BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!
-
Newbie1975: "Did you also use a different Identifier on pfSense and the second BlackBerry?"
This was just me trying to have a second pre-shared key defined in pfSense. Not even using it for anything yet and it would break the login from the BB phone. No difference in the ipsec log file either. It showed everything was running smoothly but the BB would give an authentication error.
Anyway I spent way too much time monkeying around with certs today with nothing to show for it. I don't know if it can be made to work. I know more than I did but not enough to share much useful :(
I did play more with this "multiple users" problem and here is what I came up with on my one phone.
See the screenshots:
Here are some preshared keys. I will use another@mydomain.com for the example.
Then look at the phase 1 setup screenshot. I use a user named judy@mydomain.com there. That's not a pfSense user or a pre-shared key, it's just a name I typed in that box.
Then in BB setup, you can see I have another@mydomain as the user and judy@mydomain for the gateway. The wrinkle is pfSense doesn't seem to give me anywhere to enter the password for judy. In the BB you have to use the same password for judy@mydomain.com that you use for another@mydomain.com (jjjjj in this case) and it will connect. Anything else I tried, and it won't connect.
Later you can switch the "Authentication ID" in the BB to bbUser@mydomain.com (remember to change the password to iiiii for both them and judy@mydomain.com in "Gateway Auth ID" as well for the example to work).
So that gets you multiple users with IKEv2 but you are still only using one password for each user for some reason with no password on the gateway. I tried changing Phase 1 to "Mutual PSK + XAuth" but didn't have any luck yet. Maybe something can be done there.
Anyway, if I had another BB phone I would probably be able to show both another@mydomain.com and bbUser@mydomain.com logged in at the same time, so we are inching forward at least.
At this point, my main concern is getting both the BB and my old Droid phone connected to VPN on pfSense somehow. I will go back to IKEv1 if I need to :) but hopefully I can work something out with IKEv2.
Cheers.


-
Wanted to check in again to say that I haven't had any luck with certificate based connections.
I got something working between pfSense and Android using certs as outlined here and used what I learned to take another run at the BlackBerry:
https://forum.pfsense.org/index.php?topic=103650.0
Anyway for those looking to carry on, here are some notes from the trail:
-
The BB likes certificates in the .pem or .p12 format. But you can only export a CA cert from pfSense in .crt format. Just rename it and change the extension to .pem and the BB will import it :)
-
Next, the BB wants to know the password when you import a .p12 cert. Not entering one is not allowed by the BB and pfSense won't let you add one. I was working by exporting client certs in .p12 format and then converting the cert to .pem format using this:
https://www.sslshopper.com/ssl-converter.html
Obviously not cool for production systems, but fine for fiddling around. The page lists the Linux command to do it on pfSense but then you will have to figure out how to get it off pfSense.
-
I could not for the life of me figure out how to get access to the "certs" folder in the BB's file system (I'm on the Z10 BTW) so I just put certs into the documents folder with a USB or wifi connection and in:
Setup => Security and Privacy => Certificates
.. you can import certs.
-
So I tried to connect using the certs I made for the Android phone (see earlier link). I figured I could use "Generic IKEv2 VPN" and use EAP-TLS for the Gateway type since that's what I did there. There is a Gateway Auth type selector in there as well that I don't have on the Android phone and I don't know what to put in there. It could be a simple PSK key. Or maybe even selecting "None" will work but I don't know because if I do…
-
When I try to log on it hangs for a while and then says, "timeout". The relevant log entry seems to be: generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] which seems to be a certificate problem and not with the client one either. I see things online about missing "serverAuth in EKU" causing this but I think it's in my CA cert, though I'm not sure how to tell for sure. Maybe converting these certs causes a loss of data or renaming the .crt file to .pem above doesn't work as well as I think.
-
If you go here:
https://market-ticker.org/akcs-www?post=220395
You can see a working solution involving certs and PSK. Looking at his examples he has an ipsec.conf file with:
leftauth=pubkey
rightauth=psk
Which I cannot reproduce using the pfSense web UI.
If you were really desperate I bet you could hand edit the file, but pfSense will overwrite it. You could in theory do "chattr +i" on the file to stop it but man… that's just ugly...
I feel like I'm real close with my approach though. It seems like there is just something wrong with the CA cert, but I'm out of gas. Hopefully someone else will have some input :)
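Added example, not from this thread or from pfSense: the two cert chores in the post above (turning a password-less .p12 into a .pem, and checking whether a cert actually carries serverAuth in its Extended Key Usage) can be done with the openssl CLI on the pfSense shell or any Unix box, so the private key never has to go through a web converter. It also re-exports the .pem as a .p12 with a password, since the BB insists on one. All file names, the CN and the password are constructed for the demo; it assumes OpenSSL 1.1.1 or newer (for `-addext`).

```shell
#!/bin/sh
# Added example: local openssl equivalents of the cert juggling described above.
# Nothing here comes from pfSense; paths, CN and password are made up for the demo.
set -e

# .p12 -> .pem (cert + unencrypted key). pfSense exports .p12 files with an
# empty password, so the third argument defaults to "".
p12_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:${3:-}" -nodes -out "$2"
}

# .pem (cert + key in one file) -> .p12 protected with a password, which the
# BlackBerry requires when importing.
pem_to_p12_with_password() {
    openssl pkcs12 -export -in "$1" -passout "pass:$3" -out "$2"
}

# Exit 0 if the certificate lists serverAuth in its Extended Key Usage,
# 1 otherwise. Works on PEM input, so pfSense's .crt export and a renamed .pem
# both parse; a combined cert+key file is fine too.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Constructed test material: a throwaway self-signed cert with the given
# extension. $1 = file basename, $2 = extension spec for -addext.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpn.example.test' \
        -keyout "$1.key" -out "$1.crt" -addext "$2" 2>/dev/null
    cat "$1.crt" "$1.key" > "$1.pem"   # cert + key in one PEM, like a converted .p12
}

demo() {
    work=$(mktemp -d)
    make_selfsigned "$work/good" 'extendedKeyUsage=serverAuth'
    make_selfsigned "$work/bad"  'extendedKeyUsage=clientAuth'
    for n in good bad; do
        if has_server_auth_eku "$work/$n.crt"; then
            echo "$n.crt: serverAuth present"
        else
            echo "$n.crt: serverAuth MISSING"
        fi
    done
    # Round trip through a password-protected .p12 and confirm nothing was lost.
    pem_to_p12_with_password "$work/good.pem" "$work/good.p12" 'changeit'
    p12_to_pem "$work/good.p12" "$work/good-back.pem" 'changeit'
    if has_server_auth_eku "$work/good-back.pem"; then
        echo "round trip through .p12 kept the EKU"
    fi
    rm -rf "$work"
}

demo
```

To check a real pfSense export, run `has_server_auth_eku` against the server cert (and the CA .crt, renamed or not); if the string is missing, the conversion did not lose it, it was never there. OpenSSL 3 writes .p12 files with AES/PBKDF2 by default; if an older device refuses the import, adding `-legacy` to the `pkcs12 -export` call produces the older encoding.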
-
-
After upgrading BlackBerry from 10.3.2 to 10.3.3, my VPN IKEv2 connection (as described by TKenny on October 21, 2015, 11:34:40 pm) did not work anymore, although I did not change anything in the VPN settings (on BlackBerry or pfSense). Did get some authentication error, which I couldn't solve.
However, because I also had to upgrade my pfSense box from 32-bit to 64-bit in order to get the latest pfSense version, I tried again with my newly acquired pfSense hardware box: it just worked the first time after setting up pfSense and a new VPN connection on BlackBerry.
So, just to confirm this set-up still works perfectly (with BlackBerry 10.3.3 and pfSense 2.4.2)!