Hi,
I have a working setup with OpenIKEd and a Win7 machine, in which the IPsec link is negotiated using IKEv2 and MSCHAP-v2, using a certificate and a 2048-bit key in *.P12 form.

10.0.20.0/24 is local network
10.0.10.0/24 is IPsec network
DNS server is 10.0.20.1

/etc/iked.conf is:

ikev2 "winauth" passive esp \
        from 10.0.20.0/24 to 10.0.10.0/24 \
        local IP_of_server peer any \
        srcid myserver.domain \
        eap "mschap-v2" \
        config address 10.0.10.10 \
        config netmask 255.255.255.0 \
        config name-server 10.0.20.1 \
#       ikesa auth hmac-sha1 enc 3des group modp2048 \
#       childsa auth hmac-sha1 enc aes-256 group modp2048 \
        tag "$name-$id"

The server machine has a working PF with some rules to allow traffic over ports {isakmp, ipsec-nat-t} and both protos {ah, esp}. Once IPsec between Win7 and the server is established, I can ping the DNS server only; no other traffic can pass at this stage of setting up the encrypted connection.

But my question, below, is only about the connection setup between BB OS 10.3.1 and iked.

I am trying to do the same setup with BlackBerry OS 10.3.1 using the same /etc/iked.conf; just a different user certificate and 2048-bit key in *.P12 (*.PFX) form have been imported into the BB phone and installed in the phone's certificate storage. All seemed to be going fine since then, but it does not work.

The Profile to make IPsec VPN on BB phone is:
---------------------------------------
Server address: IP_of_server
Gateway type: Generic IKEv2 VPN Server (tried Microsoft IKEv2 VPN Server, but unsuccessful too)
Auth Type: EAP-MSCHAPv2
Authentication ID Type: FQDN
Auth ID: myserver.domain
MSCHAPv2 EAP Identity: username
MSCHAPv2 Password: userpass
Gateway Auth Type: PKI
Gateway Auth ID Type: FQDN
Gateway Auth ID: myserver.domain
Allow Untrusted Cert: Prompt
Gateway CA Cert: CAmyserver.domain.name
Perfect Forward Secrecy: set_to_YES
Auto IP: set_to_YES
Auto DNS: set_to_YES
Auto Determine Algorithm: set_to_YES

IKE lifetime in Sec.: 86400
IPSec Lifetime: 10800
NAT Keep Alive: 30
DPD Frequency: 240

Use Proxy: set_to_NO
-----------------------------

When trying to connect to the server (running with iked -dvv) from the BB phone, the result from iked is:
...
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 240
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 240/240 padding 15
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19
ikev2_pld_id: id FQDN/myserver.domain length 15
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_certreq: invalid certificate request
ikev2_resp_recv: failed to parse message

The same connection works fine between Win7 and iked. The iked log is below:
...
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 7
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 28
ikev2_pld_auth: method SHARED_KEY_MIC length 20
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 32
ikev2_pld_cp: type REPLY length 24
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x84ea51d8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.10.0 end 10.0.10.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.20.0 end 10.0.20.255
ikev2_msg_send: IKE_AUTH from IP_of_server:4500 to IP_of_client:4500, 212 bytes, NAT-T
pfkey_sa_add: update spi 0x84ea51d8
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x84ea51d8
pfkey_sa_add: add spi 0xcfea0559
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0xcfea0559
ikev2_childsa_enable: loaded flow 0x20527e400
ikev2_childsa_enable: loaded flow 0x204a56800
sa_state: EAP_VALID -> ESTABLISHED from IP_of_client:4500 to IP_of_server:4500 policy 'winauth'

Please advise.

Thank you in advance.

Denis
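As an added illustration for readers of this thread (this is not from Denis's post and not OpenIKED's own code), here is a small Python parser for the IKEv2 CERTREQ payload, the payload iked rejects in the BlackBerry log above. The layout (generic 4-byte payload header, 1-byte certificate encoding, then a Certification Authority field made of 20-byte SHA-1 hashes of CA SubjectPublicKeyInfo for the X.509 encoding) is from RFC 7296 section 3.7. The sample payloads are constructed: the first reproduces the shape the log reports (nextpayload CP, length 5, X509_CERT, signatures length 0). The `strict` flag is an assumption that models what the log lines show, namely that an X.509 request with no CA hashes is logged as an invalid certificate request; it is not a reading of iked's source.

```python
import hashlib
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2).
PAYLOAD_NONE = 0
PAYLOAD_CP = 47
# Certificate encoding "X.509 Certificate - Signature" (RFC 7296, section 3.6).
CERT_X509_SIGNATURE = 4
# For that encoding the Certification Authority field is a concatenation of
# SHA-1 hashes of the trusted CAs' SubjectPublicKeyInfo (RFC 7296, section 3.7).
SHA1_LEN = 20


class CertReqError(ValueError):
    """Raised when a CERTREQ payload is malformed or rejected by policy."""


def build_certreq(next_payload, ca_spki_ders):
    """Encode a CERTREQ payload naming the given CAs by SPKI hash.

    An empty list yields the 5-byte payload seen in the BlackBerry log
    (generic header + encoding byte, no hashes).
    """
    ca_field = b"".join(hashlib.sha1(spki).digest() for spki in ca_spki_ders)
    length = 5 + len(ca_field)
    # Generic payload header: Next Payload, Critical bit/Reserved, Payload Length.
    header = struct.pack("!BBHB", next_payload, 0x00, length, CERT_X509_SIGNATURE)
    return header + ca_field


def parse_certreq(payload, strict=True):
    """Decode a CERTREQ payload and apply the structural checks.

    strict=True rejects an X.509 request that carries no CA hashes, which is
    what the 'signatures length 0' / 'invalid certificate request' lines in
    the post show (assumption modelled on the log, not on iked's code).
    strict=False accepts an empty request as "any CA". The encoding rule
    (a whole number of SHA-1 hashes) is enforced in both modes.
    """
    if len(payload) < 5:
        raise CertReqError("CERTREQ shorter than its 5-byte fixed part")
    next_payload, flags, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise CertReqError("header says %d bytes, got %d" % (length, len(payload)))
    ca_field = payload[5:]
    hashes = []
    if encoding == CERT_X509_SIGNATURE:
        if len(ca_field) % SHA1_LEN != 0:
            raise CertReqError("CA field is not a whole number of SHA-1 hashes")
        if strict and not ca_field:
            raise CertReqError("invalid certificate request (no CA hashes)")
        hashes = [ca_field[i:i + SHA1_LEN] for i in range(0, len(ca_field), SHA1_LEN)]
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "length": length,
        "encoding": encoding,
        "signatures_length": len(ca_field),
        "ca_hashes": hashes,
    }


def certreq_status(payload, strict=True):
    """Summarise a payload the way a log reader would: 'ok: ...' or 'invalid: ...'."""
    try:
        info = parse_certreq(payload, strict=strict)
    except CertReqError as e:
        return "invalid: %s" % e
    return "ok: %d CA hash(es)" % len(info["ca_hashes"])


# Constructed samples (not captured traffic). EMPTY_CERTREQ has the shape of the
# BlackBerry payload in the post: nextpayload CP, length 5, X509_CERT, no hashes.
# CA_SPKI_DER is a placeholder standing in for a real CA SubjectPublicKeyInfo.
CA_SPKI_DER = b"constructed-ca-subjectpublickeyinfo"
EMPTY_CERTREQ = build_certreq(PAYLOAD_CP, [])
ONE_CA_CERTREQ = build_certreq(PAYLOAD_CP, [CA_SPKI_DER])

if __name__ == "__main__":
    print("empty request, strict:  ", certreq_status(EMPTY_CERTREQ))
    print("empty request, lenient: ", certreq_status(EMPTY_CERTREQ, strict=False))
    print("one CA named, strict:   ", certreq_status(ONE_CA_CERTREQ))
```

Running it shows the difference between the two clients in the post: a CERTREQ that names at least one CA by SPKI hash parses cleanly, while the 5-byte request with an empty Certification Authority field is reported exactly as the log does under the strict rule and only passes if the responder treats an empty request as "any CA".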
