Strongswan PSK IPsec IKEv2 VPN on Ubuntu 14.04 with Blackberry

This is a short guide on configuring Strongswan on Ubuntu 14.04 with pre-shared keys (PSK) for a Blackberry 10 device to connect with. Setting this up requires in-depth knowledge of networking and routing.

Install and configure Strongswan:

sudo apt-get install strongswan

/etc/ipsec.conf

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=psk

config setup
        cachecrls=yes
        uniqueids=yes

conn default
    left=%any
    leftsubnet=10.7.100.0/24,192.168.0.0/24,0.0.0.0/0
    leftauth=psk
    right=%any
    rightauth=psk
    rightsendcert=never
    rightsourceip=10.7.100.10/30
    rightdns=8.8.8.8
    auto=add

/etc/ipsec.secrets

%any %any : PSK "yourGatewayPassword"

%any %any : PSK "yourUserPassword"

My server has one network interface connected to the LAN and one connected directly to the internet. Both have internet-routable gateways, with the LAN gateway being the default. However, I will use the second interface for VPN connections, so a second routing table is required for “same source routing”: traffic that arrives on the internet-facing interface is answered through that same interface instead of being routed through the LAN gateway by default. This may or may not be needed depending on the setup. The easier solution is to use the other gateway as the default.

Configure same source routing:

echo "2 ext" | sudo tee -a /etc/iproute2/rt_tables

/etc/network/interfaces

# eth0/br0 config 
# ...
auto eth1
iface eth1 inet dhcp
   # automatically set up routing table and rules on up and down
   post-up ip route add default via `grep routers /var/lib/dhcp/dhclient.eth1.leases | tail -1 | awk '/routers/ {print $3}' | sed 's/;//'` dev eth1 table ext
   post-up ip rule add from `grep fixed-address /var/lib/dhcp/dhclient.eth1.leases | tail -1 | awk '/fixed-address/ {print $2}' | sed 's/;//'` lookup ext
   post-down ip rule del lookup ext
   metric 10

Restart the interface to apply the changes:

sudo ifdown eth1
sudo ifup eth1
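
The two post-up lines above take the gateway and the leased address from the dhclient lease file with backtick pipelines and pass them to ip as root. As an added example (not part of the original post), the script below does the same extraction as functions, rejects any value that is not a dotted-quad address, and prints the commands instead of running them; the function names and the sample lease are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): resolve what the post-up
# backtick pipelines extract from a dhclient lease file.

# Print the value of OPTION (e.g. routers, fixed-address) from the last lease in FILE.
lease_value() {
    awk -v want="$2" '
        { for (i = 1; i < NF; i++) if ($i == want) val = $(i + 1) }
        END {
            sub(/;$/, "", val)    # drop the trailing semicolon
            sub(/,.*/, "", val)   # "routers" may list several; keep the first
            if (val == "") exit 1
            print val
        }' "$1"
}

# Lease data ends up in commands run as root, so accept dotted-quad values only.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the two commands for FILE, DEV and TABLE; fail if a value is missing or malformed.
same_source_cmds() {
    gw=$(lease_value "$1" routers) || return 1
    src=$(lease_value "$1" fixed-address) || return 1
    is_ipv4 "$gw" && is_ipv4 "$src" || return 1
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$2" "$3"
    printf 'ip rule add from %s lookup %s\n' "$src" "$3"
}

# Constructed sample: two leases, the newer one last (documentation addresses).
sample_lease() {
    cat <<'EOF'
lease {
  interface "eth1";
  fixed-address 198.51.100.7;
  option routers 198.51.100.1;
}
lease {
  interface "eth1";
  fixed-address 203.0.113.25;
  option routers 203.0.113.1,203.0.113.2;
}
EOF
}

tmp=$(mktemp)
sample_lease > "$tmp"
same_source_cmds "$tmp" eth1 ext
rm -f "$tmp"
```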

Configure Blackberry VPN profile:

Select General IKEv2 VPN server.


