Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


VPN: Blackberry VPN Client Support

The built-in BlackBerry VPN client uses AES-128, SHA1, IKE DH Group 5 (for low CPU powered devices) and PFS. See pages 271-274 in . What is not defined in this are the IKE and IPSec SA lifetimes, and the PFS group used. Currently Astaro's IPSec remote access GUI does not support IKE DH Group 5. However, Astaro (I think) uses StrongSwan for the underlying VPN functionality on ASG - which already supports IKE DH Group 5.

So this feature request is to:
1. Enable the support of IKE DH Group 5 in the Astaro GUI for IPSec remote access.
2. Find the correct settings for IKE and IPSEC SA lifetimes - and add these to the GUI if needed.
3. Find the correct setting for the PFS group - and add these to the GUI if needed.
4. Finally, to create a Blackberry VPN tab to go alongside the iPhone VPN tab.

This feature would save customers having to buy a Cisco (or other competitive VPN box) to get their Blackberry handhelds VPN-connected. It would save customers having to pay large money for a Blackberry Enterprise Server. It would give both BlackBerry and iPhone VPN support. It would be a very nice selling point. Add in Android support - and we have a very compelling VPN story that plays into the explosion of handheld devices.

This feature is very consistent with Astaro's product development strategy - to be the UTM of choice because it provides businesses with a large breadth of sensible features that save them from purchasing more fully featured and expensive solutions - like the wireless is.

The reasons I can think of to do this:
a) Blackberry is targeted at the business marketplace, and Astaro can only benefit from this.
b) Handhelds continue to grow in use and importance, and Astaro can only benefit from this.
c) Handheld security is almost a contradiction in terms, and Astaro is a security solution - and customers can only benefit from this.
d) I have customers who use Blackberries and one who needs this.

But perhaps the most important reason is that it is a doddle to sell on the back of this feature, if we can make it work.

And therein lies the rub, as they say.

All the best, Adrien.

37 votes

    Adrien Belcourt shared this idea

      • HaTaX commented

        The German article posted up at the top is a good article on how to setup the BlackBerry 10 device, but it's not entirely clear what's needed on the ASG / UTM side.

        I've got it working perfectly using the "Cisco VPN Client" section in UTM, you just setup your allowed users and local networks you want exposed and enable it. Leave the server certificate as the "Local" certificate, and set the interface to your WAN connection. Also you can change your default IP pool used to assign to remote clients. Most of that can be left at default.

        Then you need to export 2 certificates from the ASG / UTM WebAdministration and get them to your BlackBerry 10 device. You need the user's certificate as well as the "VPN Signing CA" certificate that's under the "Certificate Authority" tab. Get them onto your BB10 handheld by whatever means and import them in Settings -> Security -> Certificate.

        After the certificates are imported, and your Cisco VPN Client settings are all setup on the ASG / UTM you just need to make a VPN profile on the BB10 device. Go to Networks -> VPN and add a connection.
        Gateway Type: Cisco Secure PIX Firewall VPN
        Authentication Type: XAUTH-PKI
        CA Certificate: (CA certificate imported above, home use is called 'Home User VPN CA')
        Client Certificate: (User's certificate imported above)

        Then just enter the user's username and password and away you go.

        Has worked quite well for me!
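As an added illustration (not from the comment above and not Sophos/Astaro's own configuration), here is how the parameters named in this thread map onto a strongSwan 5 `ipsec.conf` connection: AES-128/SHA1/DH group 5 in main mode, PFS on the child SA, and certificate authentication followed by XAUTH, as in the XAUTH-PKI profile described above. It assumes the gateway runs strongSwan as the original poster suspects; the lifetimes, certificate file names, identity, subnets and address pool are placeholders, since the thread leaves the correct lifetimes open.

```ini
# Added example, not the UTM's own configuration. strongSwan 5.x syntax;
# file names, addresses and lifetimes are placeholders.
conn bb-ikev1-cert
    keyexchange=ikev1
    # Main mode only: aggressive mode sends identities before the channel is
    # protected, and the thread notes ASG does not offer it anyway.
    aggressive=no
    # Phase 1 proposal matching the client: AES-128 / SHA1 / DH group 5
    # (modp1536). The trailing '!' rejects any other proposal.
    ike=aes128-sha1-modp1536!
    # Phase 2 with PFS: a DH group in the ESP proposal forces a fresh
    # exchange for the child SA. Group 5 here is a placeholder choice.
    esp=aes128-sha1-modp1536!
    # Placeholder lifetimes; the thread does not establish the right values.
    ikelifetime=8h
    lifetime=1h
    rekey=yes
    # Gateway side: authenticates with its own certificate.
    left=%defaultroute
    leftcert=gatewayCert.pem          # placeholder file name
    leftid=@vpn.example.net           # placeholder identity
    leftsubnet=192.168.10.0/24        # placeholder local network exposed to clients
    leftauth=pubkey
    # Client side: certificate first, then XAUTH username/password
    # (XAUTH credentials live in ipsec.secrets as: user : XAUTH "password").
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightca=%same                     # client cert must chain to the gateway's CA
    rightsourceip=10.99.0.0/24        # placeholder pool handed to clients
    auto=add
```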

      • PAul commented

        Hi folks,

        Was this ever fixed? We have Sophos UTM 8 and want to VPN with our BlackBerry Playbooks and the new Z10 phone. Any help here would be appreciated.

        p.s. the new BlackBerry Z10 phone is amazing, best phone on the market !


      • Elmar Haag commented

        My testing also showed that the usage of aggressive mode seems to be hard-coded in the BB software and I found no way to disable aggressive mode. However, aggressive mode is not supported by ASG and (I believe) also not by StrongSWAN. So that's the point there.

      • Adrien Belcourt commented

        Thank you ellell. Your correction is good. NEED Group 7 (elliptic curve cryptography). I could not find any reference to Aggressive Mode. Is it mandatory for BlackBerry clients? Love further details.

        Thanks in advance, Adrien.

      • ellell commented

        I assume that you are looking for IKE DH Group 7? Group 5 is already available in ASG... Furthermore missing Aggressive Mode in ASG could be a problem.
