Last Updated on 2016-02-15.
First, install Ubuntu, e.g. 14.04 LTS server edition, as a virtual machine with a static LAN IP address.
Run these commands to install StrongSwan:
apt-get update
apt-get install strongswan
apt-get install strongswan-plugin-eap-mschapv2
Firewall settings:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
apt-get install iptables-persistent
After installing iptables-persistent, confirm to save the current rules when finishing the wizard.
Open /etc/sysctl.conf with vi or nano and modify or add these lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.arp_accept = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1
Move the original ipsec.conf and strongswan.conf files out of the way:
sudo mv /etc/ipsec.conf /etc/ipsec.conf.backup
sudo mv /etc/strongswan.conf /etc/strongswan.conf.backup
New content for /etc/ipsec.conf:
config setup
    strictcrlpolicy=no

conn %default
    keyexchange=ikev2

conn rem
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=psk
    # your external IP
    leftid=xxx.xxx.xxx.xxx
    right=%any
    # if behind a router, this pool MUST differ from the router's own subnet (my router IP is 192.168.10.1)
    rightsourceip=192.168.2.1/29
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
New content for /etc/strongswan.conf:
charon {
    threads = 16
    dns1 = 208.67.222.222   # you can choose your own DNS servers
    dns2 = 208.67.220.220
}
pluto {
}
libstrongswan {
}
New content for /etc/ipsec.secrets:
: PSK "FREE_CHOICE1"         # gateway preshared key
alice : EAP "FREE_CHOICE2"   # MSCHAPv2 user alice, password FREE_CHOICE2
bob : EAP "FREE_CHOICE3"     # MSCHAPv2 user bob, password FREE_CHOICE3
Configure your firewall / router: open incoming UDP ports 500 and 4500 and forward them to your VPN server’s local IP address.
Open your BB10 mobile’s connection settings and create a new VPN profile:
Setting | Value
--- | ---
Profile Name | (free choice)
Server Address | your public IP or domain
Gateway Type | Generic IKEv2 VPN Server
Authentication Type | EAP-MSCHAPv2
Authentication ID Type | E-Mail (can be anything)
MSCHAPv2 EAP Identity | (can be anything)
MSCHAPv2 Username | alice (username in ipsec.secrets)
MSCHAPv2 Password | FREE_CHOICE2 (alice’s password in ipsec.secrets)
Gateway Auth Type | PSK
Gateway Auth ID Type | IPv4
Gateway Preshared Key | FREE_CHOICE1 (PSK in ipsec.secrets)
Leave the default values for the other settings.
For testing, make sure WiFi on the phone is disabled so that the connection comes in from outside your local network.
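Before testing from the phone, it is worth linting the three server files written above: a section header that does not start in column 0, a secret left at its FREE_CHOICE placeholder, an EAP line without a username, or a world-readable ipsec.secrets all produce confusing IKE failures. This is an added example, not part of the original post; the minimum secret length of 12 characters is this script's own assumption.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the strongSwan
# files above before running "ipsec restart". File paths are passed in, so
# the checks can run against copies or test files.

# 0 if every "config"/"conn"/"ca" header starts in column 0 and every other
# setting line is indented (a stray leading space in " conn rem" fails this).
check_ipsec_conf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ || /^include[ \t]/ { next }
        /^[ \t]+(config|conn|ca)[ \t]/ { bad++ }              # indented header
        /^[^ \t]/ && !/^(config|conn|ca)[ \t]/ { bad++ }      # unindented setting
        END { exit (bad > 0) }
    ' "$1"
}

# 0 if no FREE_CHOICE placeholder from the article is left in ipsec.secrets,
# every EAP entry names a user, and each quoted PSK/EAP value has at least
# 12 characters (the length limit is this script's own assumption).
check_secrets() {
    if grep -q 'FREE_CHOICE' "$1"; then return 1; fi
    if grep -Eq '^[ \t]*:[ \t]*EAP' "$1"; then return 1; fi
    awk -F'"' '/(PSK|EAP)[ \t]*"/ && length($2) < 12 { short++ }
               END { exit (short > 0) }' "$1"
}

# 0 if the secrets file is mode 600 (uses GNU/busybox "stat -c", as on Ubuntu).
check_secrets_mode() {
    [ "$(stat -c %a "$1")" = "600" ]
}

lint_all() {
    rc=0
    check_ipsec_conf "$1"   || { echo "$1: headers must start in column 0, settings must be indented"; rc=1; }
    check_secrets "$2"      || { echo "$2: placeholder, empty username or short secret found"; rc=1; }
    check_secrets_mode "$2" || { echo "$2: should be mode 600 (chmod 600)"; rc=1; }
    return $rc
}

# Usage: sh lint_strongswan.sh /etc/ipsec.conf /etc/ipsec.secrets
if [ $# -ge 2 ]; then lint_all "$1" "$2"; fi
```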
Thank you for the article! It works perfectly!
P.S.
You have one extra space in the /etc/ipsec.conf section. “ conn rem” gives an error; it should be changed to “conn rem”.
Maybe it will be better to use “192.168.2.1/24” instead of “192.168.2.1/29”. But it is up to an administrator.
If you want to have multiple connections for the same user/password, you have to add “uniqueids=never” to the “config setup” section in /etc/ipsec.conf.