disabled "Provide a DNS server list to clients" with 192.168.1.1
- enabled and disabled "Enable DPD" on phase 1

Any help would be much appreciated. I am very curious if your settings still work. Maybe we can exchange screenshots (of pfsense and Blackberry setting)?

Below are more details (ipsec log).

Feb 23 23:14:22    racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
Feb 23 23:14:22    racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Feb 23 23:14:22    racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Feb 23 23:14:22    racoon: INFO: Resize address pool from 0 to 253
Feb 23 23:14:22    racoon: [Self]: INFO: XX.XXX.180.6[4500] used for NAT-T
Feb 23 23:14:22    racoon: [Self]: INFO: XX.XXX.180.6[4500] used as isakmp port (fd=13)
Feb 23 23:14:22    racoon: [Self]: INFO: XX.XXX.180.6[500] used for NAT-T
Feb 23 23:14:22    racoon: [Self]: INFO: XX.XXX.180.6[500] used as isakmp port (fd=14)
Feb 23 23:14:24    racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
Feb 23 23:14:24    racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Feb 23 23:14:24    racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Feb 23 23:14:24    racoon: INFO: Resize address pool from 0 to 253
Feb 23 23:14:24    racoon: [Self]: INFO: XX.XXX.180.6[4500] used for NAT-T
Feb 23 23:14:24    racoon: [Self]: INFO: XX.XXX.180.6[4500] used as isakmp port (fd=19)
Feb 23 23:14:24    racoon: [Self]: INFO: XX.XXX.180.6[500] used for NAT-T
Feb 23 23:14:24    racoon: [Self]: INFO: XX.XXX.180.6[500] used as isakmp port (fd=22)
Feb 23 23:14:24    racoon: INFO: unsupported PF_KEY message REGISTER
Feb 23 23:14:24    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
Feb 23 23:14:24    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
Feb 23 23:16:03    racoon: [Self]: INFO: respond new phase 1 negotiation: XX.XXX.180.6[500]<=>XX.XX.45.186[500]
Feb 23 23:16:03    racoon: INFO: begin Aggressive mode.
Feb 23 23:16:03    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 23 23:16:03    racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 23 23:16:03    racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 23 23:16:03    racoon: INFO: received Vendor ID: DPD
Feb 23 23:16:03    racoon: [92.69.45.186] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Feb 23 23:16:03    racoon: INFO: Adding remote and local NAT-D payloads.
Feb 23 23:16:03    racoon: [92.69.45.186] INFO: Hashing XX.XX.45.186[500] with algo #2 (NAT-T forced)
Feb 23 23:16:03    racoon: [Self]: [XX.XXX.180.6] INFO: Hashing XX.XXX.180.6[500] with algo #2 (NAT-T forced)
Feb 23 23:16:03    racoon: INFO: Adding xauth VID payload.
Feb 23 23:16:13    racoon: NOTIFY: the packet is retransmitted by XX.XX.45.186[500] (1).
Feb 23 23:16:23    racoon: NOTIFY: the packet is retransmitted by XX.XX.45.186[500] (1).
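
As an added illustration (not part of the original thread): a small Python script that parses racoon log lines in the format quoted above and flags peers whose phase 1 never completes while they keep retransmitting, the pattern that Reply #2 below resolved by allowing UDP 500 and 4500 on the WAN tab. The sample log is constructed with documentation addresses; the "ISAKMP-SA established" line follows racoon's usual success message rather than anything shown in this thread.

```python
import re

# Constructed sample in the racoon log format quoted above (documentation
# addresses; the "ISAKMP-SA established" line follows racoon's usual success message).
SAMPLE_LOG = """\
Feb 23 23:16:03    racoon: [Self]: INFO: respond new phase 1 negotiation: 198.51.100.6[500]<=>203.0.113.186[500]
Feb 23 23:16:03    racoon: INFO: begin Aggressive mode.
Feb 23 23:16:03    racoon: INFO: Adding xauth VID payload.
Feb 23 23:16:13    racoon: NOTIFY: the packet is retransmitted by 203.0.113.186[500] (1).
Feb 23 23:16:23    racoon: NOTIFY: the packet is retransmitted by 203.0.113.186[500] (1).
Feb 23 23:20:01    racoon: [Self]: INFO: respond new phase 1 negotiation: 198.51.100.6[500]<=>203.0.113.77[500]
Feb 23 23:20:01    racoon: INFO: begin Aggressive mode.
Feb 23 23:20:02    racoon: INFO: ISAKMP-SA established 198.51.100.6[4500]-203.0.113.77[4500] spi:0123456789abcdef:fedcba9876543210
"""

PHASE1_RE = re.compile(r"respond new phase 1 negotiation: \S+\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
MODE_RE = re.compile(r"begin (?P<mode>Aggressive|Main) mode")
RETRANS_RE = re.compile(r"the packet is retransmitted by (?P<peer>[\d.]+)\[\d+\]")
ESTABLISHED_RE = re.compile(r"ISAKMP-SA established \S+\[\d+\]-(?P<peer>[\d.]+)\[\d+\]")


def analyse(log_text):
    """Return {peer_ip: {"mode", "retransmits", "established"}} from racoon log lines."""
    peers = {}
    current = None  # peer whose phase 1 was most recently started
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):
            current = peers.setdefault(m["peer"], {"mode": "unknown", "retransmits": 0, "established": False})
        elif (m := MODE_RE.search(line)) and current is not None:
            current["mode"] = m["mode"].lower()
        elif (m := RETRANS_RE.search(line)) and m["peer"] in peers:
            peers[m["peer"]]["retransmits"] += 1
        elif (m := ESTABLISHED_RE.search(line)) and m["peer"] in peers:
            peers[m["peer"]]["established"] = True
    return peers


def stalled_peers(peers, min_retransmits=2):
    """Peers that kept retransmitting and never reached ISAKMP-SA established:
    the responder's replies are not reaching the client, so check that the WAN
    rules pass UDP 500 and 4500 to the firewall before tuning phase 1 settings."""
    return sorted(ip for ip, p in peers.items()
                  if not p["established"] and p["retransmits"] >= min_retransmits)


if __name__ == "__main__":
    for ip in stalled_peers(analyse(SAMPLE_LOG)):
        print(f"phase 1 stalled for {ip}: responder replies not acknowledged")
```

Feed it the output of the pfSense IPsec log tab to see which client addresses started a negotiation but never finished it.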

Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #2 on: February 24, 2014, 07:30:17 am »
Got it working!

Exactly followed the tutorials for Pfsense and Blackberry AND added the following rules:
1) Allowed any on ipsec tab (already had that rule: was explicitly mentioned);
2) Added multiple NAT rules (outbound tab) for the new IPSEC subnet for WAN and Openvpn (figured this was needed as I have "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" enabled, as AON was needed for my Openvpn server to get working (router connects to privateinternetaccess via openvpn so all clients can benefit))
3) Allowed port 500 (ISAKMP) on wan tab
4) Allowed port 4500 (IPSEC NAT-T) on wan tab (needed?)

When I added number 2) I was able to establish a VPN connection from my guest wifi (shielded from my LAN), but did not get it working on a mobile connection (3G). When I added number 3) and 4) I was also able to establish a VPN connection from the mobile data connection.

In the next few days I will try to harden security (try disabling some NAT rules of number 2) and disable 4)) and see if the connection is still working.

Anyone else have their Blackberry Z10 working with Pfsense? What settings do you use?

Offline downtown

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #3 on: August 07, 2014, 01:26:45 am »
I got this working with the instructions by dguy and rules added by newbie1975.  Exception: item number 2 by newbie1975 didn't apply to my setup as I don't use Manual Outbound NAT.

One hitch:  When I tap the connection to connect on the BB10, I get the message: VPN connection [Connection Name] requires additional information.  When I click Continue it works fine.

pfSense: 2.1.4-RELEASE
Blackberry: Z10 10.2.1.2977

Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #4 on: August 30, 2014, 01:16:09 pm »
@downtown: I do not recognise the message "VPN connection [Connection Name] requires additional information". Some non-mandatory information/settings must be missing on PfSense or Blackberry?

URL (https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0) recommends encryption algorithm AES 128 and hash algorithm SHA1 (both for phase 1 and 2). I have "upgraded" my PfSense settings AND Blackberry settings to AES256 and SHA256 (both for phase 1 and 2). All is working fine! I do not understand why the link mentions SHA1 (for phase 2 it even says SHA1 *only*) as I have read that SHA1 may have flaws and as SHA256 also seems to work fine for me.

===

Might not be the right forum for my following question, but I do not know any (other technically oriented) website for Blackberry connection/vpn issues.

Currently my Blackberry is configured to automatically connect to my router over vpn (ipsec) when mobile data is enabled, but not when using my home wifi (as PfSense is taking care of a vpn connection for all clients). Normally Blackberry first tries to connect to any known wifi networks and when none is available it uses a mobile data connection. But it seems that this connection order is overruled when a vpn is configured to automatically connect (which I have configured for mobile data). Now I have to manually disable the mobile data connection in order to use my wifi. Maybe somebody solved this minor inconvenience?
« Last Edit: August 30, 2014, 01:32:13 pm by newbie1975 »

Offline i68040

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #5 on: December 23, 2014, 09:02:28 am »

Anyone else have their Blackberry Z10 working with Pfsense? What settings do you use?

I use a BlackBerry Q10 and documented what I did to get this working here: http://boredwookie.net/index.php/blog/how-get-pfsense-ipsec-vpn-work-bb10/

The main things that I did differently than your configuration were:
- Configuring a Squid proxy so I can browse the internet when using the VPN
- Manually assigning the DNS Server in the device profile on my BlackBerry instead of relying on Mobile Settings (which didn't work)

Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING! (no longer on 2.2)
« Reply #6 on: January 25, 2015, 04:51:13 pm »
After upgrading today to pfSense 2.2 my ipsec connection no longer works as expected. My mobile does connect, but internet traffic is no longer sent through the ipsec tunnel. All internet traffic is sent directly through my mobile 3g subscription. Seems related to: https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes

"Behavior changes where an incorrect configuration that worked before no longer will – There may be things that worked with racoon which were technically not configured correctly, but still worked. The only instance of this we’ve seen is for mobile IPsec clients, where Internet traffic could pass in some circumstances without having specified 0.0.0.0/0 as the local network in the mobile phase 2 configuration. If your mobile IPsec clients need to access the Internet via IPsec, your mobile phase 2 must specify 0.0.0.0/0 as the local network."

I have changed my phase 2 local subnet from LAN to 0.0.0.0/0 but then my Blackberry Z10 will not connect anymore.

Also tried to switch from aggressive mode to main mode:

Changes in behavior because of this change may trigger bugs in remote endpoints that weren't previously an issue. Those using racoon (pfSense 2.1.x and earlier, among a variety of other similar products) on remote endpoints with aggressive mode may encounter a bug in racoon related to NAT-D and aggressive mode. Any site to site IPsec VPNs using aggressive mode with racoon as a remote endpoint should change to main mode to prevent this from being an issue. Main mode is preferable regardless.

But this also does not work. My mobile will not connect anymore. Maybe related to: https://forum.pfsense.org/index.php?topic=87281.0
PSK does not seem to work with main mode?

Anyone have the same issues and maybe a solution in order to force all internet traffic from Blackberry 10 through ipsec tunnel?
« Last Edit: January 25, 2015, 05:00:17 pm by newbie1975 »

Offline downtown

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #7 on: January 27, 2015, 01:43:21 am »
@newbie1975

Same here. Upgraded and now no connection. I'm getting a timeout. The logs say that I'm authenticated, but then I get a timeout.


Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #8 on: January 28, 2015, 04:25:08 pm »
I did roll back to 2.1.5. Currently 2.2 does not seem production ready regarding ipsec.

Offline ThomasB

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #9 on: March 29, 2015, 04:50:46 am »
Could the problem be solved by the new 2.2.1 version?

Thanks!

Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING! (no longer on 2.2)
« Reply #10 on: May 11, 2015, 02:57:12 am »
No. Did not work for me on 2.2.1 or 2.2.2. I am not upgrading, staying with 2.1.5. There are still too many issues with ipsec on 2.2.1 / 2.2.2.

Offline ThomasB

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #11 on: August 16, 2015, 04:50:37 am »
It seems that 2.2.4 is much better than the previous versions.

Has anyone tested the new scenario? Otherwise I'll give it a try.

Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #12 on: August 16, 2015, 06:00:26 am »
Did not try. At the moment I do not have time for testing. I am very curious about your testing! Are you going to test a direct upgrade of 2.1.5 to 2.2.4? Also very curious if ipsec ikev2 is working with BlackBerry.

Good luck with testing!

Offline ThomasB

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #13 on: August 17, 2015, 03:53:39 am »
I will build a basic testing system with new hardware and a fresh 2.2.4 pfSense.

At the moment the only problem is that our dealer can't deliver the ordered hardware. So we (our company & the thread followers  :P) have to wait approximately two or three weeks.
Nevertheless I am quite optimistic  :)

If there are any other tests or known issues or working systems (@ BlackBerry OS 10.3), please leave a note in this thread.

Offline newbie1975

Re: BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
« Reply #14 on: October 19, 2015, 09:50:28 am »
@ThomasB: any updates re your basic testing system and Ipsec/BlackBerry VPN connections?