Blackberry IPsec
-
You may need to look at this:
http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
And then see if you can find equivalent options. It may not work until 2.0 though, because many of the options to automatically supply connecting mobile clients with settings are not present in 1.2.x.
-
Yes, I have mobile clients set up on one box; it works perfectly with remote SonicWalls that from time to time change their public IPs. So I am familiar with this set up…
I am asking about the Blackberry side - I see how I can specify phase 1 and 2 parameters and the remote gateway, but how do I test the connection? -
I am not sure I am succeeding in establishing this tunnel; I have this in the logs:
```
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.99.x.x[0]->38.104.y.y[0] spi=1762534647(0x690e24f7)
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.104.y.y[0]->38.99.x.x[0] spi=126348917(0x787ee75)
Apr 21 11:16:43 racoon: INFO: no policy found, try to generate the policy : 192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 21 11:16:43 racoon: INFO: respond new phase 2 negotiation: 38.99.x.x[0]<=>38.104.y.y[0]
Apr 21 11:16:43 racoon: INFO: ISAKMP-SA established 38.99.x.x[500]-38.y.y[17099] spi:bc62ffb728410b16:5f00c2f5fba2145e
Apr 21 11:16:43 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Apr 21 11:16:43 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 21 11:16:43 racoon: INFO: received Vendor ID: DPD
Apr 21 11:16:43 racoon: INFO: begin Aggressive mode.
Apr 21 11:16:43 racoon: INFO: respond new phase 1 negotiation: 38.99.x.x[500]<=>38.104.y.y[17099]
```
So I have an SPD and SAD on pfSense, and the BB shows 'logged in', but how can I actually test it? -)
-
Forgot to add, I saw encrypted traffic (but one way only):
```
11:18:45.011212 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x1), length 76
11:18:47.036172 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x2), length 76
11:18:49.080093 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x3), length 76
11:18:53.171444 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x4), length 76
11:18:57.283697 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x5), length 76
11:19:01.310786 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x6), length 76
```
-
It looks like it's trying to route the entire internet over that IPsec tunnel. Is that an option on the BB, or something you were trying to do deliberately?
You might try setting it to only talk to the remote subnet of the pfSense box. You should be able to test it by doing a ping (if you can?) or perhaps loading a web page on a locally hosted site by using its internal IP address. I'm not sure what the BB will let you do.
-
Whatever I try I get this:
```
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
```
Can you explain that? 192.168.7.184/32 is the local IP assigned to my BB via WiFi. I installed an ssh client on my BB but this traffic does not go into the ipsec tunnel.
-
I've found how to ping from BB. So we have the tunnel definitely alive.
I see the ESP packet from the BB terminate on the WAN of my pfSense, then it is decrypted - an icmp request to a device on my LAN; the device responds, the reply is encrypted by pfSense and sent as ESP back to the Blackberry, and here this packet dies: I get a time out. I have no idea why it dies, nor any means to troubleshoot packet flow inside the Blackberry. The same happens with traffic to the RIM BIS server.
I think I failed to resolve this problem, though it was a nice experiment.
-
Whatever I try I get this:
```
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.7.184/32[0] proto=any dir=out"
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
```
Can you explain that?
That's a normal message for certain configurations. It just means that it doesn't already have that policy active, so it will try to make one.
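As an added example (not code from the thread, from pfSense or from racoon), the following Python script parses the kind of racoon log lines and tcpdump ESP lines quoted in the posts above and reports what is worth checking before calling the tunnel "up": whether IKE phase 1 and phase 2 completed, whether the generated policy has a 0.0.0.0/0 selector (the "route the entire internet" behaviour noted above), and whether ESP was actually observed for both negotiated SPIs or, as in the capture above, for one direction only. The sample log and capture are constructed from the thread's lines (the paste's "38.y.y" is written out as 38.104.y.y so both peers are consistent); the regular expressions and function names are the example's own, and racoon's unpadded SPI (0x787ee75) is compared numerically with tcpdump's padded one (0x0787ee75).

```python
"""Summarise racoon IKE log lines and tcpdump ESP lines into a tunnel check.

Added example; not code from the forum thread, pfSense or racoon. All sample
input below is constructed from the lines quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: racoon lines from the thread in chronological order
# (the forum paste lists newest first). The paste's "38.y.y" is written
# out as 38.104.y.y here so the two peers are consistent.
RACOON_LOG = """\
Apr 21 11:16:43 racoon: INFO: respond new phase 1 negotiation: 38.99.x.x[500]<=>38.104.y.y[17099]
Apr 21 11:16:43 racoon: INFO: begin Aggressive mode.
Apr 21 11:16:43 racoon: INFO: ISAKMP-SA established 38.99.x.x[500]-38.104.y.y[17099] spi:bc62ffb728410b16:5f00c2f5fba2145e
Apr 21 11:16:43 racoon: INFO: respond new phase 2 negotiation: 38.99.x.x[0]<=>38.104.y.y[0]
Apr 21 11:16:43 racoon: INFO: no policy found, try to generate the policy : 192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.104.y.y[0]->38.99.x.x[0] spi=126348917(0x787ee75)
Apr 21 11:16:43 racoon: INFO: IPsec-SA established: ESP 38.99.x.x[0]->38.104.y.y[0] spi=1762534647(0x690e24f7)
Apr 21 11:16:43 racoon: ERROR: such policy does not already exist: "192.168.7.184/32[0] 0.0.0.0/0[0] proto=any dir=in"
"""

# Constructed sample: the tcpdump lines from the thread (ESP one way only).
TCPDUMP = """\
11:18:45.011212 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x1), length 76
11:18:47.036172 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x2), length 76
11:18:49.080093 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x3), length 76
11:18:53.171444 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x4), length 76
11:18:57.283697 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x5), length 76
11:19:01.310786 IP 38.104.y.y > 38.99.x.x: ESP(spi=0x0787ee75,seq=0x6), length 76
"""

ADDR = r"([^\s\[\]]+)"  # an address or prefix token, up to its "[port]" suffix
HEX = r"(0x[0-9a-fA-F]+)"
ISAKMP_RE = re.compile(r"ISAKMP-SA established " + ADDR + r"\[\d+\]-" + ADDR + r"\[\d+\] spi:")
IPSEC_SA_RE = re.compile(r"IPsec-SA established: ESP " + ADDR + r"\[\d+\]->" + ADDR + r"\[\d+\] spi=\d+\(" + HEX + r"\)")
POLICY_RE = re.compile(r"generate the policy : " + ADDR + r"\[\d+\] " + ADDR + r"\[\d+\] proto=(\S+) dir=(\w+)")
ESP_RE = re.compile(r"IP " + ADDR + r" > ([^\s:]+): ESP\(spi=" + HEX + r",seq=" + HEX + r"\)")


def parse_racoon(log):
    """Extract IKE state: phase 1 mode and SA, phase 2 SAs by SPI, generated policies."""
    state = {"aggressive_mode": False, "isakmp_sa": None, "ipsec_sas": {}, "policies": []}
    for line in log.splitlines():
        if "begin Aggressive mode" in line:
            state["aggressive_mode"] = True
        if m := ISAKMP_RE.search(line):
            state["isakmp_sa"] = (m.group(1), m.group(2))
        if m := IPSEC_SA_RE.search(line):
            src, dst, spi = m.groups()
            # racoon prints the SPI unpadded (0x787ee75) while tcpdump pads it
            # (0x0787ee75): key on the integer value, not on the string
            state["ipsec_sas"][int(spi, 16)] = (src, dst)
        if m := POLICY_RE.search(line):
            state["policies"].append(m.groups())  # (src, dst, proto, dir)
    return state


def parse_tcpdump(capture):
    """Group observed ESP packets by SPI: spi -> list of (src, dst, seq)."""
    packets = defaultdict(list)
    for line in capture.splitlines():
        if m := ESP_RE.search(line):
            src, dst, spi, seq = m.groups()
            packets[int(spi, 16)].append((src, dst, int(seq, 16)))
    return packets


def check_tunnel(log, capture):
    """Combine IKE state and observed ESP traffic into a verdict dict."""
    ike = parse_racoon(log)
    esp = parse_tcpdump(capture)
    report = {
        "phase1_ok": ike["isakmp_sa"] is not None,
        "aggressive_mode": ike["aggressive_mode"],
        # a working tunnel needs one ESP SA per direction
        "phase2_ok": len(ike["ipsec_sas"]) == 2,
        # 0.0.0.0/0 in the selector means the client sends all of its traffic
        # into the tunnel rather than only the LAN behind the gateway
        "full_tunnel_selector": any("0.0.0.0/0" in (src, dst) for src, dst, _, _ in ike["policies"]),
        "esp_counts": {},
        "silent_directions": [],
    }
    for spi, (src, dst) in ike["ipsec_sas"].items():
        key = f"{src}->{dst}"
        report["esp_counts"][key] = len(esp.get(spi, []))
        if not esp.get(spi):
            report["silent_directions"].append(key)  # SA negotiated, no packets seen
    # ESP with an SPI racoon never negotiated: a stale SA or another peer
    report["unknown_spis"] = [f"0x{spi:08x}" for spi in esp if spi not in ike["ipsec_sas"]]
    return report


if __name__ == "__main__":
    for key, value in check_tunnel(RACOON_LOG, TCPDUMP).items():
        print(f"{key}: {value}")
```

Run against the thread's lines it reports both phases complete, a full-tunnel selector, six ESP packets for the phone-to-pfSense SPI and none for the pfSense-to-phone SPI, which is exactly the "reply packet dies" symptom: the gateway side negotiated and encrypted correctly, so the remaining question is on the client side, not in the pfSense SAD.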
-
Is it possible to have a sample configuration of the BB IPsec?
Thanks.
-
I have Bold 9000.
First go to Options->Security Options->VPN and create a VPN connection.
Name=ChooseAName
Gateway type="CheckPoint".
Concentrator IP address=your pfSense WAN IP
Username=does not matter
User password=put your shared secret here
IP address and Subnet mask: try to put here the network range you are trying to reach (it's the network behind pfSense)
All IKE and IPSec parameters to be configured to match your pfSense settings.
Save this VPN connection. Go to Options->Security Options->WiFi Connections and configure your WiFi connection. In the VPN part of this connection, enter the VPN config (ChooseAName).
That is it. First connect to WiFi, then in Options->Security Options->VPN you can activate/deactivate the VPN (which is the ipsec tunnel).