Hi Yuri,

Thanks for this information, which definitely doesn't simplify the task... :-(

My BB OS is 10.3.2.2836

Yes, I spent a lot on crackberry.com and other VPN-BB implementation sites, unfortunately I didn't succeed for now. :-(
I'm a bit surprised relative to VPN IPv6, because I can see some incoming traffic on my Raspberry.
My VPN is behind my NAT router.
I will try to fix the current issue for now, because switching to IPv6 might be a big challenge for me.

Jul 19 14:43:57 raspberrypi charon: 16[CFG] selected peer config 'BB10'
Jul 19 14:43:57 raspberrypi charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x0F)
Jul 19 14:43:57 raspberrypi charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 14:43:57 raspberrypi charon: 16[IKE] no private key found for 'ckl.freeboxos.fr'

Regards
Christian

2016-07-19 17:16 GMT+02:00 Yuri D <p_p...@mail.ru>:
> Hi!
>
> So, as You have a BB device, You can find a good how-to on crackberry.com for
> PSK-based VPN IPv4 with Strongswan. That how-to is about the Amazon service, not
> a Raspberry device, but You can transfer it with ease. I tested it and it
> works definitely.
> Another thing You should keep in mind - BB OS 10.3.0 and above uses IPv6
> for its services, so simple IPv4 shuts down everything from BBM voice to BB
> Link and Blend.
> So, You have 2 ways:
> 1) You can stay on OS 10.2 and You'll be ready to use everything with IPv4
> or
> 2) You must expand the VPN to IPv6 for OS 10.3
>
> Regards,
> Yuri
>
> ----- Original Message -----
> From: "Tobias Brunner" <tob...@strongswan.org>
> To: "Christian Klugesherz" <christian.klugesh...@gmail.com>
> Cc: <Users@lists.strongswan.org>
> Sent: July 19, 2016, 16:21
> Subject: Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi
>
>
>> Hi Christian,
>>
>> > Nevertheless, by removing: `eap_identity` I got the same result.
>>
>> You might need it, but that depends on the client.
>>
>> > On basis, I wanted to use StrongSwan as simple as possible without
>> > certificates CA.
>>
>> That probably won't work as authenticating clients with EAP requires
>> authenticating the server with a certificate to be standard-compliant
>> (RFC 7296, section 2.16). strongSwan can be configured to combine EAP
>> with PSK authentication. But that's not recommended, as anybody knowing
>> it could impersonate the server, and most other implementations probably
>> don't support this combination. Using EAP-only authentication is also
>> possible, if supported by the peer, but that calls for a strong mutual
>> EAP method like EAP-TLS (EAP-MSCHAPv2 is not one).
>>
>> > Does that mean that in any case, you have to set-up a CA in order to
>> > use strongSwan ?
>> > Even with a VPN IKEv2 with preshared Key ?
>>
>> No. If the client supports it you could, of course, use plain PSK
>> authentication (i.e. without EAP). Even though it's not recommended for
>> larger roadwarrior deployments (again, anybody knowing the PSK could
>> impersonate the server).
>>
>> Setting up a simple PKI (one CA certificate, one server certificate) is
>> quite easy (see previous link). You could also use a free certificate
>> from Let's Encrypt or StartSSL, which your client might already trust,
>> which would relieve you from having to install your own CA certificate
>> on the clients.
>>
>> Regards,
>> Tobias
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
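
The two standard-compliant setups discussed in this thread (plain PSK without EAP, and EAP-MSCHAPv2 with the server authenticated by certificate), sketched as an added example that is not taken from any participant's configuration. The connection names, vpn.example.org, file names, user name, address pool and secrets are placeholders.

```conf
# /etc/ipsec.conf (constructed example, all names and addresses are placeholders)

# Variant A: plain IKEv2 PSK on both sides, no EAP, no certificates.
# Only usable if the client can do PSK authentication without EAP.
conn example-psk
    keyexchange=ikev2
    left=%any
    leftid=vpn.example.org
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightsourceip=10.10.10.0/24
    auto=add

# Variant B: client authenticates with EAP-MSCHAPv2, server with a certificate.
# leftid has to be contained in the server certificate, and charon needs the
# matching private key; without it the log shows "no private key found for '<leftid>'".
conn example-eap
    keyexchange=ikev2
    left=%any
    leftid=vpn.example.org
    leftauth=pubkey
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.10.10.0/24
    auto=add

# /etc/ipsec.secrets (constructed example)
# Variant A: the shared secret; anyone who knows it can impersonate the server.
vpn.example.org %any : PSK "replace-with-a-long-random-secret"
# Variant B: the server's private key (in /etc/ipsec.d/private) and one EAP user.
: RSA serverKey.pem
bb10user : EAP "replace-with-the-user-password"
```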