VPN: Blackberry VPN Client Support
The built-in BlackBerry VPN client uses AES-128, SHA1, IKE DH Group 5 (for low CPU powered devices) and PFS. See pages 271-274 in http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf . What is not defined in this are the IKE and IPSec SA lifetimes, and the PFS group used. Currently Astaro's IPSec remote access GUI does not support IKE DH Group 5. However, Astaro (I think) uses StrongSwan for the underlying VPN functionality on ASG - which already supports IKE DH Group 5.
So this feature request is to:
1. Enable the support of IKE DH Group 5 in the Astaro GUI for IPSec remote access.
2. Find the correct settings for IKE and IPSEC SA lifetimes - and add these to the GUI if needed.
3. Find the correct setting for the PFS group - and add these to the GUI if needed.
4. Finally, to create a Blackberry VPN tab to go alongside the iPhone VPN tab.
This feature would save customers having to buy a Cisco (or other competitive VPN box) to get their Blackberry handhelds VPN-connected. It would save customers having to pay large money for a Blackberry Enterprise Server. It would give both BlackBerry and iPhone VPN support. It would be a very nice selling point. Add in Android support - and we have a very compelling VPN story that plays into the explosion of handheld devices.
This feature is very consistent with Astaro's product development strategy - to be the UTM of choice because it provides businesses with a large breadth of sensible features that save them from purchasing more fully featured and expensive solutions - like the wireless is.
The reasons I can think of to do this:
a) Blackberry is targeted at the business marketplace, and Astaro can only benefit from this.
b) Handhelds continue to grow in use and importance, and Astaro can only benefit from this.
c) Handheld security is almost a contradiction in terms, and Astaro is a security solution - and customers can only benefit from this.
d) I have customers who use Blackberries and one who needs this.
But perhaps the most important reason, it is a doddle to sell on the back of this feature, if we can make it work.
And therein lies the rub, as they say.
All the best, Adrien.
I posted an article about the VPN configuration of the Z10 with Astaro ASG V8. It is written in German.
Was this ever fixed? We have Sophos UTM 8 and want to VPN with our BlackBerry Playbooks and the new Z10 phone. Any help here would be appreciated.
P.S. The new BlackBerry Z10 phone is amazing, best phone on the market!
Elmar Haag commented
My testing also showed that the usage of aggressive mode seems to be hard-coded in the BB software and I found no way to disable aggressive mode. However, aggressive mode is not supported by ASG and (I believe) also not by StrongSWAN. So that's the point there.
Adrien Belcourt commented
Thank you ellell. Your correction is good. NEED Group 7 (elliptic curve cryptography). I could not find any reference to Aggressive Mode. Is it mandatory for BlackBerry clients? Would love further details.
Thanks in advance, Adrien.
I assume that you are looking for IKE DH Group 7? Group 5 is already available in ASG... Furthermore, missing Aggressive Mode in ASG could be a problem.
Adrien Belcourt commented
Ahh, forgot to link in the StrongSwan feature page. Interesting reading. See below: