Netgate Discussion Forum
    Blackberry IPsec

    Category: IPsec
    14 Posts 3 Posters 13.5k Views
    • Eugene

      Indeed, I looked at my BlackBerry and found an IPsec configuration.
      Help me understand a concept and I'll try to establish a tunnel between the BlackBerry and pfSense.
      What is my subnet? What would be interesting traffic? I suppose on pfSense I have to configure it as a mobile client?

      http://ru.doc.pfsense.org

      • jimp (Rebel Alliance Developer Netgate)

        You may need to look at this:

        http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

        And then see if you can find equivalent options. It may not work until 2.0 though, because many of the options to automatically supply connecting mobile clients with settings are not present in 1.2.x.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Eugene

          Yes, I have mobile clients set up on one box; it works perfectly with remote SonicWalls that from time to time change their public IPs. So I am familiar with this setup…
          I am asking about the BlackBerry side: I see how I can specify phase 1 and phase 2 parameters and the remote gateway, but how do I test the connection?


          • Eugene

            I am not sure I have succeeded in establishing this tunnel; I have this in the logs:

            ```
            Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
            Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
            Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.99.x.x[0]->38.104.y.y[0] spi=1762534647(0x690e24f7)
            Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.104.y.y[0]->38.99.x.x[0] spi=126348917(0x787ee75)
            Apr 21 11:16:43 racoon: INFO: no policy found, try to generate the policy : 192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in
            Apr 21 11:16:43 racoon: INFO: respond new phase 2 negotiation: 38.99.x.x[0]<=>38.104.y.y[0]
            Apr 21 11:16:43 racoon: INFO: ISAKMP-SA established 38.99.x.x[500]-38.y.y[17099] spi:bc62ffb728410b16:5f00c2f5fba2145e
            Apr 21 11:16:43 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
            Apr 21 11:16:43 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
            Apr 21 11:16:43 racoon: INFO: received Vendor ID: DPD
            Apr 21 11:16:43 racoon: INFO: begin Aggressive mode.
            Apr 21 11:16:43 racoon: INFO: respond new phase 1 negotiation: 38.99.x.x[500]<=>38.104.y.y[17099]
            ```

            So I have an SPD and SAD on pfSense, and the BB shows 'logged in', but how can I actually test it? -)


            • Eugene

              Forgot to add, I saw encrypted traffic (but one way only):

              ```
              11:18:45.011212 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x1), length 76
              11:18:47.036172 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x2), length 76
              11:18:49.080093 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x3), length 76
              11:18:53.171444 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x4), length 76
              11:18:57.283697 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x5), length 76
              11:19:01.310786 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x6), length 76
              ```


              • jimp (Rebel Alliance Developer Netgate)

                It looks like it's trying to route the entire internet over that IPsec tunnel. Is that an option on the BB, or something you were trying to do deliberately?

                You might try setting it to only talk to the remote subnet of the pfSense box. You should be able to test it by doing a ping (if you can?) or perhaps loading a web page on a locally hosted site by using its internal IP address. I'm not sure what the BB will let you do.

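As an added example (not code from the thread or from pfSense), here is a small Python triage of racoon log lines like the ones Eugene posted: it pulls out whether phase 1 completed, which ESP SAs exist in each direction, and the traffic selectors the peer asked for, flagging the 0.0.0.0/0 selector jimp points out above. The sample log is constructed from the posted lines with the same redacted addresses.

```python
import re

# Constructed sample, modelled on the racoon lines quoted in this thread (newest first, addresses redacted as in the post).
SAMPLE_LOG = """\
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.99.x.x[0]->38.104.y.y[0] spi=1762534647(0x690e24f7)
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.104.y.y[0]->38.99.x.x[0] spi=126348917(0x787ee75)
Apr 21 11:16:43 racoon: INFO: ISAKMP-SA established 38.99.x.x[500]-38.104.y.y[17099] spi:bc62ffb728410b16:5f00c2f5fba2145e
Apr 21 11:16:43 racoon: INFO: begin Aggressive mode.
"""

# Traffic selectors quoted in the "such policy does not already exist" lines: src dst proto dir.
POLICY_RE = re.compile(r'"(?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=\S+ dir=(?P<dir>in|out)"')
# Phase 2 child SA: direction (src->dst) and SPI.
ESP_RE = re.compile(r'IPsec-SA established: ESP (?P<src>\S+)\[\d+\]->(?P<dst>\S+)\[\d+\] spi=\d+\((?P<spi>0x[0-9a-f]+)\)')

def triage(log_text):
    """Summarise one racoon negotiation: phase 1 state, ESP SAs, and the selectors the peer asked for."""
    s = {"phase1": False, "aggressive": False, "esp_sas": [], "policies": [], "full_tunnel": False}
    for line in log_text.splitlines():
        if "ISAKMP-SA established" in line:
            s["phase1"] = True
        if "begin Aggressive mode" in line:  # aggressive mode with a PSK sends the peer identity unencrypted
            s["aggressive"] = True
        m = ESP_RE.search(line)
        if m:
            s["esp_sas"].append((m["src"], m["dst"], m["spi"]))
        m = POLICY_RE.search(line)
        if m:
            s["policies"].append((m["src"], m["dst"], m["dir"]))
            # 0.0.0.0/0 on either side means the peer wants *all* of its traffic inside the tunnel.
            if "0.0.0.0/0" in (m["src"], m["dst"]):
                s["full_tunnel"] = True
    return s

def sa_pairs_complete(esp_sas):
    """Phase 2 is only usable when every ESP SA has a partner in the opposite direction."""
    pairs = {(src, dst) for src, dst, _ in esp_sas}
    return bool(pairs) and all((dst, src) in pairs for src, dst in pairs)

def findings(log_text):
    # Problems worth raising, in the order a troubleshooter would check them.
    s = triage(log_text)
    checks = [(not s["phase1"], "phase 1 (ISAKMP-SA) never completed"),
              (not sa_pairs_complete(s["esp_sas"]), "ESP SA missing in one direction"),
              (s["full_tunnel"], "peer proposed 0.0.0.0/0: all of its traffic would go through the tunnel")]
    return [msg for bad, msg in checks if bad]
```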
                • Eugene

                  Whatever I try I get this:

                  ```
                  Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
                  Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
                  ```

                  Can you explain that?

                  192.168.7.184/32 is the local IP assigned to my BB via WiFi.
                  I installed an SSH client on my BB, but this traffic does not go into the IPsec tunnel.


                  • Eugene

                    I've found how to ping from the BB, so the tunnel is definitely alive.
                    I see the ESP packet from the BB terminate on the WAN of my pfSense, then it is decrypted: an ICMP request to a device on my LAN. The device responds, the reply is encrypted by pfSense and sent as ESP back to the BlackBerry, and here this packet dies; I get a timeout. I have no idea why it dies, nor any means to troubleshoot the packet flow inside the BlackBerry. The same happens with traffic to the RIM BIS server.
                    I think I have failed to resolve this problem, though it was a nice experiment.

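The one-way ESP capture earlier in the thread and the "reply dies on the way back" symptom above are the kind of thing a quick tcpdump post-processor makes obvious. The following is an added Python example, not code from the thread or from pfSense; the capture text is constructed from the posted tcpdump lines, plus one constructed reply packet to show what a healthy, two-directional flow looks like.

```python
import re

# Constructed sample, modelled on the tcpdump lines quoted earlier in this thread:
# ESP is only ever seen leaving the BlackBerry (38.104.y.y) towards the pfSense WAN (38.99.x.x).
SAMPLE_CAPTURE = """\
11:18:45.011212 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x1), length 76
11:18:47.036172 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x2), length 76
11:18:49.080093 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x3), length 76
11:18:53.171444 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x4), length 76
"""
# Constructed healthy counterpart for comparison: the return SA carries ESP back the other way.
HEALTHY_CAPTURE = SAMPLE_CAPTURE + "11:18:45.020000 IP 38.99.x.x > 38.104.y.y: ESP(spi=0x690e24f7,seq=0x1), length 76\n"

ESP_LINE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): '
    r'ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\), length (?P<len>\d+)')

def parse_esp(capture):
    """Group ESP packets by (src, dst, spi); keep (seconds since midnight, seq) per packet."""
    flows = {}
    for line in capture.splitlines():
        m = ESP_LINE.match(line)
        if not m:
            continue
        h, mi, sec = m["ts"].split(":")
        t = int(h) * 3600 + int(mi) * 60 + float(sec)
        flows.setdefault((m["src"], m["dst"], m["spi"]), []).append((t, int(m["seq"], 16)))
    return flows

def one_way_flows(flows):
    """SPIs whose peer never answered: no ESP at all in the opposite direction."""
    seen = {(s, d) for s, d, _ in flows}
    return sorted(spi for s, d, spi in flows if (d, s) not in seen)

def seq_gaps(flows):
    """ESP sequence numbers should advance by one per packet; anything else is loss or reordering."""
    gaps = {}
    for key, pkts in flows.items():
        seqs = [q for _, q in pkts]
        gaps[key[2]] = [b - a for a, b in zip(seqs, seqs[1:]) if b - a != 1]
    return gaps

def intervals(flows, spi):
    """Seconds between consecutive packets on one SPI; steady pacing points at an application retrying."""
    pkts = [t for (s, d, p), v in flows.items() if p == spi for t, _ in v]
    return [round(b - a, 1) for a, b in zip(pkts, pkts[1:])]
```

On a pfSense box the input would come from `tcpdump -ni <WAN interface> esp`; the script only reads the text.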
                    • jimp (Rebel Alliance Developer Netgate)

                      @Eugene:

                      > Whatever I try I get this:
                      > ```
                      > Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
                      > Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
                      > ```
                      > Can you explain that?

                      That's a normal message for certain configurations. It just means that it doesn't already have that policy active, so it will try to make one.

                      • samer79

                        Is it possible to have a sample configuration of the BB IPsec?

                        Thanks.

                        • Eugene

                          I have a Bold 9000.
                          First go to Options->Security Options->VPN and create a VPN connection.
                          Name=ChooseAName
                          Gateway type="CheckPoint".
                          Concentrator IP address=your pfSense WAN IP
                          Username=does not matter
                          User password=put your shared secret here
                          IP address and Subnet mask: put here the network range you are trying to reach (the network behind pfSense)
                          All IKE and IPsec parameters are to be configured to match your pfSense settings.
                          Save this VPN connection.

                          Go to Options->Security Options->WiFi Connections and configure your WiFi connection. In the VPN part of this connection, enter the VPN config (ChooseAName).
                          That is it. First connect to WiFi, then in Options->Security Options->VPN you can activate/deactivate the VPN (which is the IPsec tunnel).

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.