BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
-
After a lot of trial and error I finally got this working and thought I would share.
My Settings…
Device: Blackberry Z10 (Software Release: 10.2.0.429)
Firewall: pfSense 2.1
The method that finally worked was using this document to a T.
https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
The device config that worked for me was the following:
BlackBerry Z10 Settings
Profile Name: Test
Server Address: 26.27.28.29 (couldn’t get to work with domain name)
Gateway Type: Cisco Secure PIX Firewall VPN
Authentication Type: XAUTH-PSK
Group Username: username@test.com
Group Password: Thisisjustatest
Hardware Token: OFF
Username: Tester
Password: 12345
Auto Determine IP: ON
Automatically Determine DNS: OFF (couldn't get to work when set to ON)
Primary DNS: 10.2.3.4
DNS Suffix: test.com
Automatically Determine Algorithm: ON
IKE Lifetime (Seconds): 86400
IPSec Lifetime (Seconds): 10800
NAT Keep Alive (Seconds): 30
DPD Frequency (Seconds): 240
Disable Banner: OFF
Use Proxy: OFF
-
I also have a Blackberry Z10 (10.2.1) but I am unable to establish an ipsec connection with my router (2.1-RELEASE (i386)). I have followed every step, but was not successful. After some time trying to connect I received a timeout on the Blackberry.
https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 does not mention how to set up "Extended Authentication (Xauth)" on the Mobile clients tab. I have used "Local Database" (only available option) for User Authentication and "system" for Group Authentication. I have replaced "Primary DNS: 10.2.3.4" with my dns forwarder 192.168.1.1. (also tried with Opendns).
Then I tried adjusting many settings without success, such as:
- enabled and disabled "Provide a DNS server list to clients" with 192.168.1.1
- enabled and disabled "Enable DPD" on phase 1
Any help would be much appreciated. I am very curious if your settings still work. Maybe we can exchange screenshots (of pfsense and Blackberry setting)?
More details below (ipsec log).
Feb 23 23:14:22 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
Feb 23 23:14:22 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Feb 23 23:14:22 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Feb 23 23:14:22 racoon: INFO: Resize address pool from 0 to 253
Feb 23 23:14:22 racoon: [Self]: INFO: XX.XXX.180.6[4500] used for NAT-T
Feb 23 23:14:22 racoon: [Self]: INFO: XX.XXX.180.6[4500] used as isakmp port (fd=13)
Feb 23 23:14:22 racoon: [Self]: INFO: XX.XXX.180.6[500] used for NAT-T
Feb 23 23:14:22 racoon: [Self]: INFO: XX.XXX.180.6[500] used as isakmp port (fd=14)
Feb 23 23:14:24 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
Feb 23 23:14:24 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Feb 23 23:14:24 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Feb 23 23:14:24 racoon: INFO: Resize address pool from 0 to 253
Feb 23 23:14:24 racoon: [Self]: INFO: XX.XXX.180.6[4500] used for NAT-T
Feb 23 23:14:24 racoon: [Self]: INFO: XX.XXX.180.6[4500] used as isakmp port (fd=19)
Feb 23 23:14:24 racoon: [Self]: INFO: XX.XXX.180.6[500] used for NAT-T
Feb 23 23:14:24 racoon: [Self]: INFO: XX.XXX.180.6[500] used as isakmp port (fd=22)
Feb 23 23:14:24 racoon: INFO: unsupported PF_KEY message REGISTER
Feb 23 23:14:24 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
Feb 23 23:14:24 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
Feb 23 23:16:03 racoon: [Self]: INFO: respond new phase 1 negotiation: XX.XXX.180.6[500]<=>XX.XX.45.186[500]
Feb 23 23:16:03 racoon: INFO: begin Aggressive mode.
Feb 23 23:16:03 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 23 23:16:03 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 23 23:16:03 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 23 23:16:03 racoon: INFO: received Vendor ID: DPD
Feb 23 23:16:03 racoon: [92.69.45.186] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Feb 23 23:16:03 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 23 23:16:03 racoon: [92.69.45.186] INFO: Hashing XX.XX.45.186[500] with algo #2 (NAT-T forced)
Feb 23 23:16:03 racoon: [Self]: [XX.XXX.180.6] INFO: Hashing XX.XXX.180.6[500] with algo #2 (NAT-T forced)
Feb 23 23:16:03 racoon: INFO: Adding xauth VID payload.
Feb 23 23:16:13 racoon: NOTIFY: the packet is retransmitted by XX.XX.45.186[500] (1).
Feb 23 23:16:23 racoon: NOTIFY: the packet is retransmitted by XX.XX.45.186[500] (1).
-
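The racoon log in the post above shows the pattern that usually means the responder's reply is not getting back to the client: phase 1 begins in Aggressive mode, pfSense adds its NAT-D and xauth payloads, and then the client just retransmits its first packet until it times out. The script below is an added example (not code from pfSense or from anyone in this thread) that parses racoon log lines in that format and flags a phase 1 that never reaches "ISAKMP-SA established". The wording of the negotiation and retransmit lines is taken from the excerpt above; the two success markers ("ISAKMP-SA established" and "login succeeded for user") are racoon's normal output and are assumed here, and the addresses in the embedded sample logs are constructed from documentation ranges.

```python
"""Triage a pfSense 2.1 (racoon) IPsec log for a mobile-client phase 1 that
never completes.  Added example, not code from pfSense or from this thread.
The negotiation/retransmit wording follows the log excerpt in the thread;
'ISAKMP-SA established' and 'login succeeded for user' are racoon's usual
success messages and are assumed.  Sample addresses are constructed."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[[^\]]*\]:? )*"                      # optional "[Self]: " / "[peer] " tags
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR): (?P<msg>.*)$")
PHASE1_RE = re.compile(r"respond new phase 1 negotiation: \S+<=>(?P<peer>[^\[\s]+)\[\d+\]")
RETRANS_RE = re.compile(r"the packet is retransmitted by (?P<peer>[^\[\s]+)\[\d+\] \(\d+\)")
ESTAB_RE = re.compile(r"ISAKMP-SA established [^\[\s]+\[\d+\]-(?P<peer>[^\[\s]+)\[\d+\]")


def parse(lines):
    """Yield (timestamp, level, message) for each line that is a racoon entry."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")


def _new_state():
    return {"started": None, "mode": None, "vendor_ids": [],
            "retransmits": 0, "established": False, "xauth_ok": False}


def triage(lines):
    """Summarise every phase 1 the responder handled and list findings."""
    peers = defaultdict(_new_state)
    findings = []
    current = None                      # peer of the negotiation being logged
    for ts, level, msg in parse(lines):
        if (m := PHASE1_RE.search(msg)):
            current = m.group("peer")
            peers[current]["started"] = ts
        elif current and msg.startswith("begin ") and msg.endswith(" mode."):
            peers[current]["mode"] = msg[len("begin "):-len(" mode.")]
        elif current and msg.startswith("received Vendor ID: "):
            peers[current]["vendor_ids"].append(msg[len("received Vendor ID: "):])
        elif (m := RETRANS_RE.search(msg)):
            peers[m.group("peer")]["retransmits"] += 1
        elif (m := ESTAB_RE.search(msg)):
            peers[m.group("peer")]["established"] = True
        elif current and msg.startswith("login succeeded for user"):
            peers[current]["xauth_ok"] = True
        elif level == "ERROR" and "such policy already exists" in msg:
            # Logged at (re)start when an SPD entry survives; racoon replaces it.
            findings.append(("spd_replaced_at_start", None))
    for peer, st in peers.items():
        if st["retransmits"] and not st["established"]:
            # The responder answered (NAT-D / xauth VID payloads were logged) but
            # the client kept resending its first message: the reply never
            # reached it or was rejected.  In this thread the fix was allowing
            # UDP 500/4500 on WAN; a PSK or identifier mismatch looks the same.
            findings.append(("phase1_incomplete", peer))
    return {"peers": dict(peers), "findings": findings}


# Constructed sample modelled on the excerpt above (203.0.113.6 = pfSense WAN,
# 198.51.100.186 = the phone); only the addresses differ from the thread.
FAILED_LOG = """\
Feb 23 23:14:24 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
Feb 23 23:16:03 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.6[500]<=>198.51.100.186[500]
Feb 23 23:16:03 racoon: INFO: begin Aggressive mode.
Feb 23 23:16:03 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 23 23:16:03 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 23 23:16:03 racoon: INFO: received Vendor ID: DPD
Feb 23 23:16:03 racoon: [198.51.100.186] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Feb 23 23:16:03 racoon: [Self]: [203.0.113.6] INFO: Hashing 203.0.113.6[500] with algo #2 (NAT-T forced)
Feb 23 23:16:03 racoon: INFO: Adding xauth VID payload.
Feb 23 23:16:13 racoon: NOTIFY: the packet is retransmitted by 198.51.100.186[500] (1).
Feb 23 23:16:23 racoon: NOTIFY: the packet is retransmitted by 198.51.100.186[500] (1).
""".splitlines()

# Constructed sample of a negotiation that completes (spi value is a placeholder).
SUCCESS_LOG = """\
Feb 24 08:01:10 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.6[500]<=>198.51.100.186[500]
Feb 24 08:01:10 racoon: INFO: begin Aggressive mode.
Feb 24 08:01:10 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 24 08:01:11 racoon: INFO: ISAKMP-SA established 203.0.113.6[4500]-198.51.100.186[4500] spi:<constructed>
Feb 24 08:01:12 racoon: INFO: login succeeded for user "Tester"
""".splitlines()

if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("success", SUCCESS_LOG)):
        print(name, triage(log))
```

Feed it the contents of the IPsec log tab (or `/var/log/ipsec.log` on the box) and a `phase1_incomplete` finding tells you to look at the WAN rules for UDP 500/4500 and at the PSK/identifier pair before touching anything else; `spd_replaced_at_start` entries are normal after a service restart and can be ignored.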
Got it working!
Exactly followed the tutorials for Pfsense and Blackberry AND added the following rules:
- Allowed any on ipsec tab (already had that rule: was explicitly mentioned);
- Added multiple NAT rules (outbound tab) for the new IPSEC subnet for WAN and Openvpn (figured this was needed as I have "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" enabled, as AON was needed for my Openvpn server to get working (router connects to privateinternetaccess via openvpn so all clients can benefit)
- Allowed port 500 (ISAKMP) on wan tab
- Allowed port 4500 (IPSEC NAT-T) on wan tab (needed?)
When I added number 2) I was able to establish a VPN connection from my guest wifi (shielded from my LAN), but did not get it working on a mobile connection (3G). When I added numbers 3) and 4) I was also able to establish a VPN connection from the mobile data connection.
Over the next few days I will try to harden security (try disabling some NAT rules of number 2) and disable 4) and see if the connection is still working.
Anyone else have their Blackberry Z10 working with Pfsense? What settings do you use?
-
I got this working with the instructions by dguy and rules added by newbie1975. Exception: item number 2 by newbie1975 didn't apply to my setup as I don't use Manual Outbound NAT.
One hitch: When I tap the connection to connect on the BB10, I get the message: VPN connection [Connection Name] requires additional information. When I click Continue it works fine.
pfSense: 2.1.4-RELEASE
Blackberry: Z10 10.2.1.2977
-
@downtown: I do not recognise the message "VPN connection [Connection Name] requires additional information". Some non-mandatory information/settings must be missing on PfSense or Blackberry?
URL (https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0) recommends encryption algorithm AES 128 and hash algorithm SHA1 (both for phase 1 and 2). I have "upgraded" my PfSense settings AND Blackberry settings to AES256 and SHA256 (both for phase 1 and 2). All is working fine! I do not understand why the link mentions SHA1 (for phase 2 it even says SHA1 only) as I have read that SHA1 may have flaws and as SHA256 also seems to work fine for me.
===
Might not be the right forum for my following question, but I do not know any (other technically oriented) website for Blackberry connection/vpn issues.
Currently my Blackberry is configured to automatically connect to my router over vpn (ipsec) when mobile data is enabled, but not when using my home wifi (as PfSense is taking care of a vpn connection for all clients). Normally Blackberry first tries to connect to any known wifi networks and when not available it uses a mobile data connection. But it seems that this connection order is overruled when a vpn is configured to automatically connect (which I have configured with mobile data). Now I have to manually disable the mobile data connection in order to use my wifi. Maybe somebody solved this minor inconvenience?
-
Anyone else have their Blackberry Z10 working with Pfsense? What settings do you use?
I use a BlackBerry Q10 and documented what I did to get this working here: http://boredwookie.net/index.php/blog/how-get-pfsense-ipsec-vpn-work-bb10/
The main things that I did differently than your configuration were:
- Configuring a Squid proxy so I can browse the internet when using the VPN
- Manually assigning the DNS Server in the device profile on my BlackBerry instead of relying on Mobile Settings (which didn't work)
-
After upgrading today to pfSense 2.2 my ipsec connection no longer works as expected. My mobile does connect, but internet traffic is no longer sent through the ipsec tunnel. All internet traffic is sent directly through my mobile 3G subscription. Seems related to: https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes
"Behavior changes where an incorrect configuration that worked before no longer will – There may be things that worked with racoon which were technically not configured correctly, but still worked. The only instance of this we’ve seen is for mobile IPsec clients, where Internet traffic could pass in some circumstances without having specified 0.0.0.0/0 as the local network in the mobile phase 2 configuration. If your mobile IPsec clients need to access the Internet via IPsec, your mobile phase 2 must specify 0.0.0.0/0 as the local network."
I have changed my phase 2 local subnet from LAN to 0.0.0.0/0 but then my Blackberry Z10 will not connect anymore.
Also tried to switch from aggressive mode to main mode:
Changes in behavior because of this change may trigger bugs in remote endpoints that weren't previously an issue. Those using racoon (pfSense 2.1.x and earlier, among a variety of other similar products) on remote endpoints with aggressive mode may encounter a bug in racoon related to NAT-D and aggressive mode. Any site to site IPsec VPNs using aggressive mode with racoon as a remote endpoint should change to main mode to prevent this from being an issue. Main mode is preferable regardless.
But this also does not work. My mobile will not connect anymore. Maybe related to: https://forum.pfsense.org/index.php?topic=87281.0
PSK does not seem to work with main mode?
Anyone have the same issues and maybe a solution in order to force all internet traffic from Blackberry 10 through the ipsec tunnel?
-
Same here. Upgraded and now no connection. I'm getting a timeout. The logs say that I'm authenticated, but then I get a timeout.
-
I did roll back to 2.1.5. Currently 2.2 does not seem production ready regarding ipsec.
-
Could the problem be solved by the new 2.2.1 version?
Thanks!
-
No. Did not work for me on 2.2.1 or 2.2.2. I am not upgrading, staying with 2.1.5. There are still too many issues with ipsec on 2.2.1 / 2.2.2.
-
It seems that 2.2.4 is much better than the previous versions.
Has anyone tested the new scenario? Otherwise I'll give it a try.
-
Did not try. At the moment I do not have time for testing. I am very curious about your testing! Are you going to test a direct upgrade of 2.1.5 to 2.2.4? Also very curious if ipsec ikev2 is working with BlackBerry.
Good luck with testing!
-
I will build a basic testing system with new hardware and a fresh 2.2.4 pfSense.
At the moment the only problem is that our dealer can't deliver the ordered hardware. So we (our company & the thread followers :P) have to wait approximately two or three weeks.
Nevertheless I am quite optimistic :)
If there are any other tests or known issues or working systems (@ BlackBerry OS 10.3), please leave a note in this thread.
-
@ThomasB: any updates re your basic testing system and Ipsec/BlackBerry VPN connections?
-
FWIW, I just started with pfsense on version 2.2.4 and cannot get it to work either.
I tried the boredwookie tutorial and got the same results as others (ipsec log says it's connected fine, it sends a packet to the IP assigned to the Z10 and then the Z10 sits there until timeout).
Version 2.2.4 has an option in Phase 1 for key exchange version which I tried with 2 (I'm a newb but I assume that means IKEv2) and I get the exact same result when I try to connect with a generic IKEv2 profile on the Z10.
I may just redo my pfsense with version 2.1.5 since the rest of you seem to have it working there. What version of firmware are you guys using on your bb devices? I can just see an update breaking it on the BB side too :(
Only other thing I notice is that while the BB is timing out it doesn't have the IP address the ipsec log says was assigned to it, so that might be a clue.
-
OK, I have IPSec Ikev2 with PSK authentication working on pfsense 2.2.4 on my Z10 STL100-3 with software version 10.3.2.2474.
It works on my cell data connection as well as when I'm on wifi in the same room as my router.
I consider this an intermediate step on the way to using certificates instead of PSK which I hope to get working soon.
A little about my (newb) setup:
Domain is:
pfsense.mydomain.com
gateway is 192.168.0.0 so router is at 192.168.0.1
I also run open vpn and that is set to use 10.10.8.0
I don't run a proxy server
I use NxFilter on a separate box as a DNS to do my ad filtering.
Someday I will connect my router to PIA to share its VPN with everyone but I don't need that yet.
I'm just gonna post screenshots of my setup in the hope it helps people. I guess they will come in after the text so I hope you can follow. Anyone who has followed this thread will recognize all the screens anyway.
"Tunnels_1"
Note AES 256 is the highest I could do. DH Key group can also only be 1024 bit which is a shame (see bit about logjam vuln here: https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations)
edit: see my remarks at the end, you can do better than DH 1024bit.
User distinguished name is important and is used on the Z10 and in the Pre-shared keys later on.
"Tunnels_2"
Not much to say here. I used 0.0.0.0 for local network like everyone else does.
I set my Phase 2 encryption options to match what was in phase 1.
"MobileClients"
Note the network setting. I use 10.10.8.0 for openvpn so I used 10.10.7.0 here.
"Pre-shared Keys"
Note Identifier is the same as distinguished user name from phase 1
I found if I had more than one entry here I couldn't connect on my BB but that may be a fluke.
"AllowAllIPSECRule"
Just the same rule everyone else on this thread is using. I log it so I can diagnose.
"NAT_outbound"
The "IPsec home vpn" one is from bored wookie's tutorial but I don't seem to need it so I have it disabled.
Note in the automatic rules below, 10.10.7.0 appears in both rules. I think this was added automatically by the earlier setup but it needs to be there.
"various IMG files":
Whip out your Z10 or (hopefully) other BB device. You will add a VPN connection for gateway type: "Generic Ikev2 VPN Server"
The important thing is you will enter the distinguished user name and key from the Pre-shared keys page in two places (Authentication ID and gateway). Why? I don't know. My advice is worth what you are paying for it and maybe this leaves some raging security hole. Use PSK for both Auth types as shown.
You must specify your own DNS. 8.8.8.8 (google dns) works fine if you can't think of anything else. I think maybe you can just enter your gateway if you don't have your own DNS (in my case that would be 192.168.0.1).
I had a hard time with this DNS part during my fiddling about. I think the Z10 is caching the DNS queries making it hard to figure out when it's calling a particular server. It looks like if you make a new private browsing window on your BB device each time you test your connection, you won't get misleading results.
Here are three screenshots covering the entire setup. Try not to misspell your connection name like I did because you can't change it later. :P
"Log"
Here is a screenshot of the IPSec log for a successful login. Note that about 5 rows down it's asking for certificates. Don't know why that's happening but hopefully it's not affecting anything. Actually it's probably because I used a domain name when I set up the connection on the Z10.
I hope this helps some of you. I was about ready to throw my (otherwise well liked) Z10 out the window.
I doubt I can help much with anyone else's setups but if I have ideas to share I will.
Next I will work on certificates…
edit: Looks like you gotta be logged in to see the images. Hope they work for others.
edit: The VPN connection seems to bag on my battery like crazy during the day. It reminds me of the days before push email, so I edited the Dead peer connection settings in phase 1 to run every 600 seconds instead of every 10. Made the same change on the Z10 vpn config and battery usage seems better.
edit: Turns out you can vastly increase cipher, hash and DH group values after all. The problem is the Z10 won't detect them automatically so you have to enter them manually. I have AES 256 cipher on Phase 1 and 2, SHA384 on Phase 1 and 2 and DH Group 21 on phase 1 and 2. The only interesting thing is on the Z10 with that config you must set IKE PRF to HMAC-SHA384 (there doesn't seem to be a counterpart to that value on the pfsense side). Otherwise the rule is "make stuff match as you change values". I'm out of my depth knowing how high these values need to be but I guess SHA 384 is "quantum computing resistant" which sounds pretty cool.
I doubt I will push through with certs. It's a security concern to send a PSK password the way I have it set up now but I am just one man who wants to access his router. I'm sure it can be done and I will throw some links below to those who want to try. In the short time I worked on it I noticed that I could not get access to the "certs" folder on my Z10 which was OK because I could drop the p12 formatted cert into my documents folder and import from there but the pfsense wizard makes certs with no password and the Z10 won't let you not enter a password. So I think you gotta go command line to make the cert and I doubt I have the time.
Anyway I was cheating off these links for those who want to push on:
Theory:
https://market-ticker.org/akcs-www?post=220395
How to get client certs onto Z10 (couldn't get this to work myself):
https://support.globoplc.com/support/index.php?/Knowledgebase/Article/View/1364/0/client-certificates-on-blackberry-10-devices
pfsense specific instructions for android that you can integrate with the information above:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Certificate_Authority
I think I will do my current setup until I get another phone.
Very sad to see the only truly secure phone vendor end up this way :(
![Pre-shared keys.png](/public/imported_attachments/1/Pre-shared keys.png)
-
Yesterday I upgraded from 2.1.5 to 2.2.5*. As experienced before I expected the ipsec connection (ikev1) not to work with BlackBerry anymore after the upgrade. Afterwards very happy that I tried, because it did not break! The BlackBerry still connected and was able to surf the internet! Do not understand. But something must have changed. Maybe during 2.2 to 2.2.5 on pfSense. Maybe on BlackBerry (currently on 10.3.2.2474). Also do remember to have changed local subnet in phase 2 from LAN to 0.0.0.0/0 when trying to get the ipsec working on 2.2. upgrade. So above mentioned instruction for pfSense and BlackBerry using ipsec (ikev1) still seem valid!
Also tried IKEv2 as described by TKenny. Also did work! Thank you for your post!
I like to be better safe than sorry, so hopefully somebody has some answers to some of the (security) questions I have:
- TKenny mentions: "It's a security concern to send a PSK password the way I have it set up now" Why is that? Only because all clients are using the same PSK? So, if one client is compromised, all are? Or are there other security issues with this setup? I do use a long/safe passphrase for PSK.
- TKenny mentions DH group 21, which is nist ecp521. I believe ECC is mentioned regarding NSA documents (I am not sure, not being a crypto expert). Also NSA itself seems to step away from ECC: http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html. Therefore I am using a non-ECC option.
- Can anybody enlighten me about using the same PSK on the BlackBerry (for "preshared key" and "gateway preshared key")? I do not understand the difference (and if it has an effect on security). Is it possible to use a different PSK (one for each user)? Anybody already tried?
- Would love to hear from somebody a working PKI certificate solution. Might give it a try when I have more time based on the work and links already provided by TKenny.
- In contrast to TKenny I have enabled MOBIKE. Hope this has an effect on keeping the vpn connection alive. Currently I do experience rather quick vpn disconnections (every few minutes I have to manually reconnect). See EDIT1.
Currently I am in doubt to continue to use IKEv2 as I do miss the ability to individually authenticate multiple BlackBerry users as Xauth + mutual PSK on BlackBerry is only offered with the IKEv1 (Cisco Secure PIX Firewall) version (although I do understand that the aggressive mode I am using in IKEv1 is a security flaw also to be avoided).
With the current possibilities and security issues and my need for multiple BlackBerry users to connect which should I favor for the time being: IKEv1 or IKEv2?
- Might help somebody: before upgrading this time I did follow the instructions and first removed all packages. That helps! Not an instruction but seems to help when you are on location: first disable all openvpn/ipsec server/client connections and afterwards enable the server/client vpn connections.
EDIT1: DPD Frequency did not match on pfSense with BlackBerry. Adjusted both to 240 seconds. Now it does not disconnect every few minutes.
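TKenny's rule of thumb earlier in the thread was "make stuff match as you change values", with the one twist that the Z10's IKE PRF field has no pfSense counterpart and must be set to HMAC-&lt;phase 1 hash&gt;; the EDIT1 above shows the same thing for DPD, where a frequency that differs between the two sides produced a tunnel that dropped every few minutes. The script below is an added example (not code from pfSense, BlackBerry, or anyone in this thread) that derives the device-side values implied by a pfSense phase 1/phase 2 configuration and diffs them against a profile. The dictionary keys are assumptions modelled on the setting names used in the thread (IKE PRF, IKE/IPsec lifetime, DPD frequency), and all sample values are constructed.

```python
"""Consistency check between a pfSense IKEv2 phase 1/phase 2 configuration and a
BlackBerry 10 'Generic IKEv2 VPN Server' profile, where nothing is auto-detected
and every value is typed in by hand.  Added example, not code from pfSense or
BlackBerry; the dictionary keys are assumed names modelled on the settings the
thread mentions.  The one derived value is the PRF, which pfSense has no field
for: on the device it has to be HMAC-<phase 1 hash>."""

WEAK_DH = {1: "768-bit MODP", 2: "1024-bit MODP"}   # logjam-sized groups
WEAK_HASH = {"md5", "sha1"}


def expected_bb10_profile(pf):
    """Return the BlackBerry profile values implied by the pfSense settings."""
    p1, p2 = pf["phase1"], pf["phase2"]
    return {
        "ike_cipher": f"{p1['encryption'].upper()}-{p1['key_len']}",
        "ike_hash": p1["hash"].upper(),
        "ike_prf": f"HMAC-{p1['hash'].upper()}",      # no pfSense field; follows the hash
        "ike_dh_group": p1["dh_group"],
        "ike_lifetime": p1["lifetime"],
        "dpd_frequency": p1["dpd_delay"],              # must match or the tunnel drops
        "ipsec_cipher": f"{p2['encryption'].upper()}-{p2['key_len']}",
        "ipsec_hash": p2["hash"].upper(),
        "ipsec_dh_group": p2["pfs_group"],
        "ipsec_lifetime": p2["lifetime"],
    }


def compare(pf, bb10):
    """Return (mismatches, warnings); each mismatch is (field, expected, on_device)."""
    want = expected_bb10_profile(pf)
    mismatches = [(k, want[k], bb10.get(k)) for k in want if bb10.get(k) != want[k]]
    warnings = []
    for side, group in (("phase1", pf["phase1"]["dh_group"]),
                        ("phase2", pf["phase2"]["pfs_group"])):
        if group in WEAK_DH:
            warnings.append(f"{side}: DH group {group} is {WEAK_DH[group]}; use 14 or higher")
    for side in ("phase1", "phase2"):
        if pf[side]["hash"].lower() in WEAK_HASH:
            warnings.append(f"{side}: {pf[side]['hash']} is deprecated; prefer SHA-256 or stronger")
    return mismatches, warnings


# Constructed sample: the AES-256 / SHA-384 / group 21 setup with DPD at 240 s.
PF_STRONG = {
    "phase1": {"encryption": "aes", "key_len": 256, "hash": "sha384",
               "dh_group": 21, "lifetime": 86400, "dpd_delay": 240},
    "phase2": {"encryption": "aes", "key_len": 256, "hash": "sha384",
               "pfs_group": 21, "lifetime": 10800},
}
BB_MATCHING = expected_bb10_profile(PF_STRONG)
# Same device profile, but typed in with DPD 10 s and a PRF that does not
# follow the phase 1 hash: the two mistakes the thread ran into.
BB_MISMATCHED = dict(BB_MATCHING, dpd_frequency=10, ike_prf="HMAC-SHA256")
# Constructed sample of the SHA1 / 1024-bit DH values mentioned earlier.
PF_LEGACY = {
    "phase1": {"encryption": "aes", "key_len": 128, "hash": "sha1",
               "dh_group": 2, "lifetime": 86400, "dpd_delay": 10},
    "phase2": {"encryption": "aes", "key_len": 128, "hash": "sha1",
               "pfs_group": 2, "lifetime": 10800},
}

if __name__ == "__main__":
    for field, expected, got in compare(PF_STRONG, BB_MISMATCHED)[0]:
        print(f"MISMATCH {field}: pfSense implies {expected!r}, device has {got!r}")
    for note in compare(PF_LEGACY, expected_bb10_profile(PF_LEGACY))[1]:
        print("WARN", note)
```

Running it on the mismatched profile reports exactly the two fields to fix on the device (`dpd_frequency` and `ike_prf`); running it on the legacy values produces no mismatches but four warnings, which is the distinction that matters here: a mismatch stops the tunnel from coming up, a warning means it comes up with parameters you would rather not be using.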
-
Newbie1975: "Yesterday I upgraded from 2.1.5 to 2.2.5*"
I was thinking about this thread when I saw that 2.2.5 was released because it seems like they did a lot of work on IPSEC from the release notes:
https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes
Especially the line: "Brought back "auto" IKE version and fixed problems with its previous implementation."
Newbie1975:"Also tried IKEv2 as described by TKenny. Also did work!"
You gave me the courage to upgrade my pfsense. At first I could connect but no network traffic got through. Lots of cursing and reboots and a long sleep and it just seems to be working again. Pfsense likes to take its time to chew on things when you make changes which makes setup frustrating. I notice that if I specify the DNS server on the BB now, internet doesn't work but if I set it to auto it does work. Weird. I specify the DNS in the Mobile Client setup which means things are working a little bit more like you would expect I guess.
I should have taken your advice about shutting down the services before upgrade. Maybe things would have gone better for me.
Newbie1975: "Its a security concern to send a PSK password the way I have it setup now"
I should have worded that better and said: "I'm concerned about only using 1 shared key in my setup". I have no idea what kind of dangers I am creating by allowing this and I have the same concerns Newbie1975 does.
Newbie1975: "Can anybody enlighten me about using the same PSK on the BlackBerry (for "preshared key" and "gateway preshared key")."
this
I worry about it too. Did you try just adding another pre-shared key in the pfSense ipsec setup area? If I just add the key and restart the service, the BB won't log in anymore. Just the existence of the key messes things up. I don't understand what's happening there at all.
I managed to set my DPD to 1200 seconds (in the hope it would save battery somehow) and at least on 2.2.4 it seemed to stay connected for a long long time. As you mentioned, you gotta match on the BB and pfsense side or it won't work. It seemed like I could change NAT keep alive to 90 or even 120 seconds but my results there have been more mixed. My battery seems to have started losing charge fast with or without vpn so I have some new batteries coming in the mail from crackberry (they are cheaper on ebay but I worry about fakes).
I'm sure with some elbow grease the cert authentication can be made to work. In fact I may have to try again because I am messing around with putting a cyanogen rom on an old android phone and the open VPN doesn't work on it for lack of a tun driver. Because I cannot support two clients with the IKEv2 setup described I may have to work some more :) I think it will come down to making the cert in the command line on pfsense so it can have a password so you have something to enter into the BB. What a needless pain in the ass…
-
I notice that if I specify the DNS server on the BB now, internet doesn't work but if I set it to auto it does work. Weird. I specify the DNS in the Mobile Client setup which means things are working a little bit more like you would expect I guess.
I have disabled "Automatically determine IP" on the BlackBerry and provided my pfSense internal IP (192.168.1.1). Seems to work on my mobile data. Still have to verify this on another wifi network. But shouldn't make a difference.
Did you try just adding another pre-shared key in the pfSense ipsec setup area? If I just add the key and restart the service, the BB won't log in anymore. Just the existence of the key messes things up. I don't understand what's happening there at all.
Did you also use a different Identifier on pfSense and the second BlackBerry? I will try when I have more time. Then trying will be learning ;) Will share when I know more.