About

This is a short tutorial for creating a strongSwan VPN server that BlackBerry (pre-Android) road warriors can connect to. The tutorial is written for Debian, but any other distribution will do provided it has the necessary packages.

Requirements

In order to set up strongSwan, you will need to install some packages using aptitude:

aptitude install strongswan strongswan-ikev2 libcharon-extra-plugins

where:

The tutorial also assumes that you have a configured DHCP server running on the network you want the BlackBerry to connect to. If you have not already done so, please see the dynamic DNS page, which is an example of how to set up ISC DHCP along with ISC BIND for your network.

Configuring IPSec

First, set up the shared secret and some passwords by editing /etc/ipsec.secrets and adding the lines:

: PSK "hun98"
vivi : EAP "zappto"

where hun98 is now the shared secret (change this to whatever you like) and the next line creates a user vivi with the password zappto.
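The two lines above hold plaintext credentials, so two things matter in practice: the PSK should be long and random rather than a short word like hun98, and the file must not be readable by other users. The following POSIX shell snippet is an added example (not part of the original tutorial): it generates a random PSK, writes a file in the /etc/ipsec.secrets format shown above into a scratch directory, and checks the resulting file mode. The user name vivi, the password zappto and the scratch directory are assumptions for the demo; copy the result to /etc/ipsec.secrets yourself rather than letting a script overwrite it.

```shell
#!/bin/sh
# Added example: generate a PSK, write an ipsec.secrets-style file, check its mode.

# Print a random pre-shared key: $1 bytes from /dev/urandom, base64-encoded.
# 24 bytes give a 32-character key with no '=' padding.
gen_psk() {
    head -c "${1:-24}" /dev/urandom | base64 | tr -d '\n'
}

# Write a secrets file to $1 with PSK $2 and EAP user $3 / password $4.
# The subshell keeps umask 077 local, so the file is created mode 0600.
write_secrets() {
    (
        umask 077
        printf ': PSK "%s"\n%s : EAP "%s"\n' "$2" "$3" "$4" > "$1"
    )
}

# Return 0 if the file is readable only by its owner (0600 or 0400), else 1.
secrets_mode_ok() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo run in a scratch directory (constructed sample, never /etc directly).
demo_dir=$(mktemp -d)
write_secrets "$demo_dir/ipsec.secrets" "$(gen_psk 24)" vivi zappto
if secrets_mode_ok "$demo_dir/ipsec.secrets"; then
    cat "$demo_dir/ipsec.secrets"
else
    echo "secrets file is too permissive" >&2
fi
```

After copying the generated file into place, run `ipsec rereadsecrets` so charon picks up the new PSK; the BlackBerry profile's "Gateway Preshared Key" must then be set to the same generated value.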

To configure IPSec, edit the /etc/ipsec.conf file and add or modify the following options:

config setup
	strictcrlpolicy=no
	uniqueids=yes

conn %default
	ikelifetime=60m
	keylife=20m
	keyexchange=ikev2
	dpdaction=clear
	dpdtimeout=10s
	dpddelay=10s
	compress=yes

conn rw
	rekey=no
	reauth=no
	leftsubnet=0.0.0.0/0
	leftauth=psk
	leftid=vpn.fqdn
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	rightsourceip=%dhcp
	rightauth=eap-mschapv2
	eap_identity=%any
	forceencaps=yes
	auto=route

Notes

Configuring strongSwan

Consider upgrading to at least strongSwan 5.3 from sid; we have a tutorial on how to upgrade to unstable packages in Debian.

By upgrading you will get access to a new feature that lets clients change networks quickly without any disconnects. If you have strongSwan 5.3 or greater, you can enable the make_before_break option in /etc/strongswan.d/charon.conf:

    # Initiate IKEv2 reauthentication with a make-before-break scheme.
    make_before_break = yes

DHCP

In order to have strongSwan automatically assign an IP address using a locally installed DHCP server, you will need to enable DHCP in /etc/ipsec.conf by setting rightsourceip:

rightsourceip=%dhcp

After that, edit /etc/strongswan.d/charon/dhcp.conf so that it reads:

dhcp {

    # Always use the configured server address.
    force_server_address = yes

    # Derive user-defined MAC address from hash of IKE identity.
    identity_lease = yes

    # Interface name the plugin uses for address allocation.
    # interface = br0

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # DHCP server unicast or broadcast IP address.
    server = 192.168.1.255

}

assuming that 192.168.1.255 is the broadcast address of the interface the DHCP server is listening on (retrievable using ifconfig).
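Getting the server value wrong is the usual reason the dhcp plugin silently hands out no address, so it is worth computing the broadcast address rather than guessing it. The POSIX shell snippet below is an added example, not part of the original tutorial or of strongSwan: it derives the directed broadcast address from an interface address and prefix length, then renders the dhcp { } section above with that value. The sample address 192.168.1.10/24 is constructed; substitute the address and prefix shown by ifconfig for your own interface.

```shell
#!/bin/sh
# Added example: compute the broadcast address for the dhcp plugin's "server"
# setting and render a matching dhcp.conf fragment.

# Print the directed broadcast address for an IPv4 address and prefix length,
# e.g. broadcast_addr 192.168.1.10 24 -> 192.168.1.255.
# Octets must be plain decimal (no leading zeros), as in ifconfig output.
broadcast_addr() {
    ip=$1
    prefix=$2
    oldifs=$IFS
    IFS=.
    set -- $ip                      # split the dotted quad into $1..$4
    IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    hostmask=$(( (1 << (32 - prefix)) - 1 ))   # all-ones host part
    bcast=$(( addr | hostmask ))
    printf '%d.%d.%d.%d\n' \
        $(( (bcast >> 24) & 255 )) $(( (bcast >> 16) & 255 )) \
        $(( (bcast >> 8) & 255 ))  $(( bcast & 255 ))
}

# Render the dhcp { } section from the tutorial, pointing the plugin at $1.
render_dhcp_conf() {
    printf 'dhcp {\n'
    printf '    force_server_address = yes\n'
    printf '    identity_lease = yes\n'
    printf '    load = yes\n'
    printf '    server = %s\n' "$1"
    printf '}\n'
}

# Demo with a constructed interface address.
render_dhcp_conf "$(broadcast_addr 192.168.1.10 24)"
```

The rendered text can be compared against /etc/strongswan.d/charon/dhcp.conf; if the interface is a bridge, also set the commented-out interface option to its name so the plugin sends from the right interface.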

If you are running the DHCP server on a bridge interface such as br0, you may need to add the iptables rule:

iptables -t mangle -A POSTROUTING -o br0 -p udp -m udp --dport 67 -j CHECKSUM --checksum-fill

because of a bug in DHCP concerning virtual interfaces.

BlackBerry Settings

Setting Name              Value
Profile Name              does not matter
Server Address            the IP address or hostname of your VPN server
Gateway Type              Generic IKEv2 VPN Server
Authentication Type       EAP-MSCHAPv2
Authentication ID Type    IPv4
MSCHAPv2 EAP Identity     does not matter
MSCHAPv2 Username         vivi (the username entered in /etc/ipsec.secrets)
MSCHAPv2 Password         zappto (the password entered in /etc/ipsec.secrets)
Gateway Auth Type         PSK
Gateway Auth ID Type      Fully Qualified Domain Name
Gateway Auth ID           vpn.fqdn (the value of leftid in /etc/ipsec.conf)
Gateway Preshared Key     hun98 (the PSK entered in /etc/ipsec.secrets)
Perfect Forward Secrecy   does not matter for IKEv2 (try checked)

The rest of the settings can be left as they are.

Firewall Configuration

Assuming that eth0 is the outbound interface with the IP address 43.128.33.12, add the following rules:

iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport isakmp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport isakmp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport ipsec-nat-t -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE