1. Christian Klugesherz's Avatar
    Hello All

    After spending days trying to set up a VPN on my BB10, I need your help to set up a VPN between my Blackberry Z10 and my Synology NAS
    Perhaps with the community we will succeed in figuring it out, and let it be a success story

    Overview
    Blackberry Z10
    Version: 10.3.2.2836

    NAS Synology
    DS213j
    DSM 6.0.1-7393

    On NAS VPN Server
    * PPTP (Not tested for now)
    * OpenVPN (Port UDP 1194)
    * L2TP/IPSEC (Port UDP: 1702/500/4500)

    Internet Modem
    Internet access provider : Free (France)
    Modem Internet / Router : Freebox Revolution
    * Ports UDP (1194/1702/500/4500) forwarded to NAS server

    Remark:
    * OpenVPN is working like a charm on my Windows PC and Android mobile

    Attempt 1

    OpenVPN Client
    OpenVPN Connect APK for Blackberry
    Issue faced
    Not possible to complete the OpenVPN file import by reading "openvpn.ovpn" on my BB10
    Browsing to the dir /mnt/
    There is a single file called 'sdcard' that can't be opened.

    --> I read in different forums that it is not possible to connect to OpenVPN with Blackberry
    Conclusion: OpenVPN is not compatible with the Blackberry world

    Attempt 2
    Integrated VPN connection possibility with BB10
    With L2TP/IPSEC
    By following these steps on my BB10

    Create a new VPN profile using the following connection details:
    Profile Name: anything
    Server Address: VPN server's public Internet address (my Synology public DNS address : ....synology.me)
    Gateway Type: Generic IKEv2 VPN Server
    Authentication Type: EAP-MSCHAPv2
    Authentication ID Type: IPv4
    MSCHAPv2 EAP Identity: anything (I entered "text"); I understood this field does not matter
    MSCHAPv2 Username: Synology user account that has access rights to L2TP/IPSEC
    MSCHAPv2 Password: password of the Synology user account that has access rights to L2TP/IPSEC
    Gateway Auth Type: PSK
    Gateway Auth ID Type: IPv4
    Gateway Preshared Key: password (See Picture)
    Perfect Forward Secrecy: not checked
    Result: Not Working

    So please share the process in case you succeeded in setting up a VPN

    Many thanks

    Regards

    Christian
    VPN and Blackberry-capture.png
    Last edited by Christian Klugesherz; 06-16-16 at 09:49 AM.
    06-16-16 09:14 AM
  2. keliew's Avatar
    BB10 only supports a handful of protocols. OpenVPN isn't one of them.

    Try IKEv2 setup.

    Synology won't work, I tried.

    BlackBerry Passport via CB10
    06-16-16 04:28 PM
  3. Christian Klugesherz's Avatar
    I understood that the VPN solution for BB10 supports:
    PPTP --> Not supported
    OpenVPN --> Tested myself and not working: Not supported
    L2TP/IPsec --> Tested myself and not working: Not supported
    IKEv2 --> You have tested it and it might work

    I will test on my side and get back to you
    Remark: Unfortunately Synology doesn't offer IKEv2
    Solution 1
    * Install IKEv2 on Synology (not tested but certainly possible)
    Solution 2
    * Use your Internet modem to set up an IKEv2 VPN
    * My Modem Internet / Router : "Freebox Revolution" has this possibility
    --> so I will test it and revert to you
    Solution 3
    * Use a specific server in your LAN (a Raspberry, why not) and install and configure IKEv2
    * Following:
    https://supportforums.blackberry.com...h/td-p/2654793
    06-17-16 03:49 AM
  4. keliew's Avatar
    There's a thread somewhere about using Strongswan for IKEv2.

    I know it works because I use VPN over IKEv2.

    All the best...

    BlackBerry Passport via CB10
    06-17-16 12:34 PM
  5. Christian Klugesherz's Avatar
    All,

    I've now spent days and days trying to set up this IKEv2 VPN.
    I scrupulously followed the instructions in
    WARIO's : VPN server for Blackberry 10
    But no success for now.
    My Raspberry hosting the VPN server has the IP address 192.168.1.29.
    The ports open on my router are 500 and 4500, and every time I get a "connexion refused - delay" error on my BB10.
    Below is a view of a Wireshark capture behind my Raspberry.
    There is something wrong that is blocking ...
    But what?
    Any idea would be very helpful.

    Many thanks in advance

    VPN and Blackberry-capture.png

    Config on BB10
    Profile Name : home (free choice)
    Server Address : public IP or domain
    Gateway Type : Generic IKEv2 VPN Server
    Authentication Type : EAP-MSCHAPv2
    Authentication ID Type : email
    ID Authentication : alice (can be anything)
    MSCHAPv2 EAP Identity : alice (can be anything)
    MSCHAPv2 Username : alice (username in ipsec.secrets)
    MSCHAPv2 Password : FREE_CHOICE2 (alice password in ipsec.secrets)
    Gateway Auth Type : PSK
    Gateway Auth ID Type : IPv4
    Gateway Preshared Key : (PSK password in ipsec.secrets)

    *everything else default!

    PFS : NO
    Automatic IP address : YES
    Automatic DNS : YES
    Automatic Algorithm : YES
    Last edited by Christian Klugesherz; 06-28-16 at 01:29 AM.
    06-27-16 04:13 PM
  6. Christian Klugesherz's Avatar
    Hello All,

    Finally I've got it !
    To get Strongswan to work with my Blackberry Z10
    BB OS is 10.3.2.2836

    After several attempts and weeks... struggling to get Strongswan to work...
    There is a lot of information.
    Please follow it scrupulously.

    Regards
    Christian

    PS: My thanks also to the different contributors (see REF)

    =========
    SUMMARY
    =========
    * OVERVIEW
    * TOPOLOGY
    * RASPBIAN
    * INSTALL STRONGSWAN
    * CA
    * CONFIGURATIONS
    * CONFIGURATION ON BB10
    * CONFIGURATION ON YOUR NAT-ROUTER
    * TOOLS
    * DEBUG
    * REF

    ===============================OVERVIEW=========================================
    VPN solution for BB10 supports

    PPTP --> Not supported
    OpenVPN --> Not supported
    L2TP/IPsec --> Not supported
    IKEv2 --> Supported

    Solution retained
    ============
    VPN client on Blackberry 10
    VPN IKEv2 with preshared Key
    VPN server running on Raspberry Pi: Raspbian Jessie

    ===================================TOPOLOGY=====================================
    Code:
    Goal:
        My BB10 (from the Internet) to have access to my Home Network
    
                                     
                                   +-------------+
                                   |             |
         +---------------+ Private | NAT Gateway | Public +----------+
         |        192.168.1.254/24 |             | 78.220.20.100     |
         |                         +-------------+ xxx.freeboxos.fr  |
         +                                                           |
      XXXXXXXXXXXXXXXX                                               |
    XX               XX                                              |
    X  (Home Network) XX                                             +
    XX 192.168.1.0/24 XX                                      XXXXXXXXXXXXXXX
     XXX            XXX                                    XXXXXXX          XXXX
       XXXXXXXXXXXXXX                                    XXX                   XX
             +                                           X                      XX
             |                                          XX        INTERNET       X
             |                                          XXX                      X
             +---+                                        XX                    XX
                 |                                         XXXXX              XXX
                 +                                             XXXXXXX+XXXXXXXX
           192.168.1.29                                               |
            +--------+                                               +++
            | VPN Pi |                                               | | Roadwarrior
            +-+------+                                               | | Mobile BB10
              ^                                                      | | 80.xx.xx.xx
              |                                                      +++
              |                                                       ^
              |     +----------------------------------------+        |
              +---> | VPN Network Tunnel Address 10.0.0.0/16 | <------+
                    +----------------------------------------+
    Mobile BB10:
    Blackberry Z10 client on the Internet that establishes a tunneled
    connection to the VPN gateway (Pi) in the home network
    by using the EAP-MSCHAPv2 protocol via IKEv2 (preshared key).
    NAT Gateway:
    This device, serving as the NAT router of the home network,
    forwards the VPN requests of my BB10 to the VPN gateway (Pi).
    The gateway is accessible from the Internet by the FQDN "xxx.freeboxos.fr".
    The local IP address of the gateway is 192.168.1.254.
    VPN (Pi):
    Acts as the other endpoint of the VPN connection to my
    home network 192.168.1.0/24.
    Uses the StrongSwan VPN library.

    Port Forwarded on NAT Gateway
    UDP 500,4500 -- Forwarded --> 192.168.1.29

    ==================================RASPBIAN======================================

    We use Raspbian OS: "raspbian-jessie-lite"
    Raspbian is the officially supported operating system for the Raspberry Pi

    To install the Raspberry Pi operating system image on an SD card, follow these steps:
    * Download: x.x.x-raspbian-jessie-lite.zip
    * Unzip
    * Install the image with: Win32DiskImager

    https://www.raspberrypi.org/document...ages/README.md

    Static IP on the RASPBERRY
    =================
    I suggest using "Advanced IP Scanner" to find the IP address (chosen by your DHCP)
    SSH into your Raspberry
    SSH Credential
    pi = login, by default on Raspbian
    raspberry = password, by default on Raspbian

    Static IP Address on Raspbian Jessie
    ============================
    To configure a static IP address on a Raspberry Pi running the
    latest available Raspbian, the old method of editing "/etc/network/interfaces"
    no longer works.
    Indeed, if you edit that file (including changing eth0 from static to manual),
    your Raspberry Pi will get 2 IP addresses for the same eth0!

    Solution: force the dhcpcd daemon to request the IP address you like.
    Add the following to the bottom of the file "dhcpcd.conf",
    substituting the correct IP address
    (your own IP address, of course ...)

    sudo nano /etc/dhcpcd.conf
    Code:
    # Custom static IP address for eth0.  
    interface eth0
    static ip_address=192.168.1.29/24
    static routers=192.168.1.254
    static domain_name_servers=192.168.1.254
    Restart your Pi and you are set!

    ===========================INSTALL STRONGSWAN===================================
    Before any installation, update the OS
    Code:
    $ sudo apt-get update
    $ sudo apt-get upgrade
    By default, and according to `ipsec listall`, MD5 and DES are both missing
    from the default installation through "apt-get install strongswan", and
    both are required to implement the EAP-MSCHAPv2 protocol!!

    This is a really important fact, because in this scenario we have to enable all
    relevant plugins to provide the EAP-MSCHAPv2 authentication method.
    Make sure that you build the StrongSwan IKEv2 daemon with those options:

    Also, PAM is needed to compile strongSwan
    Code:
    $ sudo apt-get install libpam0g-dev
    Keep in mind that strongSwan does not handle IPsec traffic; the OS kernel does.
    The gmp plugin uses libgmp for DH and RSA.
    If you compile with --enable-gmp (the default) you need the development
    headers for libgmp.
    We will use the openssl plugin instead, which also provides RSA and DH.
    OpenSSL is installed by default, but the headers are missing.
    Code:
    $ sudo apt-get install libssl-dev
    
    $ wget http://download.strongswan.org/strongswan-5.5.0.tar.gz
    
    $ tar xvf strongswan-5.5.0.tar.gz
    $ cd strongswan-5.5.0
    # https://wiki.strongswan.org/projects...iki/PluginList
    Code:
    $ ./configure --enable-aes --enable-des --enable-sha1 --enable-md5 --enable-eap-md5 --enable-eap-identity --enable-hmac --disable-gmp --enable-openssl --enable-dhcp --enable-eap-mschapv2 --enable-eap-dynamic --enable-kernel-netlink --enable-dnskey --enable-attr --enable-resolve --enable-socket-default --prefix=/usr --sysconfdir=/etc
    
    $ make
    $ sudo make install
    Make sure that nothing went wrong:
    Code:
    $ ipsec version
    -------------------------------SOME EXPLANATIONS--------------------------------
    Blackberry OS10 IKE Proposals in syslog file
    raspberrypi charon: 08[CFG] received proposals:
    IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/
    HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768


    AES_CBC_256 |
    AES_CBC_192 | --enable-aes
    AES_CBC_128 |

    3DES_CBC |
    DES_CBC | --enable-des

    HMAC_SHA1_96 | --enable-sha1
    HMAC_MD5_96 | --enable-md5 --enable-eap-md5
    | --enable-eap-identity

    PRF_HMAC_SHA1 | (PseudoRandom Function)
    PRF_HMAC_MD5 | --enable-hmac

    MODP_1024 | Modular Exponential (MODP) Diffie-Hellman groups for IKE
    MODP_768 | --disable-gmp --enable-openssl
    | openssl plugin also provides RSA and DH.
    | It provides a lot of the functionality provided by other
    | plugins that are enabled by default
    | (e.g. aes, hmac, sha1, sha2 etc.).

    Virtual IP address | --enable-dhcp
    BB - mschapv2 | --enable-eap-mschapv2

    Selects an EAP method that is supported/preferred by the client.
    If the original EAP method initiated by the plugin is rejected
    with an EAP-Nak message,
    it will select a different method that is supported/requested by the client.
    | --enable-eap-dynamic

    Default
    --enable-kernel-netlink
    --enable-dnskey
    --enable-attr
    --enable-resolve
    --enable-socket-default


    ==================================CA CERTIFICATE================================
    NOT USED FOR NOW, WILL BE USED IN A NEXT STEP
    --------------------------------------------------
    For now, keep it simple, so this part can be ignored

    Authenticating clients with EAP requires authenticating the server
    with a certificate to be standard-compliant (RFC 7296, section 2.16).
    strongSwan can be configured to combine EAP with PSK authentication.

    So we first have to create a new Certification Authority (CA) certificate,
    and then a certificate for the VPN gateway itself

    BE sure that your are in the /home/pi directory

    CA Certificate
    First, generate a private key. The default generates a 2048-bit RSA key.
    $ cd
    $ sudo ipsec pki --gen > caKey.der

    Copy the created private key to the directory /etc/ipsec.d/private.
    $ sudo cp caKey.der /etc/ipsec.d/private

    Now we generate a self-signed certificate for the new CA:
    $ sudo ipsec pki --self --lifetime 3650 --in caKey.der --dn "C=FR, O=strongSwan, CN=strongSwan CA" --ca > caCert.der

    The newly generated certificate caCert.der has a validity of 10 years
    and uses the RSA key caKey.der,
    so make sure that you keep this key secret, otherwise unauthorised persons
    can sign their certificates with your CA.
    Move the caCert.der to the location /etc/ipsec.d/cacerts/

    $ sudo cp caCert.der /etc/ipsec.d/cacerts/

    We now have our own CA ready to create and sign the essential x509 certificate
    for our VPN gateway (Pi).
    Like before, we create a private key for our VPN host certificate at first
    with this command:

    $ sudo ipsec pki --gen > VpnPiHostKey.der

    Also move this key to the directory /etc/ipsec.d/private/.

    $ sudo cp VpnPiHostKey.der /etc/ipsec.d/private/

    With this newly created private key, plus the private key and the certificate
    of the CA, we generate and sign the new x509 certificate for the VPN gateway.
    The command extracts the public key and issues a certificate using your CA.

    $ sudo ipsec pki --pub --in VpnPiHostKey.der | ipsec pki --issue --lifetime 3650 --cacert caCert.der --cakey caKey.der --dn "C=FR, O=Home VPN, CN=xxx.freeboxos.fr" --san xxx.freeboxos.fr --flag serverAuth --flag ikeIntermediate > VpnPiHostCert.der

    BE CAREFUL!!
    Make sure that you use the correct FQDN by which the VPN gateway is accessible
    from the internet (in this case: xxx.freeboxos.fr).
    It should be the (dynamic) DNS name that points to the global IP address of
    your NAT-router and which is the server address that is used by the remote
    clients.

    Copy the VpnPiHostCert.der to the directory /etc/ipsec.d/certs

    $ sudo cp VpnPiHostCert.der /etc/ipsec.d/certs

    We are now ready with creating the needed certificates.

    Delete all .der files in /home/pi after copying them to their destinations;
    ipsec.d is not accessible afterwards
    $ rm *.der


    To delete a cert or key, you have to explicitly indicate the file
    $ sudo rm /etc/ipsec.d/cacerts/caCert.der


    ===============================CONFIGURATIONS===================================

    Code:
    ----------------------
    file /etc/sysctl.conf:
    ----------------------
    # Add to end of the file, or SET in file
    
    net.ipv4.ip_forward = 1
    -----------------
    Some explanations
    -----------------
    IP forwarding allows an operating system (Linux here) to forward packets
    as a router does or, more generally, to route to other networks.
    Enabling IP forwarding is often used when sniffing a network
    (man-in-the-middle attack in particular), but also
    more simply when trying to make a Linux machine a router
    between several networks, as here.
    -----------------
    -------------------------
    file /etc/ipsec.secrets:
    -------------------------
    Code:
    # Add to end of the file
    
    : PSK "123456#"             #(Gateway Preshared Key)
    alice : EAP "alicep1234"    #(MSCHAPv2 Username + Password)
    ----------------------
    file /etc/ipsec.conf:
    Copy the full text to the file
    ----------------------
    Code:
    # ------------------------------------------------------------------------------
    # /etc/ipsec.conf - strongSwan IPsec configuration file
    # left and right denote the two endpoints of an IKE_SA:
    #  * left means the local peer, i.e. the one on which the config file is stored
    #  * right is the remote peer
    #  --> left=local, right=remote
    # ------------------------------------------------------------------------------
    
    # https://wiki.strongswan.org/projects...igSetupSection
    # https://wiki.strongswan.org/projects...rConfiguration
    # The default log level for all subsystems is 1.
    config setup
        charondebug="ike 1, cfg 1"
    
    # https://wiki.strongswan.org/projects...ki/ConnSection
    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        eap_identity=%any
    
    # https://wiki.strongswan.org/projects...ki/ConnSection
    conn BB10
        leftid=78.220.20.100
        #leftid=@xxx.freeboxos.fr
        left=%defaultroute
        leftfirewall=yes
        leftauth=psk
        leftsubnet=192.168.1.0/24
        right=%any
        rightsourceip=10.0.0.0/16
        rightdns=192.168.1.254
        rightauth=eap-mschapv2
        rightsendcert=never
        auto=add
    ---------------------------
    file /etc/strongswan.conf :
    ---------------------------
    (file is empty)

    -----------------
    Some explanations
    -----------------
    Many components of strongSwan have a modular design; features can be added
    or removed using a growing list of plugins:
    https://wiki.strongswan.org/projects...iki/PluginList
    The list of loaded plugins can be seen in the output of "ipsec statusall".
    Based on https://wiki.strongswan.org/projects...iki/PluginLoad
    the recommended way to enable or disable plugins is at compile time.
    --> strongswan.conf is empty
    # https://wiki.strongswan.org/projects...StrongswanConf

    ===================================IPTABLES=====================================
    Adjustments to iptables, so that the Pi maps the traffic of the VPN network
    to its physical network adapter:
    http://inai.de/images/nf-packet-flow.png

    Code:
    $ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
    $ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE
    To allow LAN nodes with private IP addresses to communicate with external
    public networks, configure the firewall for IP masquerading,
    which masks requests from LAN nodes with the IP address of the
    firewall's external device.
    The rule uses the NAT packet matching table (-t nat) and specifies the
    built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's
    external networking device (-o eth0).
    The -j MASQUERADE target is specified to mask the private IP address
    of a node with the external IP address of the firewall/gateway.

    ----------
    Save Rule
    ----------
    For iptables persistence, there is a package named "iptables-persistent"
    which handles this automatically.
    To do this, the rules must be saved in the file /etc/iptables/rules.v4

    Code:
    $ sudo apt-get install iptables-persistent
    
    To list out all of the active iptables rules in a table
    $ sudo iptables -L -v
    
    To list out all of the active iptables rules by specification
    $ sudo iptables -S
    ============================CONFIGURATION ON BB10===============================
    -------------------
    Code:
    Profile Name             : home
    Server Address           : 78.220.20.100
    Gateway Type             : Generic IKEv2 VPN Server
    Authentication Type      : EAP-MSCHAPv2
    Authentication ID Type   : IPv4
    ID Authentication        : alice            (not used, can be anything)
    MSCHAPv2 Username        : alice            (-->username in ipsec.secrets)
    MSCHAPv2 Password        : alicep1234       (-->alice password in ipsec.secrets)
    Gateway Auth Type        : PSK
    Gateway Auth ID Type     : IPv4
    Gateway Preshared Key    : 123456#          (-->PSK password in ipsec.secrets)

    *everything else default!

    PFS                      : NO
    Automatic IP address     : YES
    Automatic DNS            : YES
    Automatic Algorithm      : YES
    ======================CONFIGURATION ON YOUR NAT-ROUTER==========================

    Ports to open on your router!!
    UDP 500,4500 --> destination @VPN_Pi

    =====================================TOOLS======================================
    ssh tool
    MobaXterm free Xserver and tabbed SSH client for Windows

    =====================================DEBUG======================================
    ------
    ipsec
    ------
    Having changed the config files of StrongSwan, we need to start or restart
    the daemon with the specific command:
    $ sudo ipsec start
    $ sudo ipsec restart

    To see if the configurations are correctly loaded, you can view the status
    of the StrongSwan service with:

    $ sudo ipsec statusall

    To check that the eap-mschapv2 plugin is loaded, as well as the DES and MD4 algorithms:

    $ sudo ipsec listall

    -----
    Logs
    -----
    The main starting point should be the logs stored in /var/log/syslog
    where StrongSwan also writes the sequences and exchanged information during
    establishing a VPN connection.
    If you read the lines carefully you will get a good hint of what went wrong.

    The preferred solution, in order to avoid losing some startup information, is to
    set in the ipsec.conf file:
    config setup
    charondebug="ike 1, cfg 2"

    ------------------
    tcpdump
    ------------------
    https://wiki.strongswan.org/projects...ectTrafficDump
    Example

    To ADD the iptables ingress IPsec and IKE traffic rules:
    $ iptables -t filter -I INPUT -p esp -j NFLOG --nflog-group 5
    $ iptables -t filter -I INPUT -p ah -j NFLOG --nflog-group 5
    $ iptables -t filter -I INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5

    To Delete
    $ sudo iptables -D INPUT 3

    tcpdump
    By default, tcpdump captures only the first 68 octets of each packet.
    This can be changed with the snaplen "-s" parameter;
    "-s 0" disables the truncation.
    By default tcpdump dumps the contents of each packet as text lines
    on the console. The parameter "-w" can be used to make it write the binary
    data of the packets to a file instead
    (preferred if the data has to be analysed later, e.g. with Wireshark).

    tcpdump -s 0 -n -i nflog:5 -w /tmpd/trace.pcap

    ==================================REF===========================================
    Many thanks to "Tobias Brunner", main developer of StrongSwan, for his help
    +
    Information:
    WARIO's : VPN server for Blackberry 10
    How to configure Ubuntu as IKEv2 VPN server for Blackberry OS 10 ? DXSdata
    https://www.raspberrypi.org/forums/v...c.php?t=101673
    https://www.zeitgeist.se/2013/11/22/...-your-own-vpn/
    Howard Guo's blog: Create a VPN server for Blackberry Playbook (or Blackberry 10) using StrongSwan
    Raspberry Pi 2 as VPN gateway in a home network for Windows Phone 8.1 with StrongSwan, IKEv2 and EAP MSCHAPv2 authentication
    https://wiki.strongswan.org/projects.../IKEv2Examples
    openSolaris 2008 - Protecting a VPN With IPsec - System Administration Guide: IP Services
    https://wiki.strongswan.org/projects...rDocumentation
    https://support.purevpn.com/how-to-s...ckberry-10-2-1

    ================================================================================
    Last edited by Christian Klugesherz; 07-21-16 at 02:56 AM.
    07-20-16 10:55 AM
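The SOME EXPLANATIONS section above quotes the IKE proposal list the Z10 sends, and the DEBUG section points at syslog as the place to look when the phone refuses to connect. The block below is an added example for this thread, not code from the post or from strongSwan: it parses a constructed copy of that "received proposals" syslog line and checks it against an ike= value written in strongSwan's keyword notation, reporting which transforms the two sides have in common. IKEv2 needs one encryption, one integrity, one PRF and one DH transform in common, otherwise the responder answers NO_PROPOSAL_CHOSEN. The sample log line, the ike= strings and the keyword table (only the algorithms that appear in the post plus sha256/modp2048) are assumptions built for the example.

```python
"""Check whether the IKE proposals a BlackBerry 10 client offers overlap with
the 'ike=' proposal configured on a strongSwan gateway.
Added example for this thread, not code from the post or from strongSwan."""
import re

# Constructed sample: the 'received proposals' line charon writes to syslog when
# the Z10 connects (joined from the list quoted in the post).
SAMPLE_LOG = (
    "Jul 20 10:55:01 raspberrypi charon: 08[CFG] received proposals: "
    "IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/"
    "HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768"
)

# strongSwan 'ike=' keywords -> (category, transform name as charon logs it).
# A hash keyword supplies both the integrity and the PRF transform.
# Assumption: a reduced table, just the keywords needed for this example.
KEYWORDS = {
    "aes128":   [("enc", "AES_CBC_128")],
    "aes192":   [("enc", "AES_CBC_192")],
    "aes256":   [("enc", "AES_CBC_256")],
    "3des":     [("enc", "3DES_CBC")],
    "des":      [("enc", "DES_CBC")],
    "sha1":     [("integ", "HMAC_SHA1_96"), ("prf", "PRF_HMAC_SHA1")],
    "md5":      [("integ", "HMAC_MD5_96"), ("prf", "PRF_HMAC_MD5")],
    "sha256":   [("integ", "HMAC_SHA2_256_128"), ("prf", "PRF_HMAC_SHA2_256")],
    "modp768":  [("dh", "MODP_768")],
    "modp1024": [("dh", "MODP_1024")],
    "modp2048": [("dh", "MODP_2048")],
}
CATEGORIES = ("enc", "integ", "prf", "dh")


def categorise(transform):
    """Sort a transform name from the log into enc / integ / prf / dh."""
    if transform.startswith("PRF_"):
        return "prf"
    if transform.startswith("HMAC_"):
        return "integ"
    if transform.startswith("MODP_"):
        return "dh"
    return "enc"


def parse_client_proposal(log_line):
    """Return {category: set(transforms)} from a charon 'received proposals' line."""
    m = re.search(r"received proposals:\s*IKE:(\S+)", log_line)
    if not m:
        raise ValueError("no IKE proposal in log line")
    offered = {c: set() for c in CATEGORIES}
    for t in m.group(1).split("/"):
        offered[categorise(t)].add(t)
    return offered


def parse_server_setting(ike_setting):
    """Expand an ike= value such as 'aes256-sha1-modp1024,3des-md5-modp768!'
    into a list of proposals, each {category: set(transforms)}."""
    proposals = []
    for item in ike_setting.rstrip("!").split(","):
        prop = {c: set() for c in CATEGORIES}
        for kw in item.strip().split("-"):
            if kw not in KEYWORDS:
                raise ValueError("unknown ike= keyword: " + kw)
            for category, transform in KEYWORDS[kw]:
                prop[category].add(transform)
        proposals.append(prop)
    return proposals


def select_proposal(client, server_proposals):
    """First server proposal the client can satisfy, as {category: common set},
    or None when no proposal has a transform in common in every category
    (the case in which charon replies NO_PROPOSAL_CHOSEN)."""
    for prop in server_proposals:
        common = {c: client[c] & prop[c] for c in CATEGORIES}
        if all(common.values()):
            return common
    return None


if __name__ == "__main__":
    client = parse_client_proposal(SAMPLE_LOG)
    # Gateway that still allows the legacy groups the phone offers: a match.
    print(select_proposal(client, parse_server_setting("aes256-sha1-modp1024,aes128-md5-modp768")))
    # Gateway restricted to sha256/modp2048: nothing in common, the phone is refused.
    print(select_proposal(client, parse_server_setting("aes256-sha256-modp2048!")))
```

Run it against a line copied out of /var/log/syslog and the ike= value from your own ipsec.conf (the post leaves ike= at the strongSwan default); an empty category in the result is the one to adjust on the gateway, since the phone's list cannot be changed.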
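The CONFIGURATION ON BB10 section mirrors values that live in /etc/ipsec.secrets and /etc/ipsec.conf, and post #5 earlier in the thread shows what a drift between the two looks like (a domain as server address while the gateway ID type is IPv4). The block below is an added example, not code from the post or from strongSwan: it cross-checks a phone profile against copies of the two server files. The parsers are deliberately minimal (enough for the two-file layout shown in the post), the copies of the files are constructed from the post, and the rule that leftid must equal the server address when Gateway Auth ID Type is IPv4 is an assumption drawn from the working configuration above. Note the edge case the secrets parser handles: the post's PSK contains a '#', so comments may only be stripped outside double quotes.

```python
"""Cross-check a BB10 VPN profile against the Pi's strongSwan files.
Added example for this thread, not code from the post or from strongSwan."""
import re

# Constructed from the post's /etc/ipsec.secrets (note the '#' inside the PSK).
SECRETS = '''# Add to end of the file

: PSK "123456#"             #(Gateway Preshared Key)
alice : EAP "alicep1234"    #(MSCHAPv2 Username + Password)
'''

# Constructed from the post's /etc/ipsec.conf, reduced to the lines checked here.
IPSEC_CONF = '''config setup
    charondebug="ike 1, cfg 1"

conn %default
    keyexchange=ikev2
    eap_identity=%any

conn BB10
    leftid=78.220.20.100
    #leftid=@xxx.freeboxos.fr
    left=%defaultroute
    leftauth=psk
    right=%any
    rightauth=eap-mschapv2
    auto=add
'''

# The phone profile from the post's CONFIGURATION ON BB10 section.
BB10_PROFILE = {
    "Server Address": "78.220.20.100",
    "Authentication Type": "EAP-MSCHAPv2",
    "MSCHAPv2 Username": "alice",
    "MSCHAPv2 Password": "alicep1234",
    "Gateway Auth Type": "PSK",
    "Gateway Auth ID Type": "IPv4",
    "Gateway Preshared Key": "123456#",
}


def strip_comment(line):
    """Drop a trailing # comment, leaving '#' characters inside double quotes alone."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_secrets(text):
    """Return (psk, {username: eap_password}) from ipsec.secrets text."""
    psk, eap = None, {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        m = re.match(r'^(\S*)\s*:\s*(PSK|EAP)\s+"([^"]*)"$', line)
        if not m:
            continue
        ident, kind, secret = m.groups()
        if kind == "PSK":
            psk = secret
        else:
            eap[ident] = secret
    return psk, eap


def parse_conn(text, name):
    """Return the key=value settings of one conn section, merged over conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if raw[0] not in " \t":            # unindented: 'config setup' / 'conn X' header
            current = line
            sections[current] = {}
        elif current and "=" in line:
            k, v = line.split("=", 1)
            sections[current][k.strip()] = v.strip()
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get("conn " + name, {}))
    return merged


def check_profile(profile, secrets_text, conf_text, conn="BB10"):
    """List mismatches between the phone profile and the server files (empty = consistent)."""
    psk, eap = parse_secrets(secrets_text)
    c = parse_conn(conf_text, conn)
    problems = []
    if profile["Gateway Preshared Key"] != psk:
        problems.append("PSK on phone differs from ipsec.secrets")
    user = profile["MSCHAPv2 Username"]
    if eap.get(user) != profile["MSCHAPv2 Password"]:
        problems.append("no EAP secret for '%s' matching the phone password" % user)
    if profile["Gateway Auth Type"].lower() != c.get("leftauth"):
        problems.append("Gateway Auth Type %s vs leftauth=%s" % (profile["Gateway Auth Type"], c.get("leftauth")))
    if profile["Authentication Type"].lower() != c.get("rightauth"):
        problems.append("Authentication Type %s vs rightauth=%s" % (profile["Authentication Type"], c.get("rightauth")))
    # Assumption: with Gateway Auth ID Type IPv4 the phone expects the gateway to
    # identify itself by the server address, so leftid must be that address.
    if profile["Gateway Auth ID Type"] == "IPv4" and c.get("leftid") != profile["Server Address"]:
        problems.append("leftid=%s does not match Server Address %s" % (c.get("leftid"), profile["Server Address"]))
    return problems


if __name__ == "__main__":
    print(check_profile(BB10_PROFILE, SECRETS, IPSEC_CONF))   # [] for the post's values
```

To use it on a real Pi, read the two files in place of the constructed strings and type the profile exactly as it was entered on the phone; the checks run on the gateway side, so no secret has to leave the machine.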
  7. hertomas's Avatar
    Hi Christian, thanks for all this information.
    I have a question for you: is it possible to just have a VPN connection between the Freebox and a BB10?
    I do not need RASPBIAN or anything else... just a simple VPN connection.
    Thanks for your help, really appreciated.
    12-14-16 09:46 PM
  8. jefbeard911's Avatar
    IKEv2 is the only VPN protocol that works on BB10.

    You'll need to find a VPN service that offers it. Not many do. I don't think I've ever come across a free one that does so you'll have to pay.

    Torguard works from personal experience btw...

    Sent from my awesome BlackBerry Passport
    12-16-16 10:22 PM
  9. Vladislavt's Avatar
    HIDE.me offers free, one month after one month, account and it's working flawlessly on my Q5 👍
    12-17-16 01:05 AM
  10. Robin_Pearson's Avatar
    Yes. Hide.me offers free vpn. Testing it at the moment. As free service works very well.

    Posted via CB10
    12-17-16 01:48 AM
  11. Rendergroup's Avatar
    I've been trying to connect with my Passport for a long time, but it refuses; it says time out and that's it.

    Tested the same connection on my Mac and it works flawlessly.

    Could you give me some hints on how to set it up correctly? I've rechecked several times, but nothing.

    Help is very welcome

    Posted via CB10
    12-17-16 03:23 PM
  12. kunz1925shooter's Avatar
    Hello All,

    Finally I've got it !
    To get Strongswan to work with my Blackberry Z10
    BB OS is 10.3.2.2836

    Afrer several attemps, weeks... struggling to get Strongswan to work ..
    There are a lots of information.
    Please to follow it scrupulously.

    Regards
    Christian

    PS: My thank you also to the different contributors (see REF)

    =========
    SUMMARY
    =========
    * OVERVIEW
    * TOPOLOGY
    * RASPIAN
    * INSTALL STRONGSWAN
    * CA
    * CONFIGURATIONS
    * CONFIGURATION ON BB10
    * CONFIGURATION ON YOUR NAT-ROUTER
    * TOOLS
    * DEBUG
    * REF

    ===============================OVERVIEW=========== ==============================
    VPN solution for BB10 supports

    PPTP --> Not supported
    OpenVPN --> Not supported
    L2TP/IPsec --> Not supported
    IKEv2 --> Supported

    Solution retained
    ============
    VPN client on Blackberry 10
    VPN IKEv2 with preshared Key
    VPN server running on Raspberry PI: raspian-jessie:

    ===================================TOPOLOGY======= ==============================
    Code:
    Goal:
        My BB10 (from the Internet) to have access to my Home Network
    
                                     
                                   +-------------+
                                   |             |
         +---------------+ Private | NAT Gateway | Public +----------+
         |        192.168.1.254/24 |             | 78.220.20.100     |
         |                         +-------------+ xxx.freeboxos.fr  |
         +                                                           |
      XXXXXXXXXXXXXXXX                                               |
    XX               XX                                              |
    X  (Home Network) XX                                             +
    XX 192.168.1.0/24 XX                                      XXXXXXXXXXXXXXX
     XXX            XXX                                    XXXXXXX          XXXX
       XXXXXXXXXXXXXX                                    XXX                   XX
             +                                           X                      XX
             |                                          XX        INTERNET       X
             |                                          XXX                      X
             +---+                                        XX                    XX
                 |                                         XXXXX              XXX
                 +                                             XXXXXXX+XXXXXXXX
           192.168.1.29                                               |
            +--------+                                               +++
            | VPN Pi |                                               | | Roadwarrior
            +-+------+                                               | | Mobile BB10
              ^                                                      | | 80.xx.xx.xx
              |                                                      +++
              |                                                       ^
              |     +----------------------------------------+        |
              +---> | VPN Network Tunnel Address 10.0.0.0/16 | <------+
                    +----------------------------------------+
    Mobile BB10:
    Blackberry Z10 Client in the Internet, that establishes a tunneled
    connection to the VPN gateway (Pi) in the home network
    by using the MSCHAPv2 EAP protocol via IKEv2. (Preshared Key)
    NAT Gateway:
    This device, serving as a NAT-router of the home network,
    performs forwarding the VPN requests of my BB10
    to the VPN gateway (Pi). The gateway is accessible by the
    FQDN: "xxx.freeboxos.fr" from the internet.
    Local IP address of the gateway is 192.168.1.254
    VPN (Pi):
    Acts as the other endpoint for the VPN connection to my
    Home Network 192.168.1.0/24.
    Uses the StrongSwan VPN library .

    Port Forwarded on NAT Gateway
    UDP 500,4500 -- Forwarded --> 192.168.1.29

    ==================================RASPIAN========= ==============================

    We use Raspbian OS : "raspian-jessie-lite"
    Raspbian is the official supported operating system for Rapsberry

    To install Raspberry Pi operating system image on an SD card please to follow
    * Download : x.x.x-raspbian-jessie-lite.zip
    * Unzip
    * Install the image with: Win32DiskImage

    https://www.raspberrypi.org/document...ages/README.md

    IP Static RASPBERRY
    =================
    I suggest using "Advanced IP Scanner" to find the IP address (chosen by your DHCP)
    SSH into your Raspberry Pi
    SSH Credentials
    pi = login, by default on Raspbian
    raspberry = password, by default on Raspbian

    Static IP Address on Raspbian Jessie
    ============================
    To configure a static IP address on a Raspberry Pi running on the
    latest available Raspbian, the old method of changing the
    "/etc/network/interfaces" file no longer works.
    Indeed, if you edit that file (including changing eth0 from static to manual),
    your Raspberry Pi will end up with 2 IP addresses for the same eth0!

    Solution: force the dhcpcd daemon to use the IP address you like.
    Add the following to the bottom of the file "dhcpcd.conf",
    substituting the correct IP address!
    (With your IP address of course ..)

    sudo nano /etc/dhcpcd.conf
    Code:
    # Custom static IP address for eth0.  
    interface eth0
    static ip_address=192.168.1.29/24
    static routers=192.168.1.254
    static domain_name_servers=192.168.1.254
    Restart your Pi and you are set!

    ===========================INSTALL STRONGSWAN===================================
    Before any installation, update the OS
    Code:
    $ sudo apt-get update
    $ sudo apt-get upgrade
    By default, and according to `ipsec listall`, MD5 and DES are both missing
    from the default installation through "apt-get install strongswan", although
    they are required to implement the EAP-MSCHAPv2 protocol !!

    This is a really important fact, because in this scenario we have to enable all
    relevant plugins to provide the EAP MSCHAPv2 authentication method
    Make sure that you build the StrongSwan IKEv2 daemon with those options:

    Also, PAM is needed to compile strongSwan
    Code:
    $ sudo apt-get install libpam0g-dev
    Keep in mind that strongSwan does not handle IPsec traffic, the OS kernel does.
    The gmp plugin uses libgmp for DH and RSA.
    If you compile with --enable-gmp (the default) you need the development
    headers for libgmp.
    We will use the openssl plugin, which provides RSA and DH.
    OpenSSL is installed by default, but the headers are missing.
    Code:
    $ sudo apt-get install libssl-dev
    
    $ wget http://download.strongswan.org/strongswan-5.5.0.tar.gz
    
    $ tar xvf strongswan-5.5.0.tar.gz
    $ cd strongswan-5.5.0
    # https://wiki.strongswan.org/projects...iki/PluginList
    Code:
    $ ./configure --enable-aes --enable-des --enable-sha1 --enable-md5 --enable-eap-md5 --enable-eap-identity --enable-hmac --disable-gmp --enable-openssl --enable-dhcp --enable-eap-mschapv2 --enable-eap-dynamic --enable-kernel-netlink --enable-dnskey --enable-attr --enable-resolve --enable-socket-default --prefix=/usr --sysconfdir=/etc
    
    $ make
    $ sudo make install
    Make sure that nothing went wrong
    Code:
    $ ipsec version
    -------------------------------SOME EXPLANATIONS--------------------------------
    Blackberry OS10 IKE Proposals in syslog file
    raspberrypi charon: 08[CFG] received proposals:
    IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/
    HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768


    AES_CBC_256        |
    AES_CBC_192        | --enable-aes
    AES_CBC_128        |

    3DES_CBC           |
    DES_CBC            | --enable-des

    HMAC_SHA1_96       | --enable-sha1
    HMAC_MD5_96        | --enable-md5 --enable-eap-md5
                       | --enable-eap-identity

    PRF_HMAC_SHA1      | (Pseudo-Random Function)
    PRF_HMAC_MD5       | --enable-hmac

    MODP_1024          | Modular Exponential (MODP) Diffie-Hellman groups for IKE
    MODP_768           | --disable-gmp --enable-openssl
                       | The openssl plugin also provides RSA and DH.
                       | It provides a lot of the functionality provided by other
                       | plugins that are enabled by default
                       | (e.g. aes, hmac, sha1, sha2 etc.).

    Virtual IP address | --enable-dhcp
    BB - mschapv2      | --enable-eap-mschapv2

    Selects an EAP method that is supported/preferred by the client.
    If the original EAP method initiated by the plugin is rejected
    with an EAP-Nak message,
    it will select a different method that is supported/requested by the client.
    | --enable-eap-dynamic

    Default
    --enable-kernel-netlink
    --enable-dnskey
    --enable-attr
    --enable-resolve
    --enable-socket-default


    ==================================CA CERTIFICATE================================
    NOT USED FOR NOW, WILL BE USED IN A NEXT STEP
    --------------------------------------------------
    For now, keep it simple, so this part can be ignored

    Authenticating clients with EAP requires authenticating the server
    with a certificate to be standard-compliant (RFC 7296, section 2.16).
    strongSwan can be configured to combine EAP with PSK authentication.

    So we first have to create a new Certification Authority (CA) certificate,
    and then a certificate for the VPN gateway itself

    Be sure that you are in the /home/pi directory

    CA Certificate
    First, generate a private key; the default generates a 2048 bit RSA key
    $ cd
    $ sudo ipsec pki --gen > caKey.der

    Copy the created private key to the directory /etc/ipsec.d/private.
    $ sudo cp caKey.der /etc/ipsec.d/private

    Now we generate a self-signed certificate for the new CA:
    $ sudo ipsec pki --self --lifetime 3650 --in caKey.der --dn "C=FR, O=strongSwan, CN=strongSwan CA" --ca > caCert.der

    The recently generated certificate caCert.der has a validity duration of 10 years
    and uses the RSA key caKey.der
    So make sure that you keep this key secret, otherwise unauthorised persons
    can sign their certificates with your CA.
    Move the caCert.der to the location /etc/ipsec.d/cacerts/

    $ sudo cp caCert.der /etc/ipsec.d/cacerts/

    We now have our own CA ready to create and sign the essential x509 certificate
    for our VPN gateway (Pi).
    Like before, we create a private key for our VPN host certificate at first
    with this command:

    $ sudo ipsec pki --gen > VpnPiHostKey.der

    Also move this key to the directory /etc/ipsec.d/private/.

    $ sudo cp VpnPiHostKey.der /etc/ipsec.d/private/

    With this recently created private key, the private key and the certificate
    of the CA we generate and sign the new x509 certificate for the VPN gateway
    The command extracts the public key and issues a certificate using your CA.

    $ sudo ipsec pki --pub --in VpnPiHostKey.der | ipsec pki --issue --lifetime 3650 --cacert caCert.der --cakey caKey.der --dn "C=FR, O=Home VPN, CN=xxx.freeboxos.fr" --san xxx.freeboxos.fr --flag serverAuth --flag ikeIntermediate > VpnPiHostCert.der

    BE CAREFUL !!
    Make sure that you use the correct FQDN by which the VPN gateway is accessible
    from the internet (in this case: xxx.freeboxos.fr).
    It should be the (dynamic) DNS name that points to the global IP address of
    your NAT-router and which is the server address that is used by the remote
    clients.

    Copy the VpnPiHostCert.der to the directory /etc/ipsec.d/certs

    $ sudo cp VpnPiHostCert.der /etc/ipsec.d/certs

    We are now ready with creating the needed certificates.

    Delete all .der files in /home/pi after copying them to your devices
    ipsec.d is not accessible afterwards
    $ rm *.der


    To delete a cert or key, you have to explicitly indicate the file
    $ sudo rm /etc/ipsec.d/cacerts/caCert.der


    ===============================CONFIGURATIONS===================================

    Code:
    ----------------------
    file /etc/sysctl.conf:
    ----------------------
    # Add to end of the file, or SET in file
    
    net.ipv4.ip_forward = 1
    -----------------
    Some explanations
    -----------------
    IP forwarding allows an operating system (Linux here) to forward packets
    as a router does, or more generally to route to other networks.
    Enabling IP forwarding is often used when sniffing a network
    (man-in-the-middle attack in particular) but also
    more simply when turning a Linux machine into a router
    between several networks, as here.
    -----------------
    -------------------------
    file /etc/ipsec.secrets:
    -------------------------
    Code:
    # Add to end of the file
    
    : PSK "123456#"             #(Gateway Preshared Key)
    alice : EAP "alicep1234"    #(MSCHAPv2 Username + Password)
    ----------------------
    file /etc/ipsec.conf:
    Copy full text to file
    ----------------------
    Code:
    # ------------------------------------------------------------------------------
    # /etc/ipsec.conf - strongSwan IPsec configuration file
    # left and right denote the two endpoints of an IKE_SA:
    #  * left means the local peer, i.e. the one on which the config file is stored
    #  * right is the remote peer
    #  --> left=local, right=remote
    # ------------------------------------------------------------------------------
    
    # https://wiki.strongswan.org/projects...igSetupSection
    # https://wiki.strongswan.org/projects...rConfiguration
    # The default log level for all subsystems is 1.
    config setup
        charondebug="ike 1, cfg 1"
    
    # https://wiki.strongswan.org/projects...ki/ConnSection
    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        eap_identity=%any
    
    # https://wiki.strongswan.org/projects...ki/ConnSection
    conn BB10
        leftid=78.220.20.100
        #leftid=@xxx.freeboxos.fr
        left=%defaultroute
        leftfirewall=yes
        leftauth=psk
        leftsubnet=192.168.1.0/24
        right=%any
        rightsourceip=10.0.0.0/16
        rightdns=192.168.1.254
        rightauth=eap-mschapv2
        rightsendcert=never
        auto=add
    ---------------------------
    file /etc/strongswan.conf :
    ---------------------------
    (file is empty)

    -----------------
    Some explanations
    -----------------
    Many components of strongSwan have a modular design, features can be added
    or removed using a growing list of plugins:
    https://wiki.strongswan.org/projects...iki/PluginList
    The list of loaded plugins can be seen in the output of "ipsec statusall"
    Based on https://wiki.strongswan.org/projects...iki/PluginLoad
    The recommended way to enable or disable plugins is during compile time.
    --> strongswan.conf is empty
    # https://wiki.strongswan.org/projects...StrongswanConf

    ===================================IPTABLES=====================================
    Adjustments to IPTABLES, so that the Pi maps the traffic of the VPN network
    to its physical network adapter:
    http://inai.de/images/nf-packet-flow.png

    Code:
    $ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
    $ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE
    To allow LAN nodes with private IP addresses to communicate with external
    public networks, configure the firewall for IP masquerading,
    which masks requests from LAN nodes with the IP address of the
    firewall's external device
    The rule uses the NAT packet matching table (-t nat) and specifies the
    built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's
    external networking device (-o eth0).
    The -j MASQUERADE target is specified to mask the private IP address
    of a node with the external IP address of the firewall/gateway.

    ----------
    Save Rule
    ----------
    To make iptables rules persistent, there is a package named "iptables-persistent"
    which restores them automatically.
    To do this, the rules must be saved in the file /etc/iptables/rules.v4

    Code:
    $ sudo apt-get install iptables-persistent
    
    To list out all of the active iptables rules in a table
    $ sudo iptables -L -v
    
    To list out all of the active iptables rules by specification
    $ sudo iptables -S
    ============================CONFIGURATION ON BB10===============================
    -------------------
    Code:
    Profile Name             : home
    Server Address           : 78.220.20.100
    Gateway Type             : Generic IKEv2 VPN Server
    Authentication Type      : EAP-MSCHAPv2
    Authentication ID Type   : IPV4 
    ID Authentication        : alice            (not used, can be anything)
    MSCHAPv2 Username        : alice            (-->username in ipsec.secrets)
    MSCHAPv2 Password        : alicep1234       (-->alice password in ipsec.secrets)
    Gateway Auth Type        : PSK
    Gateway Auth ID Type     : IPv4
    Gateway Preshared Key    : 123456#    (-->PSK password in ipsec.secrets)       
    
    *everything else default!
    
    PFS : NO
    Automatic IP address : YES
    Automatic DNS : YES
    Automatic Algorithm : YES
    ======================CONFIGURATION ON YOUR NAT-ROUTER==========================

    Ports to open on your Router !!
    UDP 500,4500 --> Destination to @VPN_Pi

    =====================================TOOLS======================================
    ssh tool
    MobaXterm free Xserver and tabbed SSH client for Windows

    =====================================DEBUG======================================
    ------
    ipsec
    ------
    Having changed the config files of StrongSwan, we need to start or restart
    the daemon with the specific command:
    $ sudo ipsec start
    $ sudo ipsec restart

    To see if the configurations are correctly loaded, you can view the status
    of the StrongSwan service with:

    $ sudo ipsec statusall

    To check that the eap-mschapv2 plugin is loaded, as well as the DES and MD4 algorithms

    $ sudo ipsec listall

    -----
    Logs
    -----
    The main starting point should be the logs stored in /var/log/syslog
    where StrongSwan also writes the sequences and exchanged information during
    establishing a VPN connection.
    If you read the lines carefully you will get a good hint of what went wrong.

    The preferred solution, in order to avoid losing some startup information, is to
    set in the ipsec.conf file
    config setup
    charondebug="ike 1, cfg 2"

    ------------------
    tcpdump
    ------------------
    https://wiki.strongswan.org/projects...ectTrafficDump
    Example

    To ADD iptables: ingress IPsec and IKE Traffic rule
    $ iptables -t filter -I INPUT -p esp -j NFLOG --nflog-group 5
    $ iptables -t filter -I INPUT -p ah -j NFLOG --nflog-group 5
    $ iptables -t filter -I INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5

    To Delete
    $ sudo iptables -D INPUT 3

    tcpdump
    By default, tcpdump captures only the first 68 octets of each packet.
    This can be changed with the snaplen "-s" parameter.
    "-s 0" disables the cutting off.
    By default tcpdump dumps the contents of each packet as text lines
    on the console. The parameter "-w" can be used to let it write binary
    data of the packet to a file instead.
    (Preferred if the data has to be analysed later, e.g. with Wireshark).

    tcpdump -s 0 -n -i nflog:5 -w /tmpd/trace.pcap

    ==================================REF===========================================
    Many thanks to "Tobias Brunner", main developer of StrongSwan, for his help
    +
    Information :
    WARIO's : VPN server for Blackberry 10
    How to configure Ubuntu as IKEv2 VPN server for Blackberry OS 10 ? DXSdata
    https://www.raspberrypi.org/forums/v...c.php?t=101673
    https://www.zeitgeist.se/2013/11/22/...-your-own-vpn/
    Howard Guo's blog: Create a VPN server for Blackberry Playbook (or Blackberry 10) using StrongSwan
    Raspberry Pi 2 as VPN gateway in a home network for Windows Phone 8.1 with StrongSwan, IKEv2 and EAP MSCHAPv2 authentication
    https://wiki.strongswan.org/projects.../IKEv2Examples
    openSolaris 2008 - Protecting a VPN With IPsec - System Administration Guide: IP Services
    https://wiki.strongswan.org/projects...rDocumentation
    https://support.purevpn.com/how-to-s...ckberry-10-2-1

    ================================================================================
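Added example (not from the post, nor strongSwan's own code): a small Python checker for the charon "received proposals" / "configured proposals" syslog lines shown in the SOME EXPLANATIONS section. It reports which IKE components (encryption, integrity, PRF, DH group) the BB10 and the gateway have in common, which is what decides a NO_PROPOSAL_CHOSEN, and maps each BB10 transform to the ./configure flag from the table above. The "configured proposals" line and the flag sets are constructed samples, not real charon defaults.

```python
import re

# Constructed sample charon syslog lines in the format quoted in the post: the
# "received proposals" transforms are the BB10 set from the post, the
# "configured proposals" line is a constructed gateway-side set, not a real default.
SAMPLE_LOG = """\
Apr 25 08:00:01 raspberrypi charon: 08[CFG] received proposals: IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768
Apr 25 08:00:01 raspberrypi charon: 08[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
"""

PROPOSAL_RE = re.compile(r"charon: \d+\[CFG\] (received|configured) proposals: IKE:(\S+)")

# Transform family -> ./configure flags that build a plugin providing it, per the
# post's table (MODP groups come from the openssl plugin, or gmp if it is kept).
FLAG_FOR = [
    (re.compile(r"^AES_CBC_\d+$"), ("--enable-aes",)),
    (re.compile(r"^(3DES|DES)_CBC$"), ("--enable-des",)),
    (re.compile(r"^HMAC_SHA1_"), ("--enable-sha1",)),
    (re.compile(r"^HMAC_MD5_"), ("--enable-md5",)),
    (re.compile(r"^PRF_HMAC_"), ("--enable-hmac",)),
    (re.compile(r"^MODP_\d+$"), ("--enable-openssl", "--enable-gmp")),
]

def parse_proposals(log_text):
    """Map 'received' / 'configured' to the IKE transform list charon logged."""
    return {m.group(1): m.group(2).split("/") for m in PROPOSAL_RE.finditer(log_text)}

def component(algo):
    """Bucket a transform into the IKE_SA component it negotiates."""
    if algo.startswith("PRF_"):
        return "prf"
    if algo.startswith("HMAC_"):
        return "integ"
    return "dh" if algo.startswith(("MODP_", "ECP_")) else "encr"

def common_proposal(received, configured):
    """Per-component intersection: charon only picks a proposal when every
    component has a match, otherwise the client gets NO_PROPOSAL_CHOSEN."""
    common = {"encr": set(), "integ": set(), "prf": set(), "dh": set()}
    for algo in set(received) & set(configured):
        common[component(algo)].add(algo)
    return {k: sorted(v) for k, v in common.items()}

def negotiable(common):
    return all(common.values())

def missing_build_flags(received, configure_flags):
    """Client transforms that no plugin in a build with these flags provides."""
    missing = {}
    for algo in received:
        for pat, alts in FLAG_FOR:
            if pat.match(algo) and not any(f in configure_flags for f in alts):
                missing[algo] = alts[0]
    return missing
```

Running `missing_build_flags` with a flag set that lacks --enable-des and --enable-md5 lists 3DES_CBC, DES_CBC and HMAC_MD5_96 as unsupported, which matches the point made in the INSTALL STRONGSWAN section.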
    Wow!!!

    Posted via CB10
    04-25-17 08:23 AM
  13. Leyra B10's Avatar
    Thanks for this.

    Posted via CB10
    08-19-17 10:41 PM
  14. Leyra B10's Avatar
    I have used cisco from bbworld, need copies of the licenses.

    Posted via CB10
    08-19-17 10:47 PM
