1. Palda's Avatar
    Last month I configured strongswan on an Ubuntu server using this script (manually entering the commands from the script) and it works flawlessly. I use ufw as the firewall on the server and, if I remember correctly, I had to allow the necessary ports for the IPsec traffic - 500, I believe?

    Posted via CB10
    12-22-15 06:23 AM
  2. Rebelllious's Avatar
    I use ufw as the firewall on the server and, if I remember correctly, I had to allow the necessary ports for the IPsec traffic - 500, I believe?
    UDP 500 and UDP 4500.
    12-22-15 07:12 AM
  3. Rebelllious's Avatar
    Has anyone done this with strongswan 5.3.5? There have been a lot of updates and I'd like to use the latest software. I tried following the script but I'm missing something. I'm able to connect to the server, but I can't get out. I believe I have done everything correctly, but I have a feeling that somehow iptables is causing the trouble.

    Actually, it looks like a DNS issue. I can access websites via IP but not by name. It looks like the configuration for strongswan changed a bit and recommends putting the DNS entries in another file, which I did, but no luck.
    In my script, iptables is configured to allow all possible access outside. To me, your case looks like disabled packet forwarding in /etc/sysctl.conf - in that case you always get connected to the server, but you never get further than that, i.e. no Internet connectivity.
    Code:
    net.ipv4.ip_forward = 0
    should become
    Code:
    net.ipv4.ip_forward = 1
    12-22-15 07:15 AM
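The two server-side checks raised in the posts above (packet forwarding in /etc/sysctl.conf and the UDP 500/4500 firewall rules), as an added example that is not part of this thread or of Rebelllious's script; the sysctl.conf text and the `ufw status` table it reads are constructed samples, not output captured from a real server:

```python
"""Pre-flight checks for a strongSwan IKEv2 gateway (added example, not from the thread).

The thread names two server-side causes of "connected, but no Internet":
  * net.ipv4.ip_forward must be 1 in /etc/sysctl.conf, and
  * the firewall must accept UDP 500 (IKE) and UDP 4500 (NAT-T).
Both the sysctl.conf text and the `ufw status` table below are constructed
samples; on a real box read /etc/sysctl.conf and the output of `sudo ufw status`.
"""
import re

# UDP ports a strongSwan gateway must accept from clients (from the thread).
REQUIRED_UDP_PORTS = {500, 4500}

# Matches a rule row of the default `ufw status` table, e.g.
# "500/udp                    ALLOW       Anywhere"
# (`ufw status verbose` prints "ALLOW IN", which is accepted as well).
UFW_RULE = re.compile(r"^(\d+)/(udp|tcp)\s+ALLOW(?:\s+IN)?\s", re.IGNORECASE)


def sysctl_value(text, key):
    """Return the value of the last uncommented `key = value` line for key, or None."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == key:
            value = v                           # last assignment wins, as sysctl does
    return value


def ip_forward_enabled(sysctl_text):
    """True only if net.ipv4.ip_forward is explicitly set to 1."""
    return sysctl_value(sysctl_text, "net.ipv4.ip_forward") == "1"


def allowed_udp_ports(ufw_status_text):
    """Set of UDP ports that have an ALLOW rule in `ufw status` output."""
    ports = set()
    for line in ufw_status_text.splitlines():
        m = UFW_RULE.match(line.strip())
        if m and m.group(2).lower() == "udp":
            ports.add(int(m.group(1)))
    return ports


def missing_ipsec_ports(ufw_status_text):
    """Required IPsec UDP ports that have no ALLOW rule, sorted ascending."""
    return sorted(REQUIRED_UDP_PORTS - allowed_udp_ports(ufw_status_text))


def preflight(sysctl_text, ufw_status_text):
    """List of human-readable problems; an empty list means both checks passed."""
    problems = []
    if not ip_forward_enabled(sysctl_text):
        problems.append("net.ipv4.ip_forward is not 1: clients connect but never get past the server")
    for port in missing_ipsec_ports(ufw_status_text):
        problems.append(f"UDP {port} has no ALLOW rule in ufw")
    return problems


# Constructed sample: forwarding left at the default, NAT-T port never opened.
SAMPLE_SYSCTL = """\
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
net.ipv4.ip_forward = 0
"""

SAMPLE_UFW = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
500/udp                    ALLOW       Anywhere
"""

# Constructed sample after applying the two fixes discussed in the thread.
FIXED_SYSCTL = SAMPLE_SYSCTL.replace("net.ipv4.ip_forward = 0", "net.ipv4.ip_forward = 1")
FIXED_UFW = SAMPLE_UFW + "4500/udp                   ALLOW       Anywhere\n"

if __name__ == "__main__":
    for problem in preflight(SAMPLE_SYSCTL, SAMPLE_UFW):
        print("problem:", problem)
    print("after fix:", preflight(FIXED_SYSCTL, FIXED_UFW) or "no problems found")
```

Note that the sysctl check only reads the file; a value edited in /etc/sysctl.conf takes effect after `sysctl -p` or a reboot, so a passing file check does not by itself prove the running kernel is forwarding.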
  4. revnil's Avatar
    Hey thanks for the reply!

    net.ipv4.ip_forward = 1 is set in that file.
    I played around with it a bit more last night. I can hit IP addresses of websites, but not domain names. In the latest strongswan it looks like they have divided out the config files. The strongswan.conf includes the /etc/strongswan.d/*.conf and strongswan.d/charon/*.conf files. So I put the DNS entries in charon.conf. That doesn't appear to work though.
    Edit: Putting it directly in strongswan.conf doesn't seem to work either.
    12-22-15 01:36 PM
  5. Rebelllious's Avatar
    I can hit ip addresses of websites, but not by domain name
    add
    Code:
    rightdns = 8.8.8.8
    into the appropriate section of /etc/ipsec.conf file. This seems to help you in case it is really a DNS issue. This will assign Google DNS server 8.8.8.8 to any client connected to your VPN.
    12-22-15 02:06 PM
  6. revnil's Avatar
    I added that entry to ipsec.conf with the other "right" stuff and restarted ipsec. No change.
    12-22-15 03:23 PM
  7. Rebelllious's Avatar
    I added that entry to ipsec.conf with the other "right" stuff and restarted ipsec. No change.
    Let's give it another try. Delete what you have added into ipsec.conf for now.
    Code:
    charon {
        dns1 = 8.8.4.4
        dns2 = 8.8.8.8
    }
    Above is what it looks like in my script
    Code:
    # the following assigns two DNS servers to peers
    charon {
        plugins {
            attr {
                dns = 8.8.8.8, 8.8.4.4
            }
        }
    }
    And this is what you can try to add into strongswan.conf file. Tell us if you get it working.

    P.S. Example taken from https://wiki.strongswan.org/projects...iki/Attrplugin
    Last edited by Rebelllious; 12-22-15 at 03:34 PM. Reason: Link added.
    12-22-15 03:33 PM
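An added example, not from this thread or from the strongSwan project, that parses the nested strongswan.conf syntax shown in the post above and reports which DNS servers a configuration would hand to connecting peers, in either the attr plugin form (`charon.plugins.attr.dns`) or the older `charon.dns1` / `charon.dns2` form. The two configurations it reads are constructed from the snippets in the thread; `include` lines are recorded but not followed:

```python
"""Minimal reader for strongswan.conf-style files (added example, not strongSwan code).

strongswan.conf nests `key = value` settings inside `section { ... }` blocks.
The parser below turns that into nested dicts so we can check which DNS servers
charon would push to peers: the attr plugin's comma-separated `dns` list, or the
legacy `dns1` / `dns2` keys directly under `charon`. `include` directives are
recorded but not followed, so anything set in /etc/strongswan.d/*.conf is not seen.
"""


def parse_strongswan_conf(text):
    """Parse strongswan.conf syntax into nested dicts (sections) and strings (values)."""
    root = {}
    stack = [root]                            # innermost open section is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: closing brace without an open section")
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            section = stack[-1].setdefault(name, {})   # re-opening a section merges into it
            stack.append(section)
        elif line.startswith("include "):
            stack[-1].setdefault("__includes__", []).append(line[len("include "):].strip())
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section: missing '}'")
    return root


def assigned_dns(conf):
    """DNS servers charon would push to peers, in the order they are listed."""
    charon = conf.get("charon", {})
    attr = charon.get("plugins", {}).get("attr", {})
    if "dns" in attr:
        # attr plugin form: one comma-separated list
        return [s.strip() for s in attr["dns"].split(",") if s.strip()]
    # legacy form: dns1 / dns2 directly under charon
    return [charon[k] for k in ("dns1", "dns2") if k in charon]


# Constructed sample 1: the attr plugin form from the post above, plus the
# include lines a stock strongswan.conf carries.
ATTR_CONF = """\
# the following assigns two DNS servers to peers
charon {
    plugins {
        attr {
            dns = 8.8.8.8, 8.8.4.4
        }
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
"""

# Constructed sample 2: the legacy dns1/dns2 form.
LEGACY_CONF = """\
charon {
    threads = 16
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
}
"""

if __name__ == "__main__":
    print(assigned_dns(parse_strongswan_conf(ATTR_CONF)))    # ['8.8.8.8', '8.8.4.4']
    print(assigned_dns(parse_strongswan_conf(LEGACY_CONF)))  # ['8.8.4.4', '8.8.8.8']
```

Because includes are not followed, run this against the file you actually edited; a `dns` value set in /etc/strongswan.d/charon/attr.conf would be invisible here even though charon loads it. The list it prints is simply the servers you configured, so if, as later in the thread, you point it at your cloud provider's resolver instead of 8.8.8.8, that address is what shows up.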
  8. revnil's Avatar
    I did those steps and I'm in the same place. I even opened outbound/inbound port 53 on AWS but that didn't help.
    12-22-15 06:04 PM
  9. Rebelllious's Avatar
    PM sent.
    12-23-15 06:58 AM
  10. revnil's Avatar
    Just in case anyone else runs into this problem here's how to fix it.

    In the charon.conf dns configuration point the dns at your ec2 dns resolver instead of google's 8.8.8.8 or 8.8.4.4. I'm sure there's probably another way to do it but this worked for me. Thanks to Rebelllious and the good folks on strongswan's irc channel on freenode.
    12-25-15 05:35 PM
  11. musherpuff's Avatar
    Sorry, I'm a bit dumb... maybe I've made a few mistakes, that's why it isn't working...
    Just want to be sure:
    1. Do you just make up the gateway preshared key?
    2. What exactly is the Server Address in the BlackBerry set-up?

    Thanks
    02-05-16 06:32 AM
  12. Rebelllious's Avatar
    Sorry, I'm a bit dumb... maybe I've made a few mistakes, that's why it isn't working...
    Just want to be sure:
    1. Do you just make up the gateway preshared key?
    2. What exactly is the Server Address in the BlackBerry set-up?
    1. What do you mean by make up? If you mean "create", then my answer is "yes", you just put the PSK whichever you prefer.
    2. It is either your server's IP address or FQDN with no "http://" needed (if available).
    02-05-16 08:31 AM
  13. musherpuff's Avatar
    I have followed every step... but still getting "authentication error".

    Actually not an authentication error, it's now "connection error timeout".
    Last edited by musherpuff; 02-05-16 at 09:06 AM.
    02-05-16 08:56 AM
  14. Rebelllious's Avatar
    We are no prophets here, sorry
    Did you use my automated script for getting things running?
    Can you post your config files with no privacy sensitive information like IP address and alike? /etc/ipsec.conf + /etc/strongswan.conf + /etc/ipsec.secrets
    Did you set up the BlackBerry part of the thing correctly? Any screenshots to post?
    02-05-16 09:16 AM
  15. Ferohers's Avatar
    I am having a really hard time setting up strongswan on my VPS (OpenVZ based). I followed all possible scenarios. My problem is simple: my phone cannot connect to the server. It gives me a connection timeout problem. However, when I check strongswan status, I see a connection established there. What would be the issue?
    My strongswan.conf
    Code:
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
        threads = 16
        dns1 = 8.8.4.4
        dns2 = 8.8.8.8
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
    }

    include strongswan.d/*.conf
    ipsec.conf
    Code:
    config setup
        strictcrlpolicy=no

    conn %default
        ikelifetime=24h
        keylife=24h
        keyexchange=ikev2
        dpdaction=clear
        dpdtimeout=3600s
        dpddelay=3600s
        compress=yes
        leftfirewall=yes

    conn rem
        rekey=no
        leftsubnet=0.0.0.0/0
        leftauth=psk
        leftid=84.200.34.107
        right=%any
        rightsourceip=10.3.0.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add
    02-22-16 04:28 PM
  16. BCITMike's Avatar
    I am having a really hard time setting up strongswan on my VPS (OpenVZ based). I followed all possible scenarios. My problem is simple: my phone cannot connect to the server. It gives me a connection timeout problem. However, when I check strongswan status, I see a connection established there. What would be the issue?
    My strongswan.conf
    Code:
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
        threads = 16
        dns1 = 8.8.4.4
        dns2 = 8.8.8.8
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
    }

    include strongswan.d/*.conf
    ipsec.conf
    Code:
    config setup
        strictcrlpolicy=no

    conn %default
        ikelifetime=24h
        keylife=24h
        keyexchange=ikev2
        dpdaction=clear
        dpdtimeout=3600s
        dpddelay=3600s
        compress=yes
        leftfirewall=yes

    conn rem
        rekey=no
        leftsubnet=0.0.0.0/0
        leftauth=psk
        leftid=84.200.34.107
        right=%any
        rightsourceip=10.3.0.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add
    Did you compile it from source with the flag to allow OpenVZ to work? I had to, to get it working. Also, you probably need to request that your VPS provider enable the TUN adapter, if you can't from your own panel.

    Code:
    --enable-kernel-libipsec

    Edit: Also, some routers/firewalls have problems with IPsec, so I'd suggest testing over a mobile connection vs your wifi to rule out your router. At least until the server is proven to work.
    02-23-16 02:44 AM
  17. Ferohers's Avatar
    All fixed!
    02-24-16 07:24 AM
  18. Ferohers's Avatar
    Fixed IT!

    Step by step guide

    Never give up! Failed for over 24 hours setting up strongswan due to OpenVZ and default repo installations.
    Found out that double PSK works! http://www.davychiu.com/blog/strongswan-psk-ipsec-ikev2-vpn-on-ubuntu-14-04-with-blackberry.html works!
    Any other way gives issues. So I decided to compile it myself.

    1- Switched to 3G (company router might cause a problem)

    2- Removed the package with yum (installed strongswan from centos repo)

    3- Downloaded fresh from strongswan

    4- Compiled for Openvz
    Code:
    ./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
        --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
        --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam \
        --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
        --enable-certexpire --enable-radattr --enable-tools --enable-openssl \
        --disable-gmp --enable-kernel-libipsec

    5- Had it all working
    02-24-16 07:25 AM
  19. Joseph Zhan's Avatar
    Does this work for Chinese users?
    03-21-16 12:32 AM
  20. francesco3's Avatar
    Hello to everybody! I really want to thank you: this method works perfectly with my BB.

    Now, do you think it is possible to use this connection also on a Windows or a Mac system?

    Is there some particular configuration? I'm having big trouble with the identification / credentials. They both need "a certificate", but I just have the private key in .pem. Can you please help me?

    Thank you in advance!
    03-29-16 06:23 AM
  21. Rebelllious's Avatar
    Hello to everybody! I really want to thank you: this method works perfectly with my BB.
    Now, do you think it is possible to use this connection also on a Windows or a Mac system?
    Is there some particular configuration? I'm having big trouble with the identification / credentials. They both need "a certificate", but I just have the private key in .pem. Can you please help me?
    Thank you in advance!
    http://forums.crackberry.com/blackbe...l#post11111020 is a good place to see for the configuration for Mac. I use it all the way (in VPN settings, choose Cisco, if I am not mistaken). As for Windows, I have never tried it with StrongSwan, as I own a Mac and don't have to bother with Windows VPN setup.
    04-11-16 10:01 AM
  22. olakunal's Avatar
    Hello Guyzer & Rebelllious, Thanks for sharing this VPN idea. I'm unable to have a working VPN after following the steps and I need your help.


    *First, I used the script with CentOS 6.4 (as shown in the 1st post) and I got the response 'Disconnecting, Error TimeOut' when authenticating with username, password and PSK. Finally, I deleted the instance.*

    *I later tried Ubuntu Server 14.04 and installed Strongswan from the Ubuntu repo. I used certificates and got the error 'Disconnecting, Error TimeOut'. I also used EAP (username, password and preshared key), all to no avail. It kept telling me 'Disconnecting, Error TimeOut'. Finally, I deleted the instance.*

    *I switched to CentOS 7, installed Strongswan from the repo and followed another tutorial https://www.vultr.com/docs/using-str...pn-on-centos-7. I tried authenticating with a personal cert (.p12) and server certificate (.pem) both installed on the phone, which didn't work. I got the response 'Connection Error, Authentication Error' and another time I got 'Invalid Certificate'.
    The only progress made is the error message, which has changed. I am hopeful it can still work. Please, I need your help with setting up a working VPN.*

    I am out of options.

    I can give you my AWS details.

    Finally, I have a working VPN after following the post again and setting up a new instance.

    Did I miss anything earlier?


    Posted with Q10 via CB10
    Last edited by olakunal; 04-15-16 at 10:15 PM.
    04-14-16 03:44 AM
  23. Rebelllious's Avatar
    So, is everything working now for you?
    If you followed the scripted procedure, there might not be any issues except for closed inbound/outbound ports at AWS firewall. Yet, if you tried doing all steps manually, I cannot tell you your problem...

    Posted via CB10
    04-24-16 08:33 AM
  24. olakunal's Avatar
    Everything works very fine.

    I noticed that the script did not complete the first time I ran it, probably due to my internet timing out. It suddenly stopped at some point and some files were missing, e.g. ipsec.conf.
    Running vim /etc/ipsec.conf afterwards created a new blank file instead of opening an existing file for editing. My 2nd and 3rd attempts were inconclusive.

    I only figured this out after deleting the old instance and following the script method in my 4th attempt. This time the process was more detailed and the VPN connected. When I ran vim /etc/ipsec.conf it opened an existing file for editing.


    Posted with Q10 via CB10
    Last edited by olakunal; 04-24-16 at 09:23 AM.
    04-24-16 09:12 AM
  25. UnderBerry's Avatar
    Thanks for the guide and script, very nice and supportive of you
    06-04-16 01:16 PM