1. Warios's Avatar
    Strongswan IKEv2 BB10

    **(I'm not responsible if your machine comes alive and eats your cat or becomes a BRICK, BE CAREFUL)**

    GUIDE for RaspberryPI (Raspbian OS)

    *tested on openWRT (trunk) with same configurations different install procedure*
    (should work on any Linux distro with Strongswan 5.0.4)


    1.INSTALL STRONGSWAN 5.0.4:

    Code:
    sudo nano /etc/apt/sources.list
    (add line )
    Code:
    deb http://p.quinput.eu/debfarm/ unstable all
    Code:
    sudo apt-get update
    sudo apt-get install strongswan


    2. FIREWALL:
    Code:
    sudo iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    3.KERNEL PARAMETERS:
    Code:
    sudo nano /etc/sysctl.conf
    (add or correct)

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.proxy_arp = 1
    net.ipv4.conf.default.arp_accept = 1
    net.ipv4.conf.default.proxy_arp_pvlan = 1



    4.make backup of existing conf:

    Code:
    sudo cp /etc/ipsec.conf /etc/ipsec.conf.backup
    sudo cp /etc/strongswan.conf /etc/strongswan.conf.backup
    sudo rm /etc/ipsec.conf
    sudo rm /etc/strongswan.conf


    5. MAKE NEW .CONF FILES:
    Code:
    sudo nano /etc/ipsec.conf

    config setup
        strictcrlpolicy=no

    conn %default
        ikelifetime=24h
        keylife=24h
        keyexchange=ikev2
        dpdaction=clear
        dpdtimeout=3600s
        dpddelay=3600s
        compress=yes

    conn rem
        rekey=no
        leftsubnet=0.0.0.0/0
        leftauth=psk
        leftid=xxx.xxx.xxx.xxx #(What Is My IP Address? Lookup IP, Hide IP, Change IP, Trace IP and more...)
        right=%any
        rightsourceip=192.168.2.1/29 #(if behind router check your router ip MUST be different, my router ip is 192.168.10.1)
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add





    Code:
    sudo nano /etc/ipsec.secrets
    (add to bottom)

    : PSK "FREE_CHOICE1" #(Gateway Preshared Key)
    alice : EAP "FREE_CHOICE2" #(MSCHAPv2 Username : EAP "MSCHAPv2 Password")
    bob : EAP "FREE_CHOICE3" #(second user, same format)



    Code:
    sudo nano /etc/strongswan.conf
    charon {
        threads = 16
        dns1 = 208.67.222.222 #(it's OpenDNS, you can choose yours)
        dns2 = 208.67.220.220
    }

    pluto {
    }

    libstrongswan {
    }

    5(a)
    PORTS TO OPEN UDP 500,4500

    6.CONNECT TO BB10:

    Profile Name: (free choice)
    Server Address: VPN's public IP (What Is My IP Address? Lookup IP, Hide IP, Change IP, Trace IP and more...)
    Gateway Type: Generic IKEv2 VPN Server
    Authentication Type: EAP-MSCHAPv2
    Authentication ID Type: IPv4 (PlayBook) / email (BB Z/Q10; the e-mail doesn't matter, can be anything) (CAUTION)
    MSCHAPv2 EAP Identity: (can be anything)
    MSCHAPv2 Username: (alice, username in ipsec.secrets)
    MSCHAPv2 Password: (FREE_CHOICE2, alice's password in ipsec.secrets)
    Gateway Auth Type: PSK
    Gateway Auth ID Type: IPv4
    Gateway Preshared Key: (PSK password in ipsec.secrets)

    *everything else default!

    REMEMBER: for connecting you must be on a different connection, e.g. 3G/LTE or a friend's

    IF SERVER REBOOTS REMEMBER TO SET IPTABLES AGAIN (or just google how to set iptables)


    7. thx to bloggers: teebeenator, Howard

    here is a pastebin of the same guide: Strongswan for BB10 :: lpaste - Lambda pastebin

    I hope this guide will help! Regards, Wario
    PS: for this you need some Linux knowledge, not for beginners; I'm not responsible if your machine comes alive or explodes
    Last edited by Warios; 09-22-13 at 03:46 PM. Reason: port must be open :)
    flyingsolid likes this.
    09-19-13 05:51 AM
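
Added example (not part of Warios's post and not strongSwan code): a check for the rule in step 5 that the `rightsourceip` pool must differ from the router's network. `parse_conns`, `pool_conflicts` and the sample text are constructed for illustration, and the LAN network (with an assumed /24 mask) is supplied by the caller.

```python
import ipaddress

# Constructed sample: a shortened copy of the guide's ipsec.conf, indented as
# the file format requires (section headers in column 0, parameters indented).
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev2

conn rem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=192.168.2.1/29 #(router ip MUST be different)
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section (hypothetical helper)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # new section header
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def pool_conflicts(text, lan_cidr):
    """Return (conn, pool, reason) for each rightsourceip pool that clashes with the LAN."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    findings = []
    for name, opts in parse_conns(text).items():
        for pool in opts.get("rightsourceip", "").split(","):
            pool = pool.strip()
            if not pool or pool.startswith("%"):  # %dhcp etc.: no static range to compare
                continue
            try:
                # strict=False accepts host bits, as in the guide's 192.168.2.1/29
                net = ipaddress.ip_network(pool, strict=False)
            except ValueError:
                findings.append((name, pool, "not a CIDR network, check by hand"))
                continue
            if net.version == lan.version and net.overlaps(lan):
                findings.append((name, pool, f"overlaps LAN {lan}"))
    return findings

if __name__ == "__main__":
    # 192.168.10.1 is the router address the guide's author mentions; /24 is assumed.
    print(pool_conflicts(SAMPLE_IPSEC_CONF, "192.168.10.1/24"))
    print(pool_conflicts(SAMPLE_IPSEC_CONF, "192.168.2.1/24"))
```
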
  2. qbnkelt's Avatar
    ooooooofffff......I don't want my machine to eat my cat.....thanks for sharing, but I'm a bit of a chicken....
    Warios likes this.
    09-20-13 03:55 AM
  3. turboclean's Avatar
    I don't like cats so i tried this and it worked... pretty awesome
    Warios and flyingsolid like this.
    09-22-13 01:57 PM
  4. Chriz's Avatar
    Thank you very much for this guide. :-)
    What a pity I am not at home for the next 2 weeks. :-(


    Posted via CB10
    09-22-13 03:31 PM
  5. Warios's Avatar
    WIP (work in process) for auto update of external IP for people with dynamic IP, or option to send email with IP from server (so you can choose)
    DDNS not working without certificate
    09-23-13 08:59 AM
  6. qwerty4ever's Avatar
    I don't like cats so i tried this and it worked... pretty awesome
    Does your residential ISP allow you to have servers?

    Posted via CB10 from the BlackBerry Z10
    09-23-13 01:26 PM
  7. Warios's Avatar
    Does your residential ISP allow you to have servers?

    Posted via CB10 from the BlackBerry Z10
    here in DK you can open ports on routers/gateway (those you get from ISP), if you can access router/gateway just open it or contact them and ask to open ports for you!
    09-23-13 01:47 PM
  8. Warios's Avatar
    blog open with guides for VPN, iptables and dynamic IP update (automatic), it's easier for me to add and edit things!

    http://wario-linux.blogspot.dk/
    09-25-13 02:00 PM
  9. ddddafadf's Avatar
    Never run commands you find on the Internet without knowing what they do. Please add some explanation as to what exactly this is doing for people who might not know. And explain the packages you installed.

    Join the Surge Co. Channel! C001213C9
    09-25-13 03:13 PM
  10. Warios's Avatar
    Yes, I will do that! Thx for the advice.
    09-25-13 03:21 PM
  11. Chriz's Avatar
    Hi Warios,
    I have got a problem.
    My router has got +150 local IP addresses after I start the Strongswan server and all IPs are the Pi. How can I fix this?

    Thanks in advance
    Chris
    10-13-13 05:06 AM
  12. Warios's Avatar
    Hi Warios,
    I have got a problem.
    My router has got +150 local IP addresses after I start the Strongswan server and all IPs are the Pi. How can I fix this?

    Thanks in advance
    Chris

    Did you set a static IP on your server? And it's strange, I just checked on my servers for that and I don't get those.
    10-14-13 02:50 AM
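
Added example (not from the thread): one way to confirm the symptom Chriz reports, many LAN addresses that all resolve to the Pi, from the neighbour table of any Linux host on the LAN, and to list the step 3 `sysctl.conf` keys worth reviewing. It assumes, without confirmation in the thread, that the proxy ARP keys are the setting to check, because proxy ARP lets a host answer ARP for addresses it does not own; the function names, addresses and MACs are constructed.

```python
from collections import defaultdict

# Constructed `ip neigh show` output from a LAN host; addresses and MACs are made up.
SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.10 dev eth0 lladdr b8:27:eb:00:00:01 REACHABLE
192.168.0.57 dev eth0 lladdr b8:27:eb:00:00:01 STALE
192.168.0.58 dev eth0 lladdr b8:27:eb:00:00:01 STALE
192.168.0.59 dev eth0 lladdr b8:27:eb:00:00:01 DELAY
192.168.0.77 dev eth0  FAILED
"""

# The sysctl.conf lines from step 3 of the guide.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.arp_accept = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1
"""

def macs_claiming_many_ips(neigh_text, threshold=3):
    """Return {mac: sorted ips} for MACs seen behind at least `threshold` addresses."""
    by_mac = defaultdict(set)
    for line in neigh_text.splitlines():
        fields = line.split()
        if "lladdr" in fields[1:-1]:       # FAILED/INCOMPLETE entries carry no MAC
            mac = fields[fields.index("lladdr") + 1].lower()
            by_mac[mac].add(fields[0])
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) >= threshold}

def proxy_arp_settings(sysctl_text):
    """Return the proxy-ARP related keys that are switched on in sysctl.conf text."""
    enabled = []
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0]       # ignore comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.rsplit(".", 1)[-1] in ("proxy_arp", "proxy_arp_pvlan") and value == "1":
            enabled.append(key)
    return enabled

if __name__ == "__main__":
    for mac, ips in macs_claiming_many_ips(SAMPLE_NEIGH).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    print("proxy ARP keys enabled:", proxy_arp_settings(SAMPLE_SYSCTL))
```

On a real host, feed the first function the output of `ip neigh show` and the second the contents of `/etc/sysctl.conf`.
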
  13. vipernig's Avatar
    Alright so I followed this guide and this is what I got. I managed to connect to my internal network. So when I type my router address I can log into it and I can access my other Pi servers from my Q10 as though I was inside my network. But I do not get access to the internet. Meaning that in the browser I do not get anything. Why I am to vpn is to get access to my network and when I surf on the phone all traffic be encrypted and secure and have a proxy to filter ad servers. Now I have no internet. When I look at the log in the Q10 I get something very interesting. This entry:

    [Raspberry Pi home][msm0]#2 default gateway - 25.56.129.41.

    I was like WTF is that IP. So I do a reverse lookup and BAM this:

    IP Lookup Location For IP Address: 25.56.129.41
    Continent: Europe (EU)
    Country: United Kingdom (GB)
    Capital: London
    State: Unknown
    City Location: Unknown
    ISP: DINSA, Ministry of Defence
    Organization: DINSA, Ministry of Defence

    Time zone: Europe/London

    So WTF is going on here. Why do I have this. Needless to say I stopped the Strongswan IPsec daemon.

    So anyone has a clue?


    EDIT:
    Alright so I got the internet going by fixing this line:

    The guide has this in the ipsec.conf:
    rightsourceip=192.168.2.1/29 #(if behind router check your router ip MUST be different, my router ip is 192.168.10.1)

    I changed it to this:

    rightsourceip=%dhcp

    So that it uses my router's DHCP server. So now the phone is virtually on my network. Next step: add privoxy to advert filter all connections going to the outside from this Pi server. This weird IP is still worrisome though
    Last edited by vipernig; 10-14-13 at 05:36 PM.
    10-14-13 05:06 PM
  14. vipernig's Avatar
    BTW is it me or this uses massive amount of data. I browsed to ign.com and I was having a look at the realtime ip bandwidth on the pi and just loading a couple of pages used 90mb upload and 90mb download. I hope this doesn't mean that I used 180mb of LTE data just to browse for 5 minutes.
    10-14-13 06:48 PM
  15. xACiD's Avatar
    might give this a try. i was thinking about going openvpn on a spare pi i have but if this works with bb10 (openvpn currently does not) i'll give it a shot.
    10-15-13 04:27 AM
  16. xACiD's Avatar
    i have strongswan installed on my pi, partly due to this tutorial and others that i found online. works great from my bb10 phone but having issues on windows 8.

    i can get my CA.crt installed to the trusted root certificate folder in mmc, but i'm not sure what to do with the cakey.pem. it looks like windows doesn't know what to do with it, and i've tried converting to .p12 with no success. if i use mschapv2, username/pw fails, and with machine certification i get 'IKE failed to find machine certificate'
    any ideas?
    01-08-14 04:25 PM
  17. Warios's Avatar
    Sry, I don't have a Win machine so I can't test that!

    try to check this link


    i have strongswan installed on my pi, partly due to this tutorial and others that i found online. works great from my bb10 phone but having issues on windows 8.

    i can get my CA.crt installed to the trusted root certificate folder in mmc, but i'm not sure what to do with the cakey.pem. it looks like windows doesn't know what to do with it, and i've tried converting to .p12 with no success. if i use mschapv2, username/pw fails, and with machine certification i get 'IKE failed to find machine certificate'
    any ideas?
    01-09-14 02:06 AM
  18. qwerty4ever's Avatar
    here in DK you can open ports on routers/gateway (those you get from ISP), if you can access router/gateway just open it or contact them and ask to open ports for you!
    You're fortunate in Denmark. In Canada the residential ISPs block all inbound ports.

    Posted via the BlackBerry Q5 using CB10.
    01-10-14 09:23 PM
  19. fidalhosle's Avatar
    Everything You Need to Know About Your 127.0.0.1 IP Address
    The driving force guiding each of the names of the web addresses of Websites are a group of numbers known as IP addresses. IP is short for Internet Protocol, and represents the main network layer for use on the Internet.
    What is My IP - 127.0.0.1?
    This specific IP address, also referred to as a local host, is the groundwork for which loop back connections are handled.
    Loopback indicates returning back, which is exactly what 127.0.0.1 does, since it is the address of your unit. Making use of telnet, file transfer protocol, or try in in any manner to get to 127.0.0.1, you will end up back to the hosting server, which is your computer.
    On the other hand, it is just the first three numbers (127) that are required; make use of a variety combination with 127 and the outcome will be the exact same if you type it into your address bar.
    01-29-14 02:48 AM
  20. hertomas's Avatar
    I have followed all the steps and everything works just fine, only problem is when my raspberry is connected to my network my router is unable to affect dhcp IP's to all my devices, I have to use static IP with Mac to make them work, as soon as I turn off or unhook my raspberry my router dhcp works again as it should be... any idea what parameter is causing this conflict in my raspberry !?
    06-04-17 07:41 PM
  21. DrBoomBotz's Avatar
    I have followed all the steps and everything works just fine, only problem is when my raspberry is connected to my network my router is unable to affect dhcp IP's to all my devices, I have to use static IP with Mac to make them work, as soon as I turn off or unhook my raspberry my router dhcp works again as it should be... any idea what parameter is causing this conflict in my raspberry !?
    You should only have one DHCP server per broadcast domain.
    06-04-17 08:00 PM
  22. hertomas's Avatar
    It's the case, having only one dhcp server/router and my raspberry configuration as mentioned in this forum.
    Any chance my raspberry is acting as a dhcp and doing a conflict in my local lan!? Any command that I can use to check this conflict !?
    I do not have dhcp server installed on my raspberry and I'm using a different IP range than my local lan under rightsourceip.
    My router dhcp = 192.168.0.x
    My raspberry rightsourceip = 10.10.0.x
    When my raspberry is connected, my devices try to obtain an automatic IP from my router and they are ending up with a 169.254.... instead of 192.168... , when raspberry is disconnected all goes well.
    Last edited by hertomas; 06-04-17 at 08:48 PM.
    06-04-17 08:07 PM
  23. DrBoomBotz's Avatar
    It's the case, having only one dhcp server/router and my raspberry configuration as mentioned in this forum.
    Any chance my raspberry is acting as a dhcp and doing a conflict in my local lan!? Any command that I can use to check this conflict !?
    I do not have dhcp server installed on my raspberry and I'm using a different IP range than my local lan under rightsourceip.
    My router dhcp = 192.168.0.x
    My raspberry rightsourceip = 10.10.0.x
    When my raspberry is connected, my devices try to obtain an automatic IP from my router and they are ending up with a 169.254.... instead of 192.168... , when raspberry is disconnected all goes well.
    Maybe someone else has the fortitude to hold your hand through this, I'm too tired.

    Wireshark https://www.wireshark.org/ will allow you to see what is happening on the wire.

    The following links will explain what you are seeing.

    https://www.ietf.org/rfc/rfc2131.txt

    https://en.wikipedia.org/wiki/Zero-c...ion_networking
    Last edited by DrBoomBotz; 06-04-17 at 10:06 PM.
    06-04-17 09:54 PM
  24. hertomas's Avatar
    Thanks for your time

    BlackBerry Passport SE
    06-05-17 10:39 AM
  25. hertomas's Avatar
    Anyone else is able to share his experience and probably help me find a solution to my problem !?

    BlackBerry Passport SE
    06-05-17 10:40 AM
