VPN: Blackberry VPN Client Support
The built-in BlackBerry VPN client uses AES-128, SHA1, IKE DH Group 5 (for low-CPU-powered devices) and PFS. See pages 271-274 in http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf . What is not defined in this are the IKE and IPSec SA lifetimes, and the PFS group used. Currently Astaro's IPSec remote access GUI does not support IKE DH Group 5. However, Astaro (I think) uses StrongSwan for the underlying VPN functionality on ASG - which already supports IKE DH Group 5.
So this feature request is to
1. Enable the support of IKE DH Group 5 in the Astaro GUI for IPSec remote access.
2. Find the correct settings for IKE and IPSEC SA lifetimes - and add these to the GUI if needed.
3. Find the correct setting for the PFS group - and add these to the GUI if needed.
4. Finally, to create a Blackberry VPN tab to go alongside the iPhone VPN tab.
This feature would save customers having to buy a Cisco (or other competitive VPN box) to get their BlackBerry handhelds VPN-connected. It would save customers having to pay large money for a BlackBerry Enterprise Server. It would give both BlackBerry and iPhone VPN support. It would be a very nice selling point. Add in Android support - and we have a very compelling VPN story that plays into the explosion of handheld devices.
This feature is very consistent with Astaro's product development strategy - to be the UTM of choice because it provides businesses with a large breadth of sensible features that save them from purchasing more fully featured and expensive solutions - as the wireless feature is.
The reasons I can think of to do this
a) BlackBerry is targeted at the business marketplace, and Astaro can only benefit from this.
b) Handhelds continue to grow in use and importance, and Astaro can only benefit from this.
c) Handheld security is almost a contradiction in terms, and Astaro is a security solution - and customers can only benefit from this.
d) I have customers who use BlackBerries and one who needs this.
But perhaps the most important reason: it is a doddle to sell on the back of this feature, if we can make it work.
And therein lies the rub, as they say.
All the best, Adrien.
The German article posted up at the top is a good article on how to setup the BlackBerry 10 device, but it's not entirely clear what's needed on the ASG / UTM side.
I've got it working perfectly using the "Cisco VPN Client" section in UTM: you just set up your allowed users and the local networks you want exposed, and enable it. Leave the server certificate as the "Local" certificate, and set the interface to your WAN connection. You can also change the default IP pool used to assign addresses to remote clients. Most of that can be left at default.
Then you need to export 2 certificates from the ASG / UTM WebAdministration and get them to your BlackBerry 10 device. You need the user's certificate as well as the "VPN Signing CA" certificate that's under the "Certificate Authority" tab. Get them onto your BB10 handheld by whatever means and import them in Settings -> Security -> Certificate.
After the certificates are imported, and your Cisco VPN Client settings are all set up on the ASG / UTM, you just need to make a VPN profile on the BB10 device. Go to Networks -> VPN and add a connection.
Gateway Type: Cisco Secure PIX Firewall VPN
Authentication Type: XAUTH-PKI
CA Certificate: (CA certificate imported above, home use is called 'Home User VPN CA')
Client Certificate: (User's certificate imported above)
Then just enter the user's username and password and away you go.
Has worked quite well for me!
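The procedure above is described in terms of the UTM WebAdmin screens. As an added illustration (not from the original poster, and not Astaro's or Sophos's own generated configuration), the same settings discussed in this thread can be written out as a strongSwan ipsec.conf fragment: IKEv1 main mode, AES-128 with SHA1, DH Group 5 (modp1536) for both the IKE exchange and PFS, and XAUTH layered on certificate authentication, which is what the BB10 "XAUTH-PKI" profile type expects. Whether UTM produces anything like this under the hood is an assumption; the certificate file name, subnets, address pool and lifetime values are placeholders.

```ini
# Added example, not code from the original post or from Astaro/Sophos.
# Assumes strongSwan 5.x ipsec.conf syntax. Names, subnets, pool and
# lifetime values are placeholders chosen for illustration.
conn bb10-xauth-pki
    keyexchange=ikev1
    aggressive=no                 # main mode (see the aggressive-mode discussion in this thread)
    ike=aes128-sha1-modp1536!     # phase 1: AES-128, SHA1, DH Group 5; "!" pins the proposal
    esp=aes128-sha1-modp1536!     # phase 2 with PFS using Group 5
    ikelifetime=8h                # IKE SA lifetime (assumed value, not from the BlackBerry guide)
    lifetime=1h                   # IPsec SA lifetime (assumed value)
    left=%defaultroute            # WAN interface of the gateway
    leftcert=utmServerCert.pem    # placeholder: the gateway's "Local" server certificate
    leftauth=pubkey
    leftsubnet=10.0.0.0/24        # placeholder: local networks exposed to remote clients
    right=%any
    rightauth=pubkey              # client certificate issued by the "VPN Signing CA"
    rightauth2=xauth              # then username/password (XAUTH-PKI on the handheld)
    rightsourceip=10.10.10.0/24   # placeholder: IP pool handed to remote clients
    auto=add
```

The `!` after each proposal makes strongSwan reject anything the client offers that does not match, which is the quickest way to confirm on the gateway side that the handheld really proposes Group 5 and PFS as the BlackBerry policy guide states. strongSwan 5.x also accepts `aggressive=yes` in a `conn` section; whether the UTM release in question exposes that is something this thread does not settle.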
I posted an article about the VPN configuration of the Z10 with Astaro ASG V8. It is written in German.
Was this ever fixed? We have Sophos UTM 8 and want to VPN with our BlackBerry PlayBooks and the new Z10 phone. Any help here would be appreciated.
p.s. the new BlackBerry Z10 phone is amazing, best phone on the market !
Elmar Haag commented
My tests also showed that the usage of aggressive mode seems to be hard-coded in the BB software, and I found no way to disable aggressive mode. However, aggressive mode is not supported by ASG and (I believe) also not by StrongSWAN. So that's the point there.
Adrien Belcourt commented
Thank you ellell. Your correction is good. NEED Group 7 (elliptic curve cryptography). I could not find any reference to Aggressive Mode. Is it mandatory for BlackBerry clients? Would love further details.
Thanks in advance, Adrien.
I assume that you are looking for IKE DH Group 7? Group 5 is already available in ASG... Furthermore, the missing Aggressive Mode in ASG could be a problem.
Adrien Belcourt commented
Ahh, forgot to link in the StrongSwan feature page. Interesting reading. See below: