01-27-15 06:41 PM
  1. Poirots Progeny's Avatar
    I know there are threads re personal vpn use, and bb10, I have read them but there is nothing current - apologies if I'm rehashing - so here goes -

    I want to use a personal vpn provider - using the openVPN protocol - on my Q10 (I'm willing to use the pptp or l2tp if that is a worst case option). Currently I am using it on my Galaxy S4, which I want to get rid of.

    I understand BlackBerry is corporate and never has had compatibility for commercial pptp, l2tp and open vpn, in bbos 5,6,7 and bb10.0.

    I'm on bb10.1.0.273 on a SQN 100-3 UK unlocked BlackBerry Q10.

    I'm just wondering, has the commercial vpn access settings been added?

    Is anyone using a commercial PERSONAL vpn provider on their Q10?

    Are there any android apps I can sideload?

    Any help or clarification on this situation?


    Posted via CB10 on my BlackBerry Q10
    06-22-13 07:24 PM
  2. Poirots Progeny's Avatar
    I had posted this request for help in the Q10 general forum - sorry if I got that wrong!

    Any help or clarification would be appreciated! :-)

    Posted via CB10 on my BlackBerry Q10
    06-22-13 07:26 PM
  3. Richard Buckley's Avatar
    At the moment the only VPN that BB10 devices can use is IPSec based technology. I use Witopia and I'm happy with their service. Others have been successful with other providers. BlackBerry is considering OpenVPN, but I don't expect it any time soon.
    06-22-13 08:47 PM
  4. Poirots Progeny's Avatar
    I see. Thank you for the response.

    Is there any indication why? Considering ios and android support commercial personal vpns - no rooting or jailbreaking - why has BlackBerry continued this stance? BlackBerry is all about security!?

    Posted via CB10 on my BlackBerry Q10
    06-23-13 01:53 AM
  5. Poirots Progeny's Avatar
    Sorry, more searching on the computer, not CB10, has shown me your other thread - where you request people tell BlackBerry (on the Dev side) to implement open vpn.

    I am rather surprised it's not included with bb10. The platform is all about security, corporate and private.

    I'll check witopia out. There's also supervpn. Supervpn has a specific BlackBerry package just for BlackBerry 10... more expensive than normal packages of the type.

    That's frustrating. I paid outright for the Z and Q10. Over the odds for the hardware, if I'm honest. The GS4 and iphone 5 (work) that I have support something BlackBerry doesn't... why does this keep happening? BlackBerry please!

    Posted via CB10 on my BlackBerry Q10
    06-23-13 04:44 AM
  6. Richard Buckley's Avatar
    I see. Thank you for the response.

    Is there any indication why? Considering ios and android support commercial personal vpns - no rooting or jailbreaking - why has BlackBerry continued this stance? BlackBerry is all about security!?

    Posted via CB10 on my BlackBerry Q10
    Probably a combination of "serious business people don't use OpenVPN" and "can we implement OpenVPN securely?".

    I had a meeting with BlackBerry during DevCon in ST when they announced BB10. I asked for OpenVPN then, commented on an existing feature request, etc. But I haven't seen any response.

    Posted via CB10
    06-23-13 07:57 AM
  7. CharlieHipHop's Avatar
    At the moment the only VPN that BB10 devices can use is IPSec based technology. I use Witopia and I'm happy with their service. Others have been successful with other providers. BlackBerry is considering OpenVPN, but I don't expect it any time soon.
    I don't believe that we are limited to IPSec. There are many different gateway types available in the VPN settings. Anyway, I have a few VPNs set up, at least one that is SSL like OpenVPN.

    Open VPN on BlackBerry Q10-img_00000235.png
    Open VPN on BlackBerry Q10-img_00000234.png

    Posted via CB10
    06-23-13 08:14 AM
  8. Poirots Progeny's Avatar
    That's a shame. What is a personal and private consumer to do? Even apple - masters of the walled garden - have the facility for this. I'm surprised, when all of the competitors of BlackBerry offer the facility; you would think BlackBerry would want to follow suit..?

    I can't believe BlackBerry is still behaving like this. Not every BlackBerry user is using BlackBerry for corporate use. Ironically, we're issued Gs4's. I don't know. Very disappointing. Shocking, really :-(

    Posted via CB10 on my BlackBerry Q10
    06-23-13 09:59 AM
  9. Ndub60's Avatar
    At the moment the only VPN that BB10 devices can use is IPSec based technology. I use Witopia and I'm happy with their service. Others have been successful with other providers. BlackBerry is considering OpenVPN, but I don't expect it any time soon.
    I'm also using Witopia but I'm having an issue connecting to the server. All of my settings are correct and when I hit connect it starts connecting and then starts disconnecting.

    Any ideas?
    06-27-13 01:10 PM
  10. sonic_reducer's Avatar
    I don't believe that we are limited to IPSec. There are many different gateway types available in the VPN settings. Anyway, I have a few VPNs set up, at least one that is SSL like OpenVPN.

    Posted via CB10
    I have spent hours on the phone in international conference calls with SecurePoint tech support and my own network engineer trying to get the IKEv2 generic working (using certificates) . In the end, after breaking the Z10 protocol down in real time, it was clearly apparent that the Z10 was talking gibberish.

    Given that PPTP and L2TP are totally unfit for purpose anyway, the logical way to go is OpenVPN. It's a robust standard and transparent too, unlike shady implementations of some famous standards.

    I am not holding my breath on BlackBerry releasing such support anytime soon because demand for such requirements is probably quite small, therefore not a priority.

    Posted via CB10
    06-27-13 01:29 PM
  11. Poirots Progeny's Avatar
    Well, demand for BlackBerry is small too - so perhaps BlackBerry should make it a priority!

    You are so right about the "shady implementation" of other, lesser protocols.

    It's idiotic that BlackBerry would not take a commercial stance with openvpn when there are such benefits, if not for BlackBerry and bes, but the consumer's protection and the consumer's perception of BlackBerry as a company that cares.

    Posted via CB10 on my BlackBerry Q10
    06-29-13 08:27 AM
  12. Poirots Progeny's Avatar
    And when you mention demand being small - well ios and android support openvpn - no root or jailbreak required, if you're rocking ics and jellybean, and ios6+ respectively.

    But then there are more of those devices in the wild.

    Posted via CB10 on my BlackBerry Q10
    06-29-13 08:29 AM
  13. tickerguy's Avatar
    I have spent hours on the phone in international conference calls with SecurePoint tech support and my own network engineer trying to get the IKEv2 generic working (using certificates) . In the end, after breaking the Z10 protocol down in real time, it was clearly apparent that the Z10 was talking gibberish.

    That's a Generic IPSEC/IKEv2 connection made to my FreeBSD server with the connection validated via a machine certificate (and private CA, incidentally.)

    Here is the server end's status, just to prove that I'm not photoshopping the above:

    [karl@NewFS ~]$ ipsec status
    Security Associations (1 up, 0 connecting):
    BB10[221]: ESTABLISHED 4 seconds ago, 70.169.168.7[C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net, E=karl@denninger.net]...208.54.70.254[karl@denninger.net]
    BB10{164}: INSTALLED, TUNNEL, ESP in UDP SPIs: c50490b8_i 08b04138_o
    BB10{164}: 0.0.0.0/0 === 192.168.2.2/32

    If your IPSEC provider is claiming that the BB10 device is talking "gibberish" when it comes to a generic IPSEC/IKEv2 gateway they simply don't know what they're talking about and you need to speak with someone who does.

    There are very real and tangible reasons to use IPSEC/IKEv2, with the most-notable being that it's VERY fast, it's VERY secure, and -- very important for mobile devices -- MOBIKE (which the Z10 supports) automatically re-keys the connection if the end point's IP address changes. That happens all the time when you're on a mobile device using a cellular link.

    One of the big advantages of the BB10 "built in" VPN capability is that if you use "open" WiFi connections you can set their connection profiles to automatically bring up your VPN link whenever you connect to those HotSpots with no user intervention required. This is of huge benefit to those who use open WiFi on a regular basis as it prevents you from accidentally exposing to anyone with a handy WiFi card in promiscuous mode what you're doing online. You can also set the phone up to automatically connect back via VPN for all connections if you wish.

    My only complaint with the way BlackBerry did this is that I'd really like it if they implemented an "exclude" checkbox, allowing me to default the phone to have VPN enabled EXCEPT when on certain connections (e.g. my office WiFi which I know is already ok because it's mine.)

    I don't understand the drama llama thing here in this regard, and no, the BB10 "Generic" IPSEC/IKEv2 gateway option is NOT broken.
    Attached Thumbnails Open VPN on BlackBerry Q10-img_00000296.jpg  
    Last edited by BergerKing; 06-29-13 at 03:47 PM.
    06-29-13 11:19 AM
  14. sonic_reducer's Avatar
    Do you even know what SecurePoint is? It's a hardware VPN, not software sat on a server. I'm not running connections to a service here, it's a professional virtual LAN over the WAN.

    The SecurePoint engineer was watching the communication attempts using the control panel from Germany, whilst my network engineer was running the VPN device in Yorkshire (where we build our own hardware and networks) and I was in the head office in London. We were in a conference call together for hours trying out lots of combos to get the Z10 talking via generic v2. Needless to say out of despair we even tried the MS v2 too.

    My desktop XP SP3 connects instantly to the same device using the same client connection protocol.

    If you insult me again by accusing me of lying I will leave these forums.

    The amount of abuse and accusations that go on in these forums is bordering on mental illness.

    Posted via CB10
    Last edited by BergerKing; 06-29-13 at 03:48 PM. Reason: Clean up.
    06-29-13 02:00 PM
  15. sonic_reducer's Avatar
    BEE ESS.
    .
    Over and over again on these forums; "I don't have that problem - you must be a liar".

    What a disgraceful set of attitudes.

    Posted via CB10
    06-29-13 02:06 PM
  16. tickerguy's Avatar
    Are you calling me a liar?

    Do you even know what SecurePoint is? It's a hardware VPN, not software sat on a server. I'm not running connections to a service here, it's a professional virtual LAN over the WAN.
    Yes, I know what SecurePoint is.

    I'm not calling you a liar I'm calling their so-called "engineers" full of something dark and smelly.

    If the BB10 generic client was emitting "gibberish" then it couldn't connect to ANY IPSEC/IKEv2 server. But it clearly can because it does, and the server code I use happens to be open source so IF something goes wrong in the negotiation and the errors it tosses into the logfiles are insufficient for me to figure it out I can go root around in the code and figure out what's going on.

    I called "BEE ESS" on the allegation that BB10's "generic" IPSEC/IKEv2 client is broken ("emitting gibberish"); it very clearly is not.

    The logging on the client (phone) end is horribly bad (basically non-existent) which doesn't help one bit when things go wrong but the client most-certainly does work. One common problem when using machine certificates is making sure that the extended attributes are correct and that the CA validation path is complete. If authentication on the phone end fails in that regard the connection will get silently dropped and the reason for the failure is not at all obvious from what's dropped in the server's logs.

    I have been running the BB10 VPN from literally a day or so after I got the device and love the implementation. There is no material reason for BlackBerry, IMHO, to put OpenVPN into the system given that IPSEC/IKEv2 does everything that OpenVPN does and more, particularly given the MOBIKE support. Being able to nail a VPN connection for hours while on the road and have it seamlessly renegotiate as your IP address moves makes for a completely seamless and very secure experience.

    And by the way the Microsoft EAP-MSCHAPv2 configuration option works too if you have a server that speaks it. I've tested against that as well. My server handles BB10 devices and Windows 7 clients, both on IPSEC/IKEv2.

    Both work just fine and both get EXTENSIVE use around here. I don't have any IOS or Android devices running against my server at present but might at some point in the future. We're not an Apple sort of shop.

    Your willingness to jump to the conclusion that the PHONE is at fault is outrageous. If there are others with IPSEC/IKEv2 operating against open source verified implementations that work then obviously the phone's software is NOT the problem. That you have a vendor who wants to point fingers rather than find their own issues isn't shocking either; I have run into this repeatedly in my professional experience, indeed, it's the rule rather than the exception. Don't even get me started on this as I have stories of multiple hardware manufacturers pulling the same line of garbage when they either can't figure out what they did wrong or are either unable or unwilling to fix it.

    There is one problem with BB10's implementation that I am aware of and have no fix for as it IS in the phone's code -- they do not support split routing. I think I understand why but the fact remains that the lack of this support can be a problem under certain circumstances.
    06-29-13 02:20 PM
  17. sonic_reducer's Avatar
    Yes, I know what SecurePoint is.

    I'm not calling you a liar I'm calling their so-called "engineers" full of something dark and smelly.

    If the BB10 generic client was emitting "gibberish" then it couldn't connect to ANY IPSEC/IKEv2 server.
    Don't talk rubbish. What model Z10 you got? What connection type are you using; GSM, wi-fi or cable? Until you have tested every single one of those combos don't try and say that generic v2 works perfectly because it doesn't.
    I called "BEE ESS" on the allegation that BB10's "generic" IPSEC/IKEv2 client is broken ("emitting gibberish"); it very clearly is not.
    Maybe it isn't under your configuration, but guess what? There's more than your configuration in the world Mr Perfect.

    The logging on the client (phone) end is horribly bad (basically non-existent) which doesn't help one bit when things go wrong but the client most-certainly does work.
    That's why we watched the communications protocol using industrial strength kit.

    I have been running the BB10 VPN from literally a day or so after I got the device and love the implementation.
    Whoopie for you.

    Your willingness to jump to the conclusion that the PHONE is at fault is outrageous.
    It is at fault. I explained we watched the communication protocol and compared it to the protocol from my desktop over the same wi-fi connection. The handshake from the Z10 was wrong. Period. Get over it.

    Also get some manners and stop accusing people.
    06-29-13 02:40 PM
  18. tickerguy's Avatar
    STL-100-3, about a dozen different firmware loads from 10.0.9 to 10.0.10.85 to 10.1.{virtually all of the leaks and official releases}, nearly a dozen different radio files, operating over GSM/GPRS, GSM/EDGE, HSPA, HSPA+ and LTE along with WiFi in over a dozen locations across the United States. I also have other people on STL100-4s using the same config and after publishing my guidebook on getting it set up as a Ticker a number of others have done so and it has worked perfectly for them as well across different firmware revisions and model numbers.

    In fact I just got back from a 2,200 mile road warrior trip where I had same nailed up against said gateway for virtually the entire trip.

    Yes it does work perfectly across all of the above in each instance. I have had exactly zero trouble with Generic IPSEC/IKEv2 once I sorted out the certificate requirements, which as I noted are a bit tricky to get right.

    They're a bit tricky to get right for Windows 7 too, incidentally, and Win7 wants a couple of things turned off (specifically it has a fit if the server tries to initiate key renegotiation) that the BB10 devices handle just fine.

    The phone implementation is not broken -- it just plain works against both Microsoft's EAP-MSCHAPv2 and Generic IKEv2.

    In addition to the above I have verified that it works in the above combinations and firmware revisions using both machine certificates for both ends, a machine certificate for the server and a PSK for the client, and PSK for client and server val.

    All work.

    IMHO either your gateway is broken or your configuration is incorrect.

    Since I'm in a good mood I'll give you a hint on where you might look. If I recall correctly the phone rejects attempts to negotiate payload compression. If you're seeing "gibberish" it's entirely possible your server is trying to request that and ignoring the phone's rejection of the option. That, incidentally, would be broken server code; I know the phone rejects the option because I remember attempting to enable it on my server and the reject message coming back in the negotiation from the other end.

    My background, incidentally, is in network engineering dating back to the 1980s -- before there was a commercial Internet.

    This sort of thing -- network and security design along with coding for same -- is what I do for a living and have been for 30 years.
    06-29-13 03:53 PM
  19. Richard Buckley's Avatar
    I'm also using Witopia but I'm having an issue connecting to the server. All of my settings are correct and when I hit connect it starts connecting and then starts disconnecting.

    Any ideas?
    Have you contacted support? I made a mistake setting up my account initially, support spotted it right away.

    Posted via CB10
    06-29-13 03:59 PM
  20. tickerguy's Avatar
    BTW this might help -- a trace on the daemon for a connection coming over the cell interface, as it will tell you what options the phone is asking for and what the server successfully negotiates.

    You're welcome.

    Jun 29 16:01:34 NewFS charon: 11[NET] received packet: from 208.54.70.152[52335] to 70.169.168.7[500] (400 bytes)
    Jun 29 16:01:34 NewFS charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Jun 29 16:01:34 NewFS charon: 11[IKE] 208.54.70.152 is initiating an IKE_SA
    Jun 29 16:01:34 NewFS charon: 11[IKE] remote host is behind NAT
    Jun 29 16:01:34 NewFS charon: 11[IKE] sending cert request for "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA, E=customer-service@cudasystems.net"
    Jun 29 16:01:34 NewFS charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jun 29 16:01:34 NewFS charon: 11[NET] sending packet: from 70.169.168.7[500] to 208.54.70.152[52335] (337 bytes)
    Jun 29 16:01:34 NewFS charon: 13[NET] received packet: from 208.54.70.152[24135] to 70.169.168.7[4500] (332 bytes)
    Jun 29 16:01:34 NewFS charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH CP(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(MOBIKE_SUP) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Jun 29 16:01:34 NewFS charon: 13[CFG] looking for peer configs matching 70.169.168.7[%any]...208.54.70.152[karl@denninger.net]
    Jun 29 16:01:34 NewFS charon: 13[CFG] selected peer config 'BB10'
    Jun 29 16:01:34 NewFS charon: 13[IKE] authentication of 'karl@denninger.net' with pre-shared key successful
    Jun 29 16:01:34 NewFS charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jun 29 16:01:34 NewFS charon: 13[IKE] peer supports MOBIKE
    Jun 29 16:01:34 NewFS charon: 13[IKE] authentication of 'C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net, E=karl@denninger.net' (myself) with RSA signature successful
    Jun 29 16:01:34 NewFS charon: 13[IKE] IKE_SA BB10[223] established between 70.169.168.7[C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net, E=karl@denninger.net]...208.54.70.152[karl@denninger.net]
    Jun 29 16:01:34 NewFS charon: 13[IKE] scheduling reauthentication in 10069s
    Jun 29 16:01:34 NewFS charon: 13[IKE] maximum IKE_SA lifetime 10609s
    Jun 29 16:01:34 NewFS charon: 13[IKE] sending end entity cert "C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net, E=karl@denninger.net"
    Jun 29 16:01:34 NewFS charon: 13[IKE] peer requested virtual IP %any
    Jun 29 16:01:34 NewFS charon: 13[CFG] reassigning offline lease to 'karl@denninger.net'
    Jun 29 16:01:34 NewFS charon: 13[IKE] assigning virtual IP 192.168.2.2 to peer 'karl@denninger.net'
    Jun 29 16:01:34 NewFS charon: 13[IKE] CHILD_SA BB10{166} established with SPIs c5a22670_i 63496ff6_o and TS 0.0.0.0/0 === 192.168.2.2/32
    Jun 29 16:01:34 NewFS charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS NBNS DNS NBNS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    Jun 29 16:01:34 NewFS charon: 13[NET] sending packet: from 70.169.168.7[4500] to 208.54.70.152[24135] (1788 bytes)
    06-29-13 04:03 PM
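One way to read a trace like the one in the post above, as an added example that is not part of the thread: a small Python parser for the `[ENC]` and `[IKE]` line shapes visible in that log, which lists what each side put in its IKE messages and where a negotiation stopped. The sample lines are constructed in the same format with placeholder addresses and identities, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the charon trace quoted above. Addresses
# are documentation ranges and identities are placeholders, not page values.
SAMPLE = """\
Jun 29 16:01:34 gw charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 29 16:01:34 gw charon: 11[IKE] remote host is behind NAT
Jun 29 16:01:34 gw charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 29 16:01:34 gw charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH CP(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(MOBIKE_SUP) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 29 16:01:34 gw charon: 13[IKE] authentication of 'phone@example.test' with pre-shared key successful
Jun 29 16:01:34 gw charon: 13[IKE] authentication of 'CN=gw.example.test' (myself) with RSA signature successful
Jun 29 16:01:34 gw charon: 13[IKE] CHILD_SA BB10{1} established with SPIs 00000001_i 00000002_o and TS 0.0.0.0/0 === 192.0.2.10/32
Jun 29 16:01:34 gw charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS NBNS DNS NBNS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
"""

ENC = re.compile(r"\[ENC\] (parsed|generating) (\S+) (request|response) (\d+) \[ (.*) \]")
AUTH = re.compile(r"\[IKE\] authentication of '([^']*)'( \(myself\))? with (.+?) successful")
TOKEN = re.compile(r"[\w/]+(?:\([^)]*\))?")  # keeps CP(ADDR MASK ...) as one payload


def parse_trace(text):
    """Return one dict per IKE message charon logged, in log order."""
    messages = []
    for line in text.splitlines():
        m = ENC.search(line)
        if not m:
            continue
        verb, exchange, kind, msgid, body = m.groups()
        payloads = TOKEN.findall(body)
        messages.append({
            # "parsed" lines are what the remote peer sent; "generating" is ours.
            "sender": "peer" if verb == "parsed" else "local",
            "exchange": exchange,
            "kind": kind,
            "id": int(msgid),
            "payloads": payloads,
            # N(...) payloads are notifications: capability flags and errors.
            "notifies": [p[2:-1] for p in payloads if p.startswith("N(")],
        })
    return messages


def summarize(text):
    """Condense a trace into the facts needed to compare two clients."""
    msgs = parse_trace(text)
    offered = {n for m in msgs if m["sender"] == "peer" for n in m["notifies"]}
    answered = {n for m in msgs if m["sender"] == "local" for n in m["notifies"]}
    auth = {}
    for _identity, myself, method in AUTH.findall(text):
        auth["local" if myself else "peer"] = method
    responded = {(m["exchange"], m["id"]) for m in msgs
                 if m["sender"] == "local" and m["kind"] == "response"}
    # A peer request with no generated response marks where negotiation stopped.
    unanswered = [(m["exchange"], m["id"]) for m in msgs
                  if m["sender"] == "peer" and m["kind"] == "request"
                  and (m["exchange"], m["id"]) not in responded]
    return {
        "peer_auth": auth.get("peer"),
        "local_auth": auth.get("local"),
        "nat_detected": "remote host is behind NAT" in text,
        "mobike": "MOBIKE_SUP" in offered and "MOBIKE_SUP" in answered,
        "peer_only_notifies": sorted(offered - answered),
        "unanswered_requests": unanswered,
        "child_sa_up": bool(re.search(r"CHILD_SA \S+ established", text)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the same summary over traces from a working client and a failing one against the same gateway shows which payloads or notifies differ and at which exchange the failing one stops.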
  21. Omnitech's Avatar
    Looks like the leaked version of 10.2.1 has limited OpenVPN support.

    http://forums.crackberry.com/bb10-le...a100-x-856794/


    Quoting:

    "OpenVPN makes an appearance (No UI)"
    10-03-13 05:08 PM
  22. Mezomish's Avatar
    "OpenVPN makes an appearance (No UI)"
    Well, if there's no UI, what's use of it? We can't edit config files, can we?
    11-26-13 11:19 AM
  23. Omnitech's Avatar
    Well, if there's no UI, what's use of it? We can't edit config files, can we?
    Well technically you can edit config files, though it's not so simple, and without root it may not help for system services..

    BG shell - BlackBerry World
    BG SSH-SCP-SFTP free - BlackBerry World
    11-26-13 11:02 PM
  24. Mezomish's Avatar
    Well technically you can edit config files, though it's not so simple
    There is nothing too hard in manual configuring (I have my own OpenVPN server at home) but you got the point: we can't do that without root permissions. That's why I said we can't edit them and that's why "an appearance" of OpenVPN has no use until it's integrated into network settings.
    11-27-13 09:22 AM
  25. rana emran's Avatar
    How do I activate VPN on my BB Q10?
    04-27-14 09:27 AM