
IPsec VPN for Blackberry Playbook on RV220W

phil_m_casey
Level 1

I'm working on setting up my Blackberry Playbook to access the network over our IPsec VPN; however, so far I have had no luck.

I'm also posting this on the Blackberry playbook support forum.

Thanks for any help you may give me.

Settings on BlackBerry Playbook

Server Address: My IP Address

Authentication type: XAuth-PSK

Group Username: remote.com

Group Password: (Password)

Username: PCaseyIPsec

Password: (MyPassword)

Checked Automatically Determine IP

Checked Dynamically Determine DNS

Checked Perfect Forward Secrecy

Checked Manual Algorithm Selection (also tried Unchecked on Auto)

IKE DH Group: 2

IKE Cipher: 3DES

IKE Hash: SHA1

IKE PRF: HMAC

IPsec DH Group: 2

IPsec Cipher: 3DES

IPsec Hash: SHA1

IKE Lifetime (seconds): 28800

IPsec Lifetime (seconds): 3600

NAT Keepalive (seconds): 300

DPD Frequency (seconds): 240

Checked Disable Banner (also tried unchecked)

unchecked Use HTTP Proxy

Settings On RV220W

IKE Policies Table

Name | Mode | Local IP | Remote IP | Encryption | Authentication | DH
Sundown6 | Aggressive | local.com | remote.com | 3DES | SHA-1 | Group 2 (1024 bit)

VPN Policies Table

Status | Name | Type | Local | Remote | Authentication | Encryption
Enabled | Sundown6* | Auto Policy | 192.168.0.0 / 255.255.255.0 | Any | SHA-1 | 3DES

Logs

2011-05-07 01:39:14: [rv220w][IKE] INFO:  Remote configuration for identifier "remote.com" found
2011-05-07 01:39:14: [rv220w][IKE] INFO:  Received request for new phase 1 negotiation: 76.21.2.248[500]<=>192.168.0.158[500]
2011-05-07 01:39:14: [rv220w][IKE] INFO:  Beginning Aggressive mode.
2011-05-07 01:39:14: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-05-07 01:39:14: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-05-07 01:39:14: [rv220w][IKE] INFO:  Received Vendor ID: CISCO-UNITY
2011-05-07 01:39:14: [rv220w][IKE] INFO:  Received Vendor ID: DPD
2011-05-07 01:39:14: [rv220w][IKE] INFO:  For 192.168.0.158[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2011-05-07 01:39:15: [rv220w][IKE] INFO:  NAT-D payload matches for 76.21.2.248[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO:  NAT-D payload matches for 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] WARNING:  Ignore INITIAL-CONTACT notification from 192.168.0.158[500] because it is only accepted after phase1.
2011-05-07 01:39:15: [rv220w][IKE] INFO:  NAT not detected
2011-05-07 01:39:15: [rv220w][IKE] INFO:  Sending Xauth request to 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO:  ISAKMP-SA established for 76.21.2.248[500]-192.168.0.158[500] with spi:5127c3cf75f1f5d9:f65ff6a9995200c1
2011-05-07 01:39:15: [rv220w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REPLY" from 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO:  Login succeeded for user "PCaseyIPsec"
2011-05-07 01:39:15: [rv220w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] ERROR:  Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR:  Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR:  Local configuration for 192.168.0.158[500] does not have mode config
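
Added example (not part of the original post, and not Cisco's code): a small Python reader for IKE log lines in the format shown above, reporting which negotiation milestones were reached and collapsing repeated errors. The stage names and the `diagnose` function are hypothetical; the message markers are taken only from the log in this post.

```python
import re
from collections import Counter

# Lines copied from the log in the post above (a subset, embedded for offline use).
SAMPLE_LOG = """\
2011-05-07 01:39:14: [rv220w][IKE] INFO:  Beginning Aggressive mode.
2011-05-07 01:39:15: [rv220w][IKE] INFO:  Sending Xauth request to 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] INFO:  ISAKMP-SA established for 76.21.2.248[500]-192.168.0.158[500] with spi:5127c3cf75f1f5d9:f65ff6a9995200c1
2011-05-07 01:39:15: [rv220w][IKE] INFO:  Login succeeded for user "PCaseyIPsec"
2011-05-07 01:39:15: [rv220w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.0.158[500]
2011-05-07 01:39:15: [rv220w][IKE] ERROR:  Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR:  Local configuration for 192.168.0.158[500] does not have mode config
2011-05-07 01:39:15: [rv220w][IKE] ERROR:  Local configuration for 192.168.0.158[500] does not have mode config
"""

LINE_RE = re.compile(r"^(\S+ \S+): \[[^\]]+\]\[IKE\] (INFO|WARNING|ERROR):\s+(.*)$")

# Milestones in negotiation order; stage names are hypothetical labels.
STAGES = [
    ("phase1_started", "Beginning "),
    ("phase1_established", "ISAKMP-SA established"),
    ("xauth_login_ok", "Login succeeded for user"),
    ("mode_config_requested", '"ISAKMP_CFG_REQUEST"'),
]

def diagnose(log_text):
    reached, errors = set(), Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a line in another format
        _, level, msg = m.groups()
        for name, marker in STAGES:
            if marker in msg:
                reached.add(name)
        if level == "ERROR":
            # Replace the peer address so repeats of one error collapse together.
            errors[re.sub(r"\d+\.\d+\.\d+\.\d+\[\d+\]", "<peer>", msg)] += 1
    ordered = [name for name, _ in STAGES if name in reached]
    no_mode_cfg = any("does not have mode config" in e for e in errors)
    if no_mode_cfg and "mode_config_requested" in reached:
        verdict = "phase 1 and XAuth passed; client asked for mode config, gateway policy has none"
    elif "phase1_established" not in reached:
        verdict = "negotiation stopped before the ISAKMP-SA (phase 1) was established"
    else:
        verdict = "phase 1 established; no mode-config error seen"
    return {"reached": ordered, "errors": dict(errors), "verdict": verdict}
```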


phil_m_casey
Level 1

Anyone at all want to tell me what the error is at least?

qumartin
Level 1

Phillip,

I am looking over your settings for both the BlackBerry and the RV220W. There are a few things that I do not see, and I am wondering whether you set these things up. First, let's look at the BlackBerry Playbook:

Does it have the option for a preshared key? If so, this needs to be added.

Second, the RV220W settings:

Did you set up an XAuth user on the device under users? (VPN==>IPSEC Users)

Did you select XAuth on the RV220W under phase one of the tunnel to use the username and password you created? (They should match the BlackBerry.)

Did you enter a preshared key? And does it match the one that is on the BlackBerry?

Sometimes you can have compatibility issues when connecting certain devices together. Just make sure that you have all the fields matching up, because when connecting IPsec it is very important that you have the same things on both sides of the IPsec connection. This is not a problem all the time. Also, I would not use aggressive mode; just use main mode on the RV220W.

After making these changes, clear the log and see if you get a different log message. The current log that you are getting is not getting past phase 1. At this point it could be a number of things; because I don't have all the information, it is hard to guess when it comes to an IPsec connection.

Thanks

Quendale

Ok, I think I need to update everyone and type up my settings. I've tested this at my wife's school and a local coffee house and it worked. However, I have not been able to get it working at my building's free WiFi.
So this may not help everyone.

First the RV220W settings

Add / Edit IKE Policy Configuration


Policy Name:   AnythingYouLike
Direction / Type: Responder 
Exchange Mode: Aggressive 
Local
Identifier Type:   FQDN
Identifier:   local.com
Remote
Identifier Type:   FQDN
Identifier:   remote.com
IKE SA Parameters
Encryption Algorithm:  3DES
Authentication Algorithm: SHA-1 
Authentication Method: Pre-Shared Key 
Pre-Shared Key:  YourPassword
Diffie-Hellman (DH) Group: Group2(1024 bit) 
SA-Lifetime: 28800 Seconds 
Dead Peer Detection: Enable  NotChecked
Detection Period: (Range: 10 - 999) NA
Reconnect after Failure Count: (Range: 3 - 99) NA
Extended Authentication
XAUTH Type:   None
Authentication Type:  NA
Username:  NA
Password: NA

Add / Edit VPN Policy Configuration


Policy Name: AnythingYouLike 
Policy Type: Auto Policy 
Remote Endpoint: FQDN 
     Remote.com
NETBIOS: Enable  Not Checked
Local Traffic Selection
Local IP:   Subnet
Start Address:   192.168.44.0 (local ip range with 0 at end)
End Address:  NA
Subnet Mask:   255.255.255.0
Remote Traffic Selection
Remote IP:  Any
Start Address:  NA
End Address:  NA
Subnet Mask:  NA
Split DNS
Split DNS: Enable  NA
Domain Name Server 1:  NA
Domain Name Server 2: (Optional) NA
Domain Name 1:  NA
Domain Name 2: (Optional) NA
Manual Policy Parameters
SPI-Incoming:  NA
SPI-Outgoing:  NA
Encryption Algorithm:  NA
Key-In:  NA
Key-Out:  NA
Integrity Algorithm:  NA
Key-In:  NA
Key-Out:  NA
Auto Policy Parameters
SA-Lifetime:   3600
    Seconds
Encryption Algorithm:  3DES
Integrity Algorithm:  SHA-1
PFS Key Group: Enable  Checked
    DH-Group 2(1024 bit)
Select IKE Policy:  Select IKE Name From Above

Blackberry Playbook Settings

ProfileName AnyNameYouLike
Server Address: IPAddress (can check with whatismyip.com on same network as router)
Gateway Type Juniper VPN Series
Authentication type: PSK
Group Username: remote.com
Group Password: YourPassword (From ‘Pre-Shared Key:’ in Ike settings above)
Private IP 192.168.44.45 (pick ip from your local network)
Private IP Mask 255.255.255.0 (subnet mask of above ip)
Subnet 192.168.44.0 (same as ‘Start Address:’ in Ipsec settings above)
Subnet Mask 255.255.255.0 (subnet mask of ‘subnet’ IP address)
Checked Dynamically Determine DNS
Checked Perfect Forward Secrecy
Checked Manual Algorithm Selection (also tried Unchecked on Auto)
IKE DH Group: 2
IKE Cipher: 3DES
IKE Hash: SHA1
IKE PRF: HMAC
IPsec DH Group: 2
IPsec Cipher: 3DES
IPsec Hash: SHA1
IKE Lifetime (seconds): 28800
IPsec Lifetime (seconds): 3600
NAT Keepalive (seconds): 300
DPD Frequency (seconds): 999

unchecked Use HTTP Proxy


There you have it, enjoy. Play around with the settings and let me know if you find anything that works better.

Thanks,
Phil 

If you are able to get connected from two different locations with the settings shown, there is no problem with the settings on either device. It could be a matter of the settings of the internet provider that you are connecting from. When dealing with free WiFi, a lot of the time there are more security settings in place that will cause the VPN tunnel not to connect. If ports are being blocked at this location, that would cause you not to be able to connect. The settings you have are good if you can connect using the same settings from two different locations. I would not make any setting changes to the RV220W or the BlackBerry Playbook. In the past when using free WiFi, some places I could connect from and others I could not. It depends on the provider they are using and also how locked down the device that you are connecting to is.

Please let me know if I am looking at this wrong and this is not your case. I hope this is helpful.

Thanks

Quendale

No, you're right... It works now,

and there can be more than a few things going on with the free WiFi.

The oddest thing is that I got it working after a lot of trial and error, and that none of the Cisco clients worked, just the Juniper VPN Series client.

FYI the VPN clients it has are

Check Point Software Tech

Cisco VPN Gateway Type 3000

Cisco Secure PIX Firewall VPN

Cisco IOS Easy VPN Server

Cisco ASA

Juniper VPN Server

Microsoft IKEv2 VPN Server

Generic IKEv2 VPN Server

That's why I posted all the settings after I got it working.

Hi,

I realize it has been a while since you posted this but I am running into a situation which you may be able to help with.

I have the same setup and have used your settings to connect my Playbook successfully to my VPN configured on a Cisco RV220W but am having problems browsing the internet and intranet while connected. The DNS is dynamically determined but I have tried setting the Primary DNS to the IP address of the RV220W as it also acts as the internet gateway for the work network. However, no luck in either case.

If there is anything you can shed some light on that would be great. If you have any suggestions on another good compatible router with VPN capability that would be great as well. I have a client that needs to upgrade their router and I am not sure the RV220W is the way I want to go for them.

Thank you.