Blackberry IPsec



  • Hi,

    I am looking to connect my Blackberry Bold 9000 to the pfSense VPN using IPsec. Has anyone succeeded in doing that? What is the most compatible hardware with pfSense (Cisco PIX, Avaya, Cisco VPN Concentrator)?

    Thanks.



  • In what way are you going to use this tunnel? just curious…


  • Rebel Alliance Developer Netgate

    @samer79:

    Hi,

    I am looking to connect my Blackberry Bold 9000 to the pfSense VPN using IPsec. Has anyone succeeded in doing that? What is the most compatible hardware with pfSense (Cisco PIX, Avaya, Cisco VPN Concentrator)?

    Thanks.

    I have connected pfSense to Cisco PIX and VPN Concentrators before, as well as Linksys devices, Netgear, and all kinds of others. IPsec is a pretty wide standard, but unfortunately some of the mobile clients can be a little hard to deal with. The iPhone IPsec client, for instance, does not work with pfSense. I haven't heard either way about the Blackberry device.



  • Indeed, I looked at my Blackberry and found the IPsec configuration.
    Help me understand a concept and I'll try to establish a tunnel between the Blackberry and pfSense.
    What is my subnet? What would be the interesting traffic? I suppose on pfSense I have to configure it as a mobile client?


  • Rebel Alliance Developer Netgate

    You may need to look at this:

    http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    And then see if you can find equivalent options. It may not work until 2.0 though, because many of the options to automatically supply connecting mobile clients with settings are not present in 1.2.x.



  • Yes, I have mobile clients set up on one box; it works perfectly with remote SonicWalls that from time to time change their public IPs. So I am familiar with this setup…
    I am asking about the Blackberry side - I see how I can specify phase 1 and 2 parameters and the remote gateway, but how do I test the connection?



  • I am not sure I am successful in establishing this tunnel. I have this in the logs:

    Apr 21 11:16:43 	racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
    Apr 21 11:16:43 	racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
    Apr 21 11:16:43 	racoon: INFO: IPsec-SA established: ESP 38.99.x.x[0]->38.104.y.y[0] spi=1762534647(0x690e24f7)
    Apr 21 11:16:43 	racoon: INFO: IPsec-SA established: ESP 38.104.y.y[0]->38.99.x.x[0] spi=126348917(0x787ee75)
    Apr 21 11:16:43 	racoon: INFO: no policy found, try to generate the policy : 192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 21 11:16:43 	racoon: INFO: respond new phase 2 negotiation: 38.99.x.x[0]<=>38.104.y.y[0]
    Apr 21 11:16:43 	racoon: INFO: ISAKMP-SA established 38.99.x.x[500]-38.y.y[17099] spi:bc62ffb728410b16:5f00c2f5fba2145e
    Apr 21 11:16:43 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Apr 21 11:16:43 	racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Apr 21 11:16:43 	racoon: INFO: received Vendor ID: DPD
    Apr 21 11:16:43 	racoon: INFO: begin Aggressive mode.
    Apr 21 11:16:43 	racoon: INFO: respond new phase 1 negotiation: 38.99.x.x[500]<=>38.104.y.y[17099]
    

    So I have SPD and SAD on pfSense, the BB shows 'logged in', but how can I actually test it? :-)



  • Forgot to add, I saw encrypted traffic (but one way only):

    11:18:45.011212 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x1), length 76
    11:18:47.036172 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x2), length 76
    11:18:49.080093 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x3), length 76
    11:18:53.171444 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x4), length 76
    11:18:57.283697 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x5), length 76
    11:19:01.310786 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x6), length 76
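    As an added example (not code from the thread), a small Python script that correlates the racoon "IPsec-SA established" lines with the tcpdump ESP lines in the two posts above: it maps each ESP SPI to its direction and counts packets per SPI, so a tunnel where one SA carries traffic and the other carries none stands out as one-way, which is exactly what the capture above shows. The log and capture text are constructed from those posts, with the masked addresses kept as placeholders.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the racoon and tcpdump lines quoted
# earlier in this thread (same SPIs, masked public addresses kept as-is).
RACOON_LOG = """\
Apr 21 11:16:43 racoon: INFO: respond new phase 1 negotiation: 38.99.x.x[500]<=>38.104.y.y[17099]
Apr 21 11:16:43 racoon: INFO: begin Aggressive mode.
Apr 21 11:16:43 racoon: INFO: ISAKMP-SA established 38.99.x.x[500]-38.104.y.y[17099] spi:bc62ffb728410b16:5f00c2f5fba2145e
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.99.x.x[0]->38.104.y.y[0] spi=1762534647(0x690e24f7)
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.104.y.y[0]->38.99.x.x[0] spi=126348917(0x787ee75)
"""
TCPDUMP = """\
11:18:45.011212 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x1), length 76
11:18:47.036172 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x2), length 76
11:18:49.080093 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x3), length 76
"""

SA_RE = re.compile(r"IPsec-SA established: ESP (\S+)\[\d+\]->(\S+)\[\d+\] spi=(\d+)")
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")

def parse_esp_sas(racoon_log):
    """Map each child SA's SPI (as an int) to its (src, dst) direction."""
    return {int(m.group(3)): (m.group(1), m.group(2))
            for m in SA_RE.finditer(racoon_log)}

def count_esp_packets(tcpdump_text):
    """Count ESP packets per (src, dst, spi) as seen on the wire."""
    counts = Counter()
    for m in ESP_RE.finditer(tcpdump_text):
        counts[(m.group(1), m.group(2), int(m.group(3), 16))] += 1
    return counts

def tunnel_report(racoon_log, tcpdump_text):
    """One status line per SA; an SA with no packets means the tunnel is one-way."""
    sas = parse_esp_sas(racoon_log)
    seen = count_esp_packets(tcpdump_text)
    report = []
    if "begin Aggressive mode" in racoon_log:
        # Aggressive mode sends the PSK identity hash unprotected; worth noting in a review.
        report.append("phase 1 used Aggressive mode (PSK identity hash sent unprotected)")
    for spi, (src, dst) in sas.items():
        n = seen.get((src, dst, spi), 0)
        state = f"{n} packet(s)" if n else "NO packets seen on the wire"
        report.append(f"ESP {src}->{dst} spi=0x{spi:x}: {state}")
    return report
```

On the sample above the report shows three packets for the BB-to-pfSense SA and none for the reverse SA, matching the one-way traffic described in the post.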
    
    

  • Rebel Alliance Developer Netgate

    It looks like it's trying to route the entire internet over that IPsec tunnel. Is that an option on the BB, or something you were trying to do deliberately?

    You might try setting it to only talk to the remote subnet of the pfSense box. You should be able to test it by doing a ping (if you can?) or perhaps loading a web page on a locally hosted site by using its internal IP address. I'm not sure what the BB will let you do.



  • Whatever I try I get this:

    Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
    Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"

    Can you explain that?
    
    192.168.7.184/32 is the local IP assigned to my BB via WiFi.
    I installed an ssh client on my BB, but this traffic does not go into the IPsec tunnel.


  • I've found how to ping from the BB. So we definitely have the tunnel alive.
    I see the ESP packet from the BB terminate on the WAN of my pfSense, then it is decrypted - an ICMP request to a device on my LAN; the device responds, it is encrypted by pfSense and sent as ESP back to the Blackberry, and here this packet dies and I get a timeout. I have neither any idea why it dies nor the means to troubleshoot the packet flow inside the Blackberry. The same happens with traffic to the RIM BIS server.
    I think I failed to resolve this problem, though it was a nice experiment.


  • Rebel Alliance Developer Netgate

    @Eugene:

    Whatever I try I get this:

    Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
    Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"

    Can you explain that?
    

    That's a normal message for certain configurations. It just means that it doesn't already have that policy active, so it will try to make one.



  • Is it possible to have a sample configuration of the BB IPsec?

    Thanks.



  • I have a Bold 9000.
    First go to Options->Security Options->VPN and create a VPN connection.
    Name=ChooseAName
    Gateway type="CheckPoint".
    Concentrator IP address=your pfSense WAN IP
    Username=does not matter
    User password=put your shared secret here
    IP address and Subnet mask: try to put here the network range you are trying to reach (it's the network behind pfSense)
    All IKE and IPsec parameters are to be configured to match your pfSense settings.
    Save this VPN connection.

    Go to Options->Security Options->WiFi Connections and configure your WiFi connection. In the VPN part of this connection, enter the VPN config you created (ChooseAName).
    That is it. First connect to WiFi, then in Options->Security Options->VPN you can activate/deactivate the VPN (which is the IPsec tunnel).

