12-14-17 03:16 PM
246 ... 78910
tools
  1. Palda's Avatar
    Last month I have configured strongswan on Ubuntu server using this script (manually entering the commands from the script) and it works flawlessly. I use ufw as firewall on the server and if I remember I had to allow the necessary ports for the ipsec traffic - 500 I believe?

    Posted via CB10
    12-22-15 06:23 AM
  2. Rebelllious's Avatar
    I use ufw as firewall on the server and if I remember I had to allow the necessary ports for the ipsec traffic - 500 I believe?
    UDP 500 and UDP 4500.
    12-22-15 07:12 AM
  3. Rebelllious's Avatar
    Has anyone done this with strongswan 5.3.5? There have been a lot of updates and I'd like to use the latest software. I tried following the script but I'm missing something. I'm able to connect to the server, but I can't get out. I believe I have done everything correctly but I have a feeling somehow iptables is causing the trouble.

    Actually, it looks like a DNS issue. I can access websites via IP but not by name. The configuration for strongswan changed a bit it looks like and recommends putting the dns entries in another file, which I did, but no luck.
    In my script, iptables is configured to allow all possible access outside. For me, your case looks like disabled packet forwarding in /etc/sysctl.conf - in that case you always get connected to the server, but you never get further than that, i.e. no Internet connectivity
    Code:
    net.ipv4.ip_forward = 0
    should become
    Code:
    net.ipv4.ip_forward = 1
    12-22-15 07:15 AM
  4. revnil's Avatar
    Hey thanks for the reply!

    net.ipv4.ip_forward = 1 is set in that file.
    I played around with it a bit more last night. I can hit ip addresses of websites, but not by domain name. In the latest strongswan it looks like they have divided out the config files. the strongswan.conf includes /etc/strongswan.d/*.conf and strongswan.d/charon/*.conf files. So I put the DNS entries in charon.conf. That doesn't appear to work though.
    Edit: Putting it directly in strongswan.conf doesn't seem to work either.
    12-22-15 01:36 PM
  5. Rebelllious's Avatar
    I can hit ip addresses of websites, but not by domain name
    add
    Code:
    rightdns = 8.8.8.8
    into the appropriate section of /etc/ipsec.conf file. This seems to help you in case it is really a DNS issue. This will assign Google DNS server 8.8.8.8 to any client connected to your VPN.
    12-22-15 02:06 PM
  6. revnil's Avatar
    I added that entry to ipsec.conf with the other "right" stuff and restarted ipsec. No change.
    12-22-15 03:23 PM
  7. Rebelllious's Avatar
    I added that entry to ipsec.conf with the other "right" stuff and restarted ipsec. No change.
    Let's give it another try. Delete what you have added into ipsec.conf for now.
    Code:
    charon {
        dns1 = 8.8.4.4
        dns2 = 8.8.8.8
    }
    Above is what it looks like in my script
    Code:
    # the following assigns two DNS servers to peers
    charon {
        plugins {
            attr {
                dns = 8.8.8.8, 8.8.4.4
            }
        }
    }
    And this is what you can try to add into strongswan.conf file. Tell us if you get it working.

    P.S. Example taken from https://wiki.strongswan.org/projects...iki/Attrplugin
    Last edited by Rebelllious; 12-22-15 at 03:34 PM. Reason: Link added.
    12-22-15 03:33 PM
  8. revnil's Avatar
    I did those steps and I'm in the same place. I even opened outbound/inbound port 53 on AWS but that didn't help.
    12-22-15 06:04 PM
  9. Rebelllious's Avatar
    PM sent.
    12-23-15 06:58 AM
  10. revnil's Avatar
    Just in case anyone else runs into this problem here's how to fix it.

    In the charon.conf dns configuration point the dns at your ec2 dns resolver instead of google's 8.8.8.8 or 8.8.4.4. I'm sure there's probably another way to do it but this worked for me. Thanks to Rebelllious and the good folks on strongswan's irc channel on freenode.
    12-25-15 05:35 PM
  11. musherpuff's Avatar
    Sorry i'm a bit dumb...maybe I've made a few mistakes that's why it isn't working...
    just wanna be sure:
    1. Do you just make up the gateway preshared key?
    2. What exactly is the Server Address on the blackberry set-up?

    Thankss
    02-05-16 06:32 AM
  12. Rebelllious's Avatar
    Sorry i'm a bit dumb...maybe I've made a few mistakes that's why it isn't working...
    just wanna be sure:
    1. Do you just make up the gateway preshared key?
    2. What exactly is the Server Address on the blackberry set-up?
    1. What do you mean by make up? If you mean "create", then my answer is "yes", you just put the PSK whichever you prefer.
    2. It is either your server's IP address or FQDN with no "http://" needed (if available).
    02-05-16 08:31 AM
  13. musherpuff's Avatar
    I have followed every step..but still getting "authentication error"

    actually not autentication error it's now "connection error timeout"
    Last edited by musherpuff; 02-05-16 at 09:06 AM.
    02-05-16 08:56 AM
  14. Rebelllious's Avatar
    We are no prophets here, sorry
    Did you use my automated script for getting things running?
    Can you post your config files with no privacy sensitive information like IP address and alike? /etc/ipsec.conf + /etc/strongswan.conf + /etc/ipsec.secrets
    Did you setup the BlackBerry part of the thing correctly? Any screenshots to post?
    02-05-16 09:16 AM
  15. Ferohers's Avatar
    I am having really hard time setting up strongswan on my vps (openvz based). I followed all possible scenerios. My problem is simple my phone cannot connect to the server. It gives me connection timeout problem. However, when I check -strongswan status, I see a connection established there. What would be the issue?
    FREE VPN: Strongswan Ipsec/IKEv2 Z10/Z30/Q10-2222.png
    My strongswan.conf

    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
    threads = 16
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
    load_modular = yes
    plugins {
    include strongswan.d/charon/*.conf
    }
    }

    include strongswan.d/*.conf

    ipsec.conf

    config setup
    strictcrlpolicy=no

    conn %default
    ikelifetime=24h
    keylife=24h
    keyexchange=ikev2
    dpdaction=clear
    dpdtimeout=3600s
    dpddelay=3600s
    compress=yes
    leftfirewall=yes

    conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=84.200.34.107
    right=%any
    rightsourceip=10.3.0.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
    FREE VPN: Strongswan Ipsec/IKEv2 Z10/Z30/Q10-untitled.png
    02-22-16 04:28 PM
  16. BCITMike's Avatar
    I am having really hard time setting up strongswan on my vps (openvz based). I followed all possible scenerios. My problem is simple my phone cannot connect to the server. It gives me connection timeout problem. However, when I check -strongswan status, I see a connection established there. What would be the issue?
    Click image for larger version. 

Name:	2222.png 
Views:	823 
Size:	3.8 KB 
ID:	392238
    My strongswan.conf

    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
    threads = 16
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
    load_modular = yes
    plugins {
    include strongswan.d/charon/*.conf
    }
    }

    include strongswan.d/*.conf

    ipsec.conf

    config setup
    strictcrlpolicy=no

    conn %default
    ikelifetime=24h
    keylife=24h
    keyexchange=ikev2
    dpdaction=clear
    dpdtimeout=3600s
    dpddelay=3600s
    compress=yes
    leftfirewall=yes

    conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=84.200.34.107
    right=%any
    rightsourceip=10.3.0.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
    Click image for larger version. 

Name:	Untitled.png 
Views:	824 
Size:	31.1 KB 
ID:	392237
    Did you compile it from source with the flag to allow openvz to work? I had to to get it working. Also, you probably need to request your VPS provider enable TUN adapter, if you can't from your own panel.

    --enable-kernel-libipsec

    Edit: Also, some routers/firewalls have problems with IPSec, so I'd suggest testing over mobile connection vs your wifi to rule out your router. At least until server is proven to work.
    02-23-16 02:44 AM
  17. Ferohers's Avatar
    All fixed!
    02-24-16 07:24 AM
  18. Ferohers's Avatar
    Fixed IT!

    Step by step guide

    Never give up! Failed over 24 hours setting up strongswan due to openvz and default repo installations.
    Found out that double psk works! http://www.davychiu. com/blog/strongswan-psk-ipsec-ikev2-vpn-on-ubuntu-14-04-with-blackberry.html works!
    Any other way gives issues. So I decided to compile it by myself

    1- Switched to 3G (company router might cause a problem)

    2- Removed the package with yum (installed strongswan from centos repo)

    3- Downloaded fresh from strongswan

    4- Compiled for Openvz
    ./configure --enable-eap-identity --enable-eap-md5 \--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \ --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec

    5- Had it all working
    02-24-16 07:25 AM
  19. Joseph Zhan's Avatar
    does this works for chinese user?
    03-21-16 12:32 AM
  20. francesco3's Avatar
    Hello to everybody! I really want to thank you: this method works perfectly with my BB.

    Now, do you think is possible to use this connection also on a Windows or a Mac system?

    There is some particular configuration? I'm having big trouble with the identification / credentials. They both need "a certificate", but I just have the private key in .pem. Can you please help me?

    Thank you in advance!
    03-29-16 06:23 AM
  21. Rebelllious's Avatar
    Hello to everybody! I really want to thank you: this method works perfectly with my BB.
    Now, do you think is possible to use this connection also on a Windows or a Mac system?
    There is some particular configuration? I'm having big trouble with the identification / credentials. They both need "a certificate", but I just have the private key in .pem. Can you please help me?
    Thank you in advance!
    http://forums.crackberry.com/blackbe...l#post11111020 is a good place to see for the configuration for Mac. I use it all the way (in VPN settings, choose Cisco, if I am not mistaken). As for Windows, I have never tried it with StrongSwan, as I own a Mac and don't have to bother with Windows VPN setup.
    04-11-16 10:01 AM
  22. olakunal's Avatar
    Hello Guyzer & Rebelllious, Thanks for sharing this VPN idea. I'm unable to have a working VPN after following the steps and I need your help.


    *First, I used the script with CentOS 6.4 (as shown on 1st post) and I got the response 'Disconnecting, Error TimeOut' when authenticating with Username, Password and PSK. Finally, I deleted the instance.*
    FREE VPN: Strongswan Ipsec/IKEv2 Z10/Z30/Q10-img_20160414_081405.png

    *I later tried Ubuntu Server14.04 and installed Strongswan from ubuntu repo. I used *certificates and got the error 'Disconnecting, Error TimeOut'. I also used EAP( username, password and preshared) key all to no avail.‎ It kept telling me 'Disconnecting, Error TimeOut'.‎ Finally, I deleted the instance.*

    *I switched to CentOS 7 and installed Strongswan from repo and followed another tutorial https://www.vultr.com/docs/using-str...pn-on-centos-7. I tried authenticating with a personal cert (. P12) and server certificate (.pem) both installed on the phone which didn't work. I got the response 'Connection Error, Authentication Error' and another time I got 'Invalid Certificate'.
    FREE VPN: Strongswan Ipsec/IKEv2 Z10/Z30/Q10-img_20160414_074919.png
    The only progress made is the error message which has changed. I am hopeful it can still work.‎ Please I need your help with setting up a working VPN.*

    I am out of options.

    I can give you my AWS details.

    Finally, I have a working VPN after following the post again and setting up a new instance.

    Did I miss anything earlier?
    Attachment 397279


    Posted with Q10 via CB10
    Last edited by olakunal; 04-15-16 at 10:15 PM.
    04-14-16 03:44 AM
  23. Rebelllious's Avatar
    So, is everything working now for you?
    If you followed the scripted procedure, there might not be any issues except for closed inbound/outbound ports at AWS firewall. Yet, if you tried doing all steps manually, I cannot tell you your problem...

    Posted via CB10
    04-24-16 08:33 AM
  24. olakunal's Avatar
    Everything works very fine.

    I noticed that the script did not complete the first time I ran it probably due to my internet time out. It suddenly stopped at some point and some files were missing eg ipsec.conf
    Running vim /etc/ipsec.conf after created a new blank file instead of opening an existing file for editing. My 2nd and third attempts were inconclusive.

    I only figured this out after deleting the old instance and following the script method in my 4th attempt. This time the process was more detailed and the VPN connected. When I ran vim /etc/ipsec.conf it opened an existing file for editing.


    Posted with Q10 via CB10
    Last edited by olakunal; 04-24-16 at 09:23 AM.
    04-24-16 09:12 AM
  25. UnderBerry's Avatar
    Thanks for the guide and script, very nice and supportive of you
    06-04-16 01:16 PM
246 ... 78910

Similar Threads

  1. Z30 Wi-Fi connection unstable.
    By young guy in forum BlackBerry Z30
    Replies: 10
    Last Post: 10-22-13, 10:18 PM
  2. Line App on BlackBerry Q10
    By gnulab in forum BlackBerry Q10
    Replies: 7
    Last Post: 10-22-13, 06:12 PM
  3. How can you copy paste text on the z10?
    By Lee Eshelman in forum BlackBerry Z10
    Replies: 10
    Last Post: 10-21-13, 01:39 PM
  4. Z30 not permitting Facebook posting
    By rosie_parent in forum General BlackBerry Discussion
    Replies: 7
    Last Post: 10-21-13, 11:21 AM
  5. How can i update my z10 software 10.2
    By chitwan in forum BlackBerry Z10
    Replies: 2
    Last Post: 10-21-13, 08:18 AM
LINK TO POST COPIED TO CLIPBOARD