
Configuring the connection to the BlackBerry 2FA server on a strongSwan server

To configure connectivity to the BlackBerry 2FA server on a strongSwan server, you must modify the ipsec.conf and the eap-radius.conf files.
For more information about these files and how to configure strongSwan, visit https://www.strongswan.org/.

ipsec.conf configuration

The ipsec.conf file is located in the /etc directory. You must add a new "conn" section for the BlackBerry 2FA server. For example:

    conn <name>
        keyexchange=ikev2
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%any
        auto=add

<name>
    This is the unique name for the new connection section. It is a common practice for that name to reflect some key characteristics of the connection itself (for example, IPSec-IKEv2-radius).

keyexchange=ikev2
    This setting specifies the key exchange method (for example, IKEv1, IKEv2). The BlackBerry 2FA server does not use this setting, but you must include it in the conn section to enable proper key exchange with VPN clients. You must make sure that the VPN clients that connect to the strongSwan server use the same key exchange method.

rightauth=eap-radius
    This setting specifies that the strongSwan server must use EAP over RADIUS to authenticate VPN clients for this type of connection.

rightsendcert=never
    This setting specifies that user certificates are not used for client authentication.

eap_identity=%any
    This setting specifies the identity of the VPN client to use for authentication. The BlackBerry 2FA server does not use this setting, but you must include it in the conn section. The "%any" value instructs the strongSwan server to pass the identity provided by the VPN client.

auto=add
    This setting specifies that this connection section is active. The BlackBerry 2FA server does not use this setting, but you must include it in the conn section.

eap-radius.conf configuration

The eap-radius.conf file is located in the /etc/strongswan.d/charon directory. It specifies the details for EAP over RADIUS authentication. The default configuration file has all the settings that you must configure, but most of them are commented out and some of them do not have any value assigned. You must modify the required settings by removing the number sign (#) and setting their values as described below.

accounting=no
    This setting prevents strongSwan from sending RADIUS accounting information to the BlackBerry 2FA server.

nas_identifier
    This optional setting specifies the NAS-Identifier to include in RADIUS messages. You can use this setting if multiple strongSwan servers are using the same BlackBerry 2FA server.

port=1812
    This setting specifies the port used by the BlackBerry 2FA server to receive RADIUS requests for authentication.

secret=<shared secret>
    This setting specifies the shared secret between strongSwan and the BlackBerry 2FA server. When you configure VPN server connectivity in the BlackBerry 2FA server, you must type the RADIUS shared secret that you specify here.

server=<IP of VPNAuth server>
    This setting specifies the IP address or FQDN of the BlackBerry 2FA server.

ike_to_radius=1, 2, 311:1, 311:11, 311:25
    This setting specifies a comma-separated list of numbers that represent the list of RADIUS attributes that strongSwan needs to forward to the BlackBerry 2FA server.
    Numbers separated by colons indicate vendor-specific attributes. The first number identifies the vendor (for example, 311 is the number for Microsoft), and the second number identifies the attribute type.
    This setting is in the "forward" section of the configuration file.

radius_to_ike=311:26, 311:17, 311:16
    This setting specifies a comma-separated list of numbers that represent the list of RADIUS attributes that the BlackBerry 2FA server needs to forward to strongSwan.
    Numbers separated by colons indicate vendor-specific attributes. The first number identifies the vendor (for example, 311 is the number for Microsoft), and the second number identifies the attribute type.
    This setting is in the "forward" section of the configuration file.
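To check an eap-radius.conf against the settings described above before restarting charon, here is an added example (not BlackBerry's or the strongSwan project's code): it parses the brace-nested strongswan.conf syntax, splits the forward lists into (vendor, type) pairs, and reports which required settings are missing. The sample file text and the host name 2fa.example.test are constructed; the placement of forward inside the eap-radius section follows the strongSwan config layout.

```python
def parse_conf(text):
    """Parse strongswan.conf-style text (brace-nested 'key = value') into nested dicts."""
    stack = [{}]                                   # stack[-1] is the section being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding blanks
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip()
    return stack[0]

def parse_attrs(value):
    """'1, 2, 311:1' -> [(0, 1), (0, 2), (311, 1)]; vendor 0 marks a standard attribute."""
    pairs = []
    for item in [s.strip() for s in value.split(",") if s.strip()]:
        vendor, _, attr = item.rpartition(":")    # 'vendor:type' or a bare 'type'
        pairs.append((int(vendor) if vendor else 0, int(attr)))
    return pairs

def check_eap_radius(conf):
    """Return the problems found against the eap-radius settings the page requires."""
    er, problems = conf.get("eap-radius", {}), []
    for key, want in (("accounting", "no"), ("port", "1812")):
        if er.get(key, "").lower() != want:
            problems.append(f"{key} must be {want}")
    for key in ("secret", "server"):               # a blank shared secret is the common slip
        if not er.get(key):
            problems.append(f"{key} is not set")
    for key in ("ike_to_radius", "radius_to_ike"):
        try:
            ok = bool(parse_attrs(er.get("forward", {}).get(key, "")))
        except ValueError:                         # a non-numeric entry in the list
            ok = False
        if not ok:
            problems.append(f"forward.{key} is missing or malformed")
    return problems

SAMPLE = """eap-radius {
    accounting = no
    port = 1812
    secret =                    # constructed sample: deliberately left blank, as shipped
    server = 2fa.example.test   # constructed sample host, not a real server
    forward {
        ike_to_radius = 1, 2, 311:1, 311:11, 311:25
        radius_to_ike = 311:26, 311:17, 311:16
    }
}"""
```

Running check_eap_radius(parse_conf(SAMPLE)) reports only the blank secret; once a value is filled in, the list is empty.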