First, install Ubuntu, e.g. 14.04 LTS Server edition, as a virtual machine with a static LAN IP.
Run these commands to install StrongSwan and its EAP-MSCHAPv2 plugin:
```bash
apt-get update
apt-get install strongswan
apt-get install strongswan-plugin-eap-mschapv2
```
Firewall settings:
```bash
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
apt-get install iptables-persistent
```
When the iptables-persistent installer asks, confirm that the current rules should be saved.
Open /etc/sysctl.conf with vi or nano and modify or add these lines:
```
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.arp_accept = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1
```
Move the original ipsec.conf and strongswan.conf files out of the way:
```bash
sudo mv /etc/ipsec.conf /etc/ipsec.conf.backup
sudo mv /etc/strongswan.conf /etc/strongswan.conf.backup
```
New content for /etc/ipsec.conf:
```
config setup
    strictcrlpolicy=no

conn %default
    keyexchange=ikev2

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    # your external IP
    leftid=xxx.xxx.xxx.xxx
    right=%any
    # if behind a router, this pool MUST differ from the router's LAN (my router IP is 192.168.10.1)
    rightsourceip=192.168.2.1/29
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
```
New content for /etc/strongswan.conf:
```
charon {
    threads = 16
    # you can choose your own DNS servers
    dns1 = 208.67.222.222
    dns2 = 208.67.220.220
}
pluto {
}
libstrongswan {
}
```
New content for /etc/ipsec.secrets:
```
# gateway pre-shared key
: PSK "FREE_CHOICE1"
# MSCHAPv2 users, one per line: <username> : EAP "<password>"
alice : EAP "FREE_CHOICE2"
bob : EAP "FREE_CHOICE3"
```
Configure your firewall / router: open incoming UDP ports 500 (IKE) and 4500 (NAT-T) and forward them to your VPN server's local IP address.
Open your BB10 mobile’s connection settings and create a new VPN profile:
| Setting | Value |
| --- | --- |
| Profile Name | (free choice) |
| Server Address | your public IP or domain |
| Gateway Type | Generic IKEv2 VPN Server |
| Authentication Type | EAP-MSCHAPv2 |
| Authentication ID Type | E-Mail (can be anything) |
| MSCHAPv2 EAP Identity | (can be anything) |
| MSCHAPv2 Username | alice (username in ipsec.secrets) |
| MSCHAPv2 Password | FREE_CHOICE2 (alice's password in ipsec.secrets) |
| Gateway Auth Type | PSK |
| Gateway Auth ID Type | IPv4 |
| Gateway Preshared Key | (PSK password in ipsec.secrets) |
Leave the default values for the other settings.
For testing, make sure WiFi is disabled on the phone so that it connects from outside your LAN.
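Before handing out the configuration above, it is worth checking the three things that most often go wrong with it: placeholder secrets left in ipsec.secrets, a rightsourceip pool that collides with the LAN the server sits on, and a pool too small for the number of clients. The following checker is an added example, not part of the article; the ipsec.secrets content it parses is a constructed copy of the file shown above.

```python
"""Sanity checks for the strongSwan files above (added example, not from the
article): parse ipsec.secrets, flag FREE_CHOICE placeholders, verify the
rightsourceip pool does not collide with the server's LAN, generate a PSK."""
import ipaddress
import re
import secrets
import string

# Constructed copy of the article's /etc/ipsec.secrets
SAMPLE_SECRETS = """
# gateway pre-shared key
: PSK "FREE_CHOICE1"
alice : EAP "FREE_CHOICE2"
bob : EAP "FREE_CHOICE3"
"""

# <id> : PSK|EAP "<secret>"; an empty id (the PSK line) means "any peer"
SECRET_RE = re.compile(r'^\s*(?P<id>[^:\s]*)\s*:\s*(?P<kind>PSK|EAP)\s+"(?P<secret>[^"]*)"')

def parse_secrets(text):
    """Return (psk, {username: password}) from ipsec.secrets content."""
    psk, users = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip comments ('#' inside a secret unsupported)
        m = SECRET_RE.match(line)
        if m and m["kind"] == "PSK":
            psk = m["secret"]
        elif m:
            users[m["id"]] = m["secret"]
    return psk, users

def placeholders_left(text):
    """Entries still carrying the article's FREE_CHOICE placeholder values."""
    psk, users = parse_secrets(text)
    found = ["PSK"] if psk and psk.startswith("FREE_CHOICE") else []
    return found + [u for u, pw in users.items() if pw.startswith("FREE_CHOICE")]

def pool_check(pool, lan):
    """(usable client addresses, overlaps LAN) for a rightsourceip pool; the
    host count leaves out the prefix's network and broadcast addresses."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    lan_net = ipaddress.ip_network(lan, strict=False)
    return max(pool_net.num_addresses - 2, 1), pool_net.overlaps(lan_net)

def generate_psk(length=32):
    """Random alphanumeric PSK to replace FREE_CHOICE1 (no quote characters)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

With the article's values, pool_check("192.168.2.1/29", "192.168.10.0/24") reports 6 usable addresses and no overlap, which is why a larger pool such as /24 is a reasonable choice once more than a handful of devices connect.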
Thank you for the article! It works perfectly!
P.S.
You have one extra space in the /etc/ipsec.conf section. " conn rem" gives an error; it should be changed to "conn rem".
Maybe it would be better to use "192.168.2.1/24" instead of "192.168.2.1/29". But it is up to the administrator.
If you want to have multiple connections for the same user/password, you have to add "uniqueids=never" to the "config setup" section in /etc/ipsec.conf.