BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!

downtown

I got this working with the instructions by dguy and rules added by newbie1975.  Exception: item number 2 by newbie1975 didn't apply to my setup as I don't use Manual Outbound NAT.

One hitch:  When I tap the connection to connect on the BB10, I get the message: VPN connection [[i]Connection Name] requires additional information.  When I click Continue it works fine.

pfSense: 2.1.4-RELEASE
Blackberry: Z10 10.2.1.2977

newbie1975

@downtown: Do not recognise message "VPN connection [Connection Name] requires additional information". Some not mandatory information/settings must be missing on PfSense or Blackberry?

URL (https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0) recommends encryption algorithm AES 128 and hash algorithm SHA1 (both for phase 1 and 2). I have "upgraded" my PfSense settings AND Blackberry settings to AES256 and SHA256 (both for phase 1 and 2). All is working fine! I do not understand why the link mentions SHA1 (for phase 2 it even says SHA1 only) as I have read that SHA1 may have flaws and as SHA256 also seems to work fine for me.

===

Might not be the right forum for my following question, but I do not know any (other technically oriented) website for Blackberry connection/vpn issues.

Currently my Blackberry is configured to automatically connect to my router over vpn (ipsec) when mobile data is enabled, but not when using my home wifi (as PfSense is taking care of a vpn connection for all clients). Normally Blackberry first tries to connects to any known wifi networks and when not available it uses a mobile data connection. But it seems that this connection order is overruled when a vpn is configured to automatically connect (which I have configured with mobile data). Now I have to manually disable mobile data connection in order to use my wifi. Maybe somebody solved this minor inconvenience?

i68040

@newbie1975:

Any else have there Blackberry Z10 working with Pfsense? What settings do you use?

I use a BlackBerry Q10 and documented what I did to get this working here: http://boredwookie.net/index.php/blog/how-get-pfsense-ipsec-vpn-work-bb10/

The main things that I did differently than your configuration were:

• Configuring a Squid proxy so I can browse the internet when using the VPN
• Manually assigning the DNS Server in the device profile on my BlackBerry instead of relying on Mobile Settings (which didn't work)

newbie1975

After upgrading today to pfSense 2.2 my ipsec connection no longer works as expected. My mobile does connect, but no longer internet traffic is sent through the ipsec tunnel. All internet traffic is sent directly through my mobile 3g subscription. Seems related to: https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes

"Behavior changes where an incorrect configuration that worked before no longer will – There may be things that worked with racoon which were technically not configured correctly, but still worked. The only instance of this we’ve seen is for mobile IPsec clients, where Internet traffic could pass in some circumstances without having specified 0.0.0.0/0 as the local network in the mobile phase 2 configuration. If your mobile IPsec clients need to access the Internet via IPsec, your mobile phase 2 must specify 0.0.0.0/0 as the local network."

I have changed my phase 2 local subnet from LAN to 0.0.0.0/0 but then my Blackberry Z10 will not connect anymore.

Also tried to switch from agressive mode to main mode:

Changes in behavior because of this change may trigger bugs in remote endpoints that weren't previously an issue. Those using racoon (pfSense 2.1.x and earlier, among a variety of other similar products) on remote endpoints with aggressive mode may encounter a bug in racoon related to NAT-D and aggressive mode. Any site to site IPsec VPNs using aggressive mode with racoon as a remote endpoint should change to main mode to prevent this from being an issue. Main mode is preferable regardless.

But this also does not work. My mobile will not connect anymore. Maybe related to: https://forum.pfsense.org/index.php?topic=87281.0
PSK does not seem to work with main mode?

Anyone have the same issues and maybe a solution in order to force all internet traffic from Blackberry 10 through ipsec tunnel?

downtown

@newbie1975

Same here.  Upgraded and now no connection.  I'm getting a timeout.  The logs say that I'm authenticated, but then I get a timeout.

newbie1975

I did roll back to 2.1.5. Currently 2.2 does not seem production ready regarding ipsec.

ThomasB

Could the problem be solved by the new 2.2.1 version?

Thanks!

newbie1975

No. Did not work for me on 2.2.1 or 2.2.2. I am not upgrading, staying with 2.1.5. There are still too much issues with ipsec on 2.2.1 / 2.2.2.

ThomasB

It seems that 2.2.4 is much better than the previous versions.

Has anyone tested the new scenario? Otherwise I'll give it a try.

newbie1975

Did not try. At the moment I do not have time for testing. I very curious about your testing! Are you going to test a direct upgrade of 2.1.5 to 2.2.4? Also very curious if ipsec ikev2 is working with BlackBerry.

Good luck with testing!

ThomasB

I will build a basic testing system with new hardware and a fresh 2.2.4 pfSense.

At the moment the only problem is that our dealer can't deliver the ordered hardware. So we (our company & the thread followers  :P) have to wait approximately two or three weeks.
Nevertheless I am quiet optimistic  :)

If there are any other tests or known issues or working systems (@ BlackBerry OS 10.3), please leave a note in this thread.

newbie1975

@ThomasB: any updates re your basic testing  system and Ipsec/BlackBerry VPN connections?

TKenny

FWIW, I just started with pfsense on version 2.2.4 and cannot get it to work either.

I tried the boredwookie tutorial and got the same results as others (ipsec log says its connected fine, it sends a packet to the IP assigned to the z10 and then the Z10 sits there until timeout).

version 2.2.4 has an option in Phase 1 for key exchange version which I tried with 2 (I'm a newb but I assume that means Ikev2) and I get the exact same result when i try to connect with a generic IkeV2 profile with the Z10.

I may just redo my pfsense with version 2.1.5 since the rest of you seem to have  it working there.  What version of firmware are you guys using on your bb devices?  I can just see an update breaking it on the BB side too :(

Only other thing I notice is that while the BB is timing out it doesnt have the IP address the ipsec log says was assigned to it, so that might be a clue.

TKenny

OK, I have IPSec Ikev2 with PSK authentication working on pfsense 2.2.4 on my Z10 STL100-3 with software version 10.3.2.2474.

It works on my cell data connection as well as when Im on wifi in the same room as my router.

I consider this an intermediate step on the way to using certificates instead of PSK which I hope to get working soon.

A little about my (newb) setup:

Domain is:
pfsense.mydomain.com

gateway is 192.168.0.0 so router is at 192.168.0.1
I also run open vpn and that is set to use 10.10.8.0

I dont run a proxy server
I use NxFilter on a separate box as a DNS to do my ad filtering.
Someday I will connect my router to PIA to share its VPN with everyone but I don't need that yet.

Im just gonna post screenshots of my setup in the hope it helps people.  I guess they will come in after the text so I hope you can follow.  Anyone who has followed this thread will recognize all the screens anyway.

"Tunnels_1"

Note AES 256 is the highest I could do.  DH Key group can also only be 1024 bit which is a shame (see bit about logjam vuln here: https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations)

edit see my remarks at the end, you can do better than DH 1024bit.

User distinguished name is important and is used on the Z10 and in the Pre-shared keys later on.

"Tunnels_2"

Not much to say here.  I used 0.0.0.0 for local network like everyone else does.
I set my Phase 2 encryption options to match what was in phase 1.

"MobileClients"

Note the network setting.  I use 10.10.8.0 for openvpn so I used 10.10.7.0 here.

"Presshared Keys"

Note Identifier is the same as distinguished user name from phase 1

I found if I had more than one entry here I couldn't connect on my BB but that may be a fluke.

"AllowAllIPSECRule"

Just the same rule everyone else on this thread is using.  I log it so I can diagnose.

"NAT_outbound"

The "IPsec home vpn" one is from bored wookie's tutorial but I dont seem to need it so I have it disabled.

Note in the automatic rules below, 10.10.7.0 appears in both rules.  I think this was added automatically by the earlier setup but it needs to be there.

"various IMG files":

Whip out your Z10 or (hopefully) other BB device.  You will add a VPN connection for gateway type: "Generic Ikev2 VPN Server"

The important thing is you will enter the distinguished user name and key from the Pre-shared keys page in two places (Authentication ID and gateway).  Why?  I dont know.  My advice it worth what you are paying for it and maybe this leaves some raging security hole.  Use PSK for both Auth types as shown

You must specify your own DNS.  8.8.8.8 (google dns) works fine if you cant think of anything else. I think maybe you can just enter your gateway if you don't have your own DNS (in my case that would be 192.168.0.1)

I had a hard time with this DNS part during my fiddling about.  I think the Z10 is caching the DNS queries making it hard to figure out when its calling a particular server.  It looks like if you make a new private browsing window on your BB device each time you test your connection, you won't get misleading results.

Here are three screenshots covering the entire setup.  Try not to misspell your connection name like I did because  you cant change it later.  :P

"Log"

Here is a screenshot of the IPSec log for a successful login.  Note that about 5 rows down its asking for certificates.  Don't know why thats happening but hopefully its not effecting anything.  Actually its probably because I used a domain name when I setup the connection in the Z10.

I hope this helps some of you.  I was about ready to throw my (otherwise well liked) Z10 out the window.

I doubt I can help much with anyone else's setups but if I have ideas to share I will.

Next I will work on certificates…

edit  Looks like you gotta be logged in to see the images.  Hope they work for others

edit The VPN connection seems to bag on my battery like crazy during the day.  It reminds me of the days before push email, so I edited the Dead peer connection settings in phase 1 to run every 600 seconds instead of every 10.  Made the same change on the Z10 vpn config and battery usage seems better.

edit Turns out you can vastly increase cipher,hash and DH group values after all.  The problem is the Z10 won't detect them automatically so you have to enter them manually.  I have AES 256 cipher on Phase 1 and 2, SHA384 on Phase 1 and 2 and DH Group 21 on phase 1 and 2.  The only interesting thing is on the Z10 with that config you must set IKE PRF to HMAC-SHA384 (there doesnt seem to be a counterpart to that value on the pfsense side).  Otherwise the rule is "make stuff match as you change values".  I'm out of my depth knowing how high these values need to be but I guess SHA 384 is "quantum computing resistant" which sounds pretty cool.

I doubt I will push through with certs.  Its a security concern to send a PSK password the way I have it setup now but I am just one man who wants to access his router.  Im sure it can be done and I will throw some links below to those who want to try.  In the short time I worked on it I noticed that I could not get access to the "certs" folder on my Z10 which was OK because I could drop the p12 formatted cert into my documents folder and import from there but the pfsense wizard makes certs with no password and the Z10 wont let you not enter a password.  So I think you gotta go command line to make the cert and I doubt I have the time.

Anyway I was cheating off these links for those who want to push on:

Theory:
https://market-ticker.org/akcs-www?post=220395

How to get client certs onto Z10 (couldnt get this to work myself):
https://support.globoplc.com/support/index.php?/Knowledgebase/Article/View/1364/0/client-certificates-on-blackberry-10-devices

pfsense specific instructions for android that you can integrate with the information above:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Certificate_Authority

I think and will do my current setup until I get another phone.

Very sad to see the only truly secure phone vendor end up this way :(


newbie1975

Yesterday I upgraded from 2.1.5 to 2.2.5*. As experienced before I expected the ipsec connection (ikev1) not to work with BlackBerry anymore after the upgrade. Afterwards very happy that I tried, because it did not break! The BlackBerry still connected and was able to surf the internet! Do not understand. But something must have changed. Maybe during 2.2 to 2.2.5 on pfSense. Maybe on BlackBerry (currently on 10.3.2.2474). Also do remember to have changed local subnet in phase 2 from LAN to 0.0.0.0/0 when trying to get the ipsec working on 2.2. upgrade. So above mentioned instruction for pfSense and BlackBerry using ipsec (ikev1) still seem valid!

Also tried IKEv2 as described by TKenny. Also did work! Thank you for your post!

I like to be better safe then sorry, so hopefully somebody does have some answers on some of the (security) question I have:

1. TKenny mentions: "Its a security concern to send a PSK password the way I have it setup now" Why is that? Only because all client are using the same PSK? So, if one client is compromised all are? Or are there other security issues with this set up? I do use a long/safe passphrase for PSK.
2. TKenny mentions DH group 21, which is nist-ecb521. I believe ECC is mentioned regarding NSA documents (I am not sure, not being a crypto expert). Also NSA itself seems to step away from ECC:  http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html. Therefore I am using a non-ecc option.
3. Can anybody enlight me about using the same PSK on the BlackBerry (for "preshared key" and "gateway preshared key"). I do not understand the difference (and if it does has effect on security). Is it possible to use different PSK (each for a different user)? Anybody already tried?
4. Would love to hear from somebody a working PKI certificate solution. Might give it a try when I have more time based on the work and links already provided by TKenny.
5. In contrast to TKenny I have enabled MOBIKE. Hope this has effect on keeping the vpn connection alive. Currently I do experience rather quick vpn-disconnections (every few minutes I have to manual reconnect). EDIT1

Currently I am in doubt to continue to use IKEv2 as I do miss the ability to individually authenticate multiple BlackBerry users as Xauth + mutual PSK on BlackBerry is only offered with the IKEv1 (Cisco Secure PIX Firewall) version (although I do understand that the aggressive mode I am using in IKEv1 is a security flaw also to be avoided).

---

With the current possibilities and security issues and my need for multiple BlackBerry users to connect which should I favor for the time being: IKEv1 or IKEv2?

---

• Might help somebody: before upgrading this time I did follow instructions and first removed all packages. That helps! Not a instruction but seems to help when you are on location: first disabled all openvpn/ipsec server/client connections and afterwards did enable the server/client vpn connnetions.

EDIT1: DPD Frequency did not match on pfSense with BlackBerry. Adjusted both to 240 seconds. Now it does not disconnect every few minutes.

TKenny

Newbie1975: "Yesterday I upgraded from 2.1.5 to 2.2.5*"

I was thinking about this thread when I saw that 2.2.5 was released because it seems like they did a lot of work on IPSEC from the release notes:

https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes

.. Especially the line: "Brought back "auto" IKE version and fixed problems with its previous implementation."

Newbie1975:"Also tried IKEv2 as described by TKenny. Also did work!"

You gave me the courage to upgrade my pfsense.  At first I could connect but no network traffic got through.  Lots of cursing and reboots and a long sleep and it just seems to be working again.  Pfsense likes to take its time to chew on things when you make changes which makes setup frustrating.  I notice that if I specify the DNS server on the BB now, internet doesn't work but if I set it to auto it does work.  Weird.  I specify the DNS in the Mobile Client setup which means things are working a little bit more like you would expect I guess.

I should have taken your advice about shutting down the services before upgrade.  Maybe things would have gone better for me.

Newbie1975: "Its a security concern to send a PSK password the way I have it setup now"

I should have worded that better and said: "I'm concerned about only using 1 shared key in my setup".  I have no idea what kind of dangers I am creating by allowing this and I have the same concerns Newbie1975 does.

Newbie1975: "Can anybody enlight me about using the same PSK on the BlackBerry (for "preshared key" and "gateway preshared key")."

this

I worry about it too.  Did you try just adding another pre-shared key in the pfsence ipsec setup area?  If I just add the key and restart the service, the BB won't log in anymore.  Just the existence of the key messes things up.  I don't understand whats happening there at all.

I managed to set my DPD to 1200 seconds (in the hope it would save battery somehow) and at least on 2.2.4 it seemed to stay connected for a long long time.  As you mentioned, you gotta match on the BB and pfsense side or it won't work.  It seemed like I could change NAT keep alive to 90 or even 120 seconds but my results there have been more mixed.    My battery seems to have started losing charge fast with or without vpn so I have some new batteries coming in the mail from crackberry (they are cheaper on ebay but I worry about fakes).

I'm sure with some elbow grease the cert authentication can be made to work.  In fact I may have to try again because I am messing around with putting a cyanogen rom on an old android phone and the open VPN doesn't work on it for lack of a tun driver.  Because I cannot support two clients with the IKEv2 setup described I may have to work some more :)  I think it will come down to making the cert in the command line on pfsense so it can have a password so you have something to enter into the BB.  What a needless pain in the ass…

newbie1975

@TKenny:

I notice that if I specify the DNS server on the BB now, internet doesn't work but if I set it to auto it does work.  Weird.  I specify the DNS in the Mobile Client setup which means things are working a little bit more like you would expect I guess.

I have disabled "Automatically determine IP" on the BlackBerry and provided my pfSense internal IP (192.168.1.1). Seems to work on my mobile data. Still has to verify this on other wifi network. But shouldn't make a difference.

@TKenny:

Did you try just adding another pre-shared key in the pfsence ipsec setup area?  If I just add the key and restart the service, the BB won't log in anymore.  Just the existence of the key messes things up.  I don't understand whats happening there at all.

Did you also use a different Identifier on pfSense and the second BlackBerry? I will try when I have more time. Then trying will be learning  ;) Will share when I know more.

TKenny

Newbie1975: "Did you also use a different Identifier on pfSense and the second BlackBerry?

This was just me trying to have a second Pre shared key defined in pfsense.  Not even using it for anything yet and it would break the login from the BB phone.  No difference in the ipsec log file either.  It showed everything was running smoothly but the BB would give authentication error.

Anyway I spent way to much time monkeying around with certs today with nothing to show for it.  I dont know if it can be made to work.  I know more than I did but not enough to share much useful :(

I did play more with this "multiple users" problem and here is what I came up with on my one phone.

See the screenshots:

Here are some preshared keys.  I will use another@mydomain.com for the example.

Then look at the phase 1 setup screenshot.  I use a user named judy@mydomain.com there.  Thats not a pfsense user or a preshared key, its just a name I typed in that box

Then in BB setup, you can see I have another@mydomain as the user and judy@mydomain for the gateway.  The wrinkle is pfsense doesnt seem to give me anywhere to enter the password for judy.  In the BB you have to use the same password for judy@mydomain.com that you use for another@mydomain.com (jjjjj in this case) and it will connect.  Anything else I tried and it wont connect.

Later you can switch the "Authentication ID" in the BB to bbUser@mydomain.com (remember to change password to iiiii for both them and judy@mydomain.com in "Gateway Auth ID" as well for the example to work).

So that gets you multiple users with IkeV2 but you are still only using one password for each user for some reason with no password on the gateway.  I tried changing Phase 1 to "Mutual PSK + XAuth" but didnt have any luck yet.  Maybe something can be done there.

Anyway, if I had another BB phone I would probably be able to show both another@mydomain.com and bbUser@mydomain.com logged in at the same time,  so we are inching forward at least.

At this point, my main concern is getting both the BB and my old droid phone connected to vpn on pfsense somehow.  I will go back to IKEv1 if I need to :) but hopefully I can work something out with IKEv2

Cheers.


TKenny

Wanted to check in again to say that I haven't had any luck with certificate based connections.

I got something working between pfsense and Android using certs as outlined here and used what I learned to take another run at the blackberry:

https://forum.pfsense.org/index.php?topic=103650.0

Anyway for those looking to carry on, here are some notes from the trail:

• The BB likes certificates in the .pem or .p12 format.  But you can only export a CA cert from pfsense in .crt format.  Just rename it and change the extension to .pem and the BB will import it :)

• Next, the BB wants to know the password when you import a .p12 cert.  Not entering one is not allowed by the BB and pfsense won't let you add one.  I was working by exporting client certs in .p12 format and then converting the cert to .pem format using this:

  https://www.sslshopper.com/ssl-converter.html

  Obviously not cool for production systems, but fine for fiddling around.  The page lists the linux command to do it on pfsense but then you will have to figure out how to get it off pfsense.

• I could not for the life of me figure out how to get access to the "certs" folder in the BB's file system (I'm on the Z10 BTW) so I just put certs into the documents folder with a USB or wifi connection and in:

  Setup => Security and Privacy => Certificates

  .. you can import certs.

• So I tried to connect using the certs I made for the Android phone (see earlier link).  I figured I could use "Generic IKEv2 VPN" and use EAP-TLS for the Gateway type since thats what I did there.  There is a Gateway Auth type selector in there as well that I dont have on the Android phone and I dont know what to put in there.  It could be a simple PSK key.  Or maybe even selecting "None" will work but I don't know because if I do…

• When I try to log on it hangs for a while and then says, "timeout".  The relevant log entry seems to be: generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] which seems to be a certificate problem and not with the client one either.  I see things online about missing "serverAuth in EKU" causing this but I think its in my CA cert though Im not sure how to tell for sure.  Maybe converting these certs causes a loss of data or renaming the .crt file to .pem above doesn't work as well as I think

• If you go here:

  https://market-ticker.org/akcs-www?post=220395

  You can see a working solution involving certs and PSK.  looking at his examples he has an ipsec.conf file with:

  leftauth=pubkey
  rightauth=psk

  Which I cannot reproduce using the pfsense WEB UI.

  If you were really desperate I bet you could hand edit the file, but pfsense will overwrite it.  You could in theory do "chattr +i" on the file to stop it but man… thats just ugly...

I feel like Im real close with my approach though.  It seems like there is just something wrong with the CA cert, but Im out of gas.  Hopefully someone else will have some input :)

newbie1975

After upgrading to BlackBerry from 10.3.2 to 10.3.3. my vpn ikev2 connection (as described by TKenny on October 21, 2015, 11:34:40 pm) did not work anymore, although I did not change anything in the vpn setting (on BlackBerry or pfSense). Did get some authentication error, which I couldn't solve.

However, because I also had to upgrade my pfSense box from 32-bit to 64-bit in order to get the latest pfSense version, I tried again with my new acquired pfSense hardware box: just worked the first time after setting up pfSense and new vpn connection on BlackBerry.

So, just to confirm this set-up still works perfect (with BlackBerry 10.3.3 and pfSense 2.4.2)!