Proper setup for a network with Public Static IPs and Private IPs

hello all-
i am trying to set up a network with public static IP addresses and local (internal) IP addresses in the 192.168.xxx.xxx format. i will try to explain as best i can how i have it set up and what my issues are.
i have COX business services in my home and 8 static public IPs assigned to me. i have tried setting this up and everything internally (192.168.xxx.xxx) works fine and all the devices can get to the outside world fine, but when i try to access ANY of the devices on the public IPs from outside the network i get absolutely nothing. the browser just times out and i cannot ping the devices even though COX can see them and says the devices are bridging over. COX is unable to get a response when they ping the devices either.
one of the devices is a Synology NAS with one Ethernet port that is using a public IP and the other using a 192.168.xxx.xxx address. when the Ethernet port is set up using a static public IP COX can see it but they get no response from a ping, and when they go to the address to get the login page the browser times out. when i reconfigure the port for DHCP it grabs a public DHCP address, and when COX pings that they get a response AND they are able to type the DHCP address in their browser and get to the login page no problem. when i switch back to the static IP they can see it but again are unable to get a response from a ping and are unable to go to the login page.
my setup is:
COX Modem (only has 1 Ethernet port) ====>> 8 port NETGEAR Gigabit switch (all devices with Public IPs are plugged into the NETGEAR switch)
NETGEAR switch ====>> WAN Port on Airport Extreme (latest version w/all software updates)
LAN Port Airport Extreme ====>> CISCO 2960 48 port Gigabit Switch (all internal devices are plugged into the CISCO switch)
like i said everything with the 192.168.xxx.xxx connects and i can connect to just fine but none of the devices with public static IPs can be pinged even though COX can see them bridging over. i have tried all new cables on the devices and that didn't work so it has to be something with my setup.
do i need to add another router to this configuration because i have extra airport extremes lying around i can use if someone could just tell me how the setup should be. i also have a few ports open on the CISCO switch; is there a way i can use it for the 4-5 devices that have public IPs? or will that cause a problem with all the other devices plugged into it with the 192.168.xxx.xxx IP addresses?
i'm not a networking guru (obviously) so if you are able to help me get this setup properly can you try not to use Doctoral Level syntax in your response? i would greatly appreciate it!
i appreciate any and all help... thx in advance!

Duplicate posts. 
Go HERE.

Similar Messages

  • Is it possible to setup a WDS network with separate SSID's?

    Is it possible to setup a WDS network with separate SSID's? I'm using two AirPort Extreme N devices.

    Welcome to the discussions!
    "Is it possible to setup a WDS network with separate SSID's?"
    In order to "extend a wireless network", the network must have the same SSID.
    If you have dual band AirPort Extreme devices, this is the only way that you will be able to extend both the 2.4 GHz and 5 GHz bands.
    Use the same SSID for both bands on the "main" AirPort Extreme and be sure to check the box to "Allow this network to be extended".
    On the remote Extreme, set the Wireless Mode to "Extend a wireless network" and choose the name of the network on the "main" Extreme to extend. Enter the same security and password.
    For more information and Apple's step by step on this, refer to pages 43-44 in the Apple AirPort Networks Guide.

  • Can an iPad be setup for tethered shooting with a Nikon dslr

    Can an iPad be setup for tethered shooting with a Nikon Camera

    Not as a standalone solution if you want stuff like live view and all the camera controls on the iPad. If it's just for transferring photos to the iPad for immediate viewing after shooting the Shuttersnitch app comes to mind. Shuttersnitch however requires a WiFi connection that most Nikons don't happen to have. Nikon's wireless dongles for the consumer range of cameras are also somewhat awkward to use whereas the wireless/Ethernet units for the pro range happen to be very expensive. WiFi SD-cards are also a possibility for retrofitting WiFi but they tend to be unreliable, slow and their setup is quite often finicky.
    Another solution would be tethering the camera to a laptop (Win or Mac) through USB and connecting the iPad as a secondary wireless tethering device to the computer. There are programs for Mac and Windows incorporating this feature. I once set this up for a friend who does a lot of studio work but it ended up that he just uses the USB-connected laptop almost exclusively. And unless one would be out for a timelapse shooting already carrying tons of gear not a solution for shooting in the field.
    Last but not least, and also not exactly inexpensive, is the Camranger remote control for Nikon and Canon DSLRs. It connects to the camera through USB and has its own server and WiFi built in which allows it to connect to iOS, Android, Mac and Windows (apps for all available from Camranger themselves). Probably the most flexible and comfortable solution, especially when considering that it can be used for multiple cameras and will most likely also work with future cameras. More information can be found at http://www.camranger.com (I'm in no way affiliated with them and personally don't own a Camranger remote so I would advise some more web research on user experiences).

  • Howto setup a simple network in SCVMM 2012 R2 and HyperV for test-Lab /Private Cloud

    How to setup a simple network in SCVMM 2012 R2 and HyperV for test-Lab /Private Cloud
    I have a domain controller on my laptop (i5 core 8gb) and one Hyper-V machine also running SCVMM 2012 R2 on it (i3 core 16gb).
    Both are running Windows Server 2012 R2 x64.
    I want to install an easy "Test Lab" for SCVMM 2012 R2 and Hyper-V R2 for my Private Cloud exams (70-246 & 70-247).
    How to arrange networking and clustering for this? My network and cluster is 192.168.1.0/24.
    ThanX anyway!!

    Also, I have tried to redeploy other test VM networks, VMs, and the PA Network itself and it still doesn't work. 
    Any ideas?

  • I am trying to setup to secure a redirect public port to a private port

    I am trying to setup a secure redirect of a public port to a private port to a Microsoft Exchange server.
    A user coming from the outside (untrusted, security level 0) will connect to an IIS server in the DMZ (trusted, security level 50) on port 443 through a PIX 515; the IIS server has an application called Detour Service (the service transparently reroutes any TCP connection from one IP port to any other IP port) which will initiate a connection to the Microsoft Exchange server on the inside (trusted, security level 100).
    Do you think it is the right solution in terms of security? yes or no, or do you have a better solution?
    Thanks
    User port destination 443(outside)>>>>>> IIS server port destination 9999(DMZ)>>>>>>>>>>> Microsoft server exchange(inside)

    Actually the connection from lower security level to higher security level is blocked. You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside. For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.

  • How do i create a little network with my i-mac and macbook

    how do i create a little network with my i-mac and macbook

    Hello:
    To give a sensible answer, a little more information is needed.
    I am guessing that you want to set up a wireless network as you have both a desktop and laptop.
    There are some pretty good tutorials/articles in the knowledge base articles.
    Barry

  • What index is suitable for a table with no unique columns and no primary key

    alpha  beta  gamma  col1  col2  col3
    100    1     -1     a     b     c
    100    1     -2     d     e     f
    101    1     -2     t     t     y
    102    2     1      j     k     l
    Sample data above, and below is the datatype for each column:
    alpha datatype - string
    beta datatype - integer
    gamma datatype - integer
    col1, col2, col3 are all string datatypes.
    Note: columns are not unique and we would be using alpha, beta, gamma to uniquely identify a record. Now as you see in my sample data, this is in a table which doesn't have an index. I would like to have an index created covering these columns (alpha, beta, gamma). I believe that creating a clustered index having covering columns will be better.
    What would you recommend the index type should be here in this case? Say data volume is 1 million records and we always use the alpha, beta, gamma columns when we filter or query records.
    what index is suitable for a table with no unique columns and primary key?
    Mudassar

    Many thanks for your explanation .
    When I tried querying using the below query on my heap table, SQL Server suggested creating a NON CLUSTERED INDEX INCLUDING columns [beta], [gamma], [col1], [col2], [col3]
    SELECT [alpha]
          ,[beta]
          ,[gamma]
          ,[col1]
          ,[col2]
          ,[col3]
      FROM [TEST].[dbo].[Test]
    where   [alpha]='10100'
    My question is why it didn't suggest Clustered INDEX and chose NON clustered index ?
    Mudassar

  • Is it possible to search for multiple folders with the same name and...

    Is it possible to search for multiple folders with the same name and then select them all and change the permissions on just those folders .i.e. Search for the budget folders in all client folders and lock them down to just the project managers. Without having to go to each folder and apply the permissions.

    user11919409 wrote:
    Is it possible to create a Clone database with the same name of source db using RMAN ...
    yes
    DB version is 11.2.0.2
    Is it possible to clone a 11.2.0.2 database to 11.2.0.3 home location directly on a new server . If it starts in a upgrade mode , it is ok ....yes
    why do you waste time here when you rarely get any answers to your questions?

  • Will there be support for Adobe Ideas with the Adobe Ink and Slide?

    Will there be support for Adobe Ideas with the Adobe Ink and Slide?

    We're working on an update to Ideas to add support for Ink & Slide.  Stay tuned for further information as to timing.
    Kim
    Adobe Ideas Team

  • Setup Guest Network with OS X Server and Airport Extreme - NEED HELP!

    Hi All,
    So I have a small business with a Mac Mini Server (10.6.5) and an Airport Extreme. The Airport is handling the routing and DHCP duties, while the Server is handling the DNS. The Airport is pointed to pull DNS from the Server. All internal systems work great accessing the internet and folders on the Server.
    I need to setup a Guest network for internet access, so I turned this function on in the Airport Extreme. It sets up fine, but if you connect to that new Guest Network the system hangs trying to open a web page. My thinking is since the Server is the one handling the DNS it is not working for Guest computers since they are not part of our internal network. At least that is my theory, I could be wrong.
    With this type of setup what do I need to modify to get this working? Anyone have any ideas?

    After trying for days to figure this out I was finally able to get a working solution and I now have my APE providing a guest and main network while using my Lion server as the DNS server for the main network.
    The setup is a bit of a hack and does require you to have at least two devices with statically assigned IP information on the main network, but it does allow you to serve DHCP for both networks from the server and make some services available to the guest network such as iTunes remote for parties.
    1) delete your custom DNS entries from the Internet settings in the APE and set two DHCP reservations for .2 and .3 (in this case my Mac mini server and my AirPort Express)
    2) reduce the DHCP range to only have 2 available IPs (10.0.1.2-10.0.1.3) and save settings
    3) on a computer connected to the main network install Wireshark and begin sniffing for packets. Connect at least one device to your guest network and look for any packets that have an IP from your guest network (usually 172.16.42.x). Once you capture one of these packets expand the VLAN information. This should list a VLAN ID (in my case this was 1003. I would suspect this is universal but do not know)
    4) on your server open Network Preferences, click the gear at the bottom and click "Manage Virtual Interfaces", add a VLAN that matches the VLAN ID from above. Click OK and apply your settings. The VLAN interface should get an IP in the guest network range from your APE.
    * if you are running Lion you will need to install Server Admin Tools before proceeding *
    5) open Server Admin and add the DHCP service. Create an entry for your primary network (ex: 10.0.1.x); make the DHCP range one higher than the settings in step 2 (i.e. 10.0.1.4 to 10.0.1.253) and assign this to the physical interface. Make sure this entry has your internal DNS servers.
    6) add another entry for the guest network's IP range (ex: 172.16.42.x); again set it one IP higher than step 2 (172.16.42.4 to 172.16.42.253), save and activate both ranges. Assign this range to the VLAN interface. Make sure this entry either contains your ISP's DNS servers or another public DNS server. Turn on DHCP.
    Because you have now assigned the only two addresses in the APE's pool for your primary network to static entries there will not be any addresses to assign and the APE will not respond to requests. This will allow your server to pick up the work of assigning IPs. As for your guest network, the APE will assign IPs for two hosts and then stop. Your clients may either get an IP from the APE or the OS X server so both should have the same info. Just make sure the two static clients on your main network have the local DNS servers entered manually.

  • FAQ or tutorial for configuring RV220W with multiple static external IP addresses?

    I just acquired a used RV220W and would like to use it with my Comcast business internet service (13 external IP's).
    My network currently consists of multiple linux machines.  Each machine has an internal IP and an external IP.  All firewalling is done on the machine itself (using iptables).
    I would like to configure the RV220W to be a frontline firewall so the individual machines don't need to be firewalled.  I would like each machine to maintain its network configuration, so as to avoid major disruptions.  IOW, I don't (currently) want to use one-to-one NAT mapping.
    I may consider moving to nat routing at some point in the future.
    Does anyone know of a tutorial or FAQ that outlines the configuration steps to accomplish this?
    Although I am an IT professional, I am not a networking guru.
    Thanks!
    david

    Hello, 
    I'm sorry, I'm a little bit confused about your current setup but I can definitely explain the capabilities of our Small Business Routers.
    On the devices that support any type of connection to a modem providing multiple addresses, the only way to use them is as follows:
    1- The router should be configured with a Static IP address
    2- That static IP needs to be part of the same subnet as the other IP addresses that you are planning to use on the inside of the network.
    3- The subnet mask configured on the Static IP address should reflect the amount of addresses that you have available. For example, if you have 13 available IP addresses your subnet mask on the WAN connection should not be 255.255.255.252.
    4- The only way to allow the other public IP addresses on the inside of the network is by configuring One to One NAT and assigning them to private IP addresses on the LAN.
    5- When you enable the One to One NAT rules on the router, you will be opening either all or just one port depending on the router, and then you will have to configure restrictions on the firewall to block or allow more ports.
    Now, if you have a Router with a DMZ port like the RV320, then you can configure the public IP address on a Range on the DMZ port and use the actual public IP address on the NIC of the linux PC's.
    I hope this helps

  • Proper setup for home office

    I have a domain (mydomain.com) and static IP's from our provider with RDNS setup properly. AEBS is providing DHCP & DNS and I have a few questions. Config is this (net)--(modem)--(aebs)--(macmini)
    1. What should the settings in the AEBS be? Should it be providing DNS servers of our ISP to clients or should it be handing out the IP of the MacMini.
    2. We have a domain with RDNS but when setting up the macmini what should I put in the hostname field so that all external services work well. In 10.5 this was very very key you did it right. So would I put apple.mydomain.com?
    Thanks,
    DM

    Kia ora DD,
    What services is SLServer running, it will be your OD master I assume, and DNS, and I assume DHCP is handled by your AEBS?
    I think the dns references should point to the ip address of your server, so that the clients are 'sent' to it first, then if the resource they are looking for is not there then the server will send that request on elsewhere, usually to the router, which is looking 'outside', and sends the request out into the 'net'.
    As far as the DNS entry of the server is concerned the relationship between the FQDN (the base domain name for example 'sausage.com') and the hostname (computer name for example 'beef') still exists, but it is not as tricky. The computer name is used in some services locally, on the internal network and may be found for some services at beef.local, some services need the FQDN, but most need the hostname; beef.sausages.com.
    As far as the setup is concerned I put my FQDN in the first box and the computer name in the second, and if you look at the DNS services in Server Admin or the info pane in Server Preferences, they should show the consequences of how you named your box etc. at the initial setup.
    As far as your ISP is concerned they should be sending any external request to your static IP, and that will be handled by your server as long as the mail exchanger records at your ISP are the same as the mail exchange record in the DNS services pane of Server Admin.
    I would recommend reinstalling multiple times until you have it as you want it,
    I think!

  • How to call java with public static void main(String[] args) throws by jsp?

    how do i call this from jsp? <%spServiceInd temp = new spServiceInd();%> does not work because the program has a main. can i make another 2nd.java to call this spServiceInd.java then call 2nd.java by jsp? if yes, how??? The code is found below...
    import java.net.MalformedURLException;
    import java.io.IOException;
    import com.openwave.wappush.*;
    public class spServiceInd {
         private final static String ppgAddress = "http://devgate2.openwave.com:9002/pap";
         private final static String[] clientAddress = {"1089478279-49372_devgate2.openwave.com/[email protected]"};
    //     private final static String[] clientAddress = {"+639209063665/[email protected]"};
         private final static String SvcIndURI = "http://devgate2.openwave.com/cgi-bin/mailbox.cgi";
         private static void printResults(PushResponse pushResponse) throws WapPushException, MalformedURLException, IOException {
              System.out.println("hello cze, I'm inside printResult");
              //Read the response to find out if the Push Submission succeeded.
              //1001 = "Accepted for processing"
              if (pushResponse.getResultCode() == 1001) {
                   try {
                        String pushID = pushResponse.getPushID();
                        SimplePush sp = new SimplePush(new java.net.URL(ppgAddress), "SampleApp", "/sampleapp");
                        StatusQueryResponse queryResponse = sp.queryStatus(pushID, null);
                        StatusQueryResult queryResult = queryResponse.getResult(0);
                        System.out.println("Message status: " + queryResult.getMessageState());
                   } catch (WapPushException exception) {
                        System.out.println("*** ERROR - WapPushException (" + exception.getMessage() + ")");
                   } catch (MalformedURLException exception) {
                        System.out.println("*** ERROR - MalformedURLException (" + exception.getMessage() + ")");
                   } catch (IOException exception) {
                        System.out.println("*** ERROR - IOException (" + exception.getMessage() + ")");
                   }
              } else {
                   System.out.println("Message failed");
                   System.out.println(pushResponse.getResultCode());
              }
         }//printResults
         public void SubmitMsg() throws WapPushException, IOException {
              System.out.println("hello cze, I'm inside SubmitMsg");
              try {
                   System.out.println("hello cze, I'm inside SubmitMsg (inside Try)");
                   //Instantiate a SimplePush object passing in the PPG URL,
                   //product name, and PushID suffix, which ensures that the
                   //PushID is unique.
                   SimplePush sp = new SimplePush(new java.net.URL(ppgAddress), "SampleApp", "/sampleapp");
                   //Send the Service Indication.
                   PushResponse response = sp.pushServiceIndication(clientAddress, "You have a pending Report/Request. Please logIn to IRMS", SvcIndURI, ServiceIndicationAction.signalHigh);
                   //Print the response from the PPG.
                   printResults(response);
              }//try
              catch (WapPushException exception) {
                   System.out.println("*** ERROR - WapPushException (" + exception.getMessage() + ")");
              } catch (IOException exception) {
                   System.out.println("*** ERROR - IOException (" + exception.getMessage() + ")");
              }
         }//SubmitMsg()
         public static void main(String[] args) throws WapPushException, IOException {
              System.out.println("hello cze, I'm inside main");
              spServiceInd spsi = new spServiceInd();
              spsi.SubmitMsg();
         }//main
    }//class spServiceInd

    In general, classes with a main method should be called from the command prompt (that's the reason for the main method). Remove the main method, put the class in a package and import the package in your jsp (java classes should not be in the same location as jsps).
    When you import the package in the jsp, you can instantiate the class and use any of its methods or call the static methods directly:
    <%
    spServiceInd spsi = new spServiceInd();
    spsi.SubmitMsg();
    %>

  • Update Policy for multiple networks with specific DNS servers

    I have a mid size network with 5 locations all with different IP addresses. All sites host their own DNS servers and connect directly through an ISP dedicated VLAN.
    Site            Address          Subnet mask
    Main Site       10.1.1.1         255.0.0.0
    Remote Site 1   192.168.100.1    255.255.255.0
    Remote Site 2   192.168.101.1    255.255.255.0
    Remote Site 3   192.168.102.1    255.255.255.0
    Remote Site 4   192.168.103.1    255.255.255.0
    All sites can be managed through the main site, but have their own DNS servers on location.
    My purpose is to point all computers and devices to a new DNS server from their previous static assignment. (XP and later versions)
    My question is can I use GP or DHCP* to push DNS server information to each device making them site specific without having to travel to those locations?
    Requirements:
    All devices on 10.1.1.1 will be changing from 10.1.1.2 to 10.1.1.4 (decom of old 2k3 server)
    DNS servers at each 192 location will need to point secondary server to 10.1.1.4
    Devices at main will need to use 10.1.1.4 as primary and 10.1.1.3 as secondary.
    Devices at each site will need to keep their respective DNS server.
    *If I use DHCP to change the information on a per scope level, can I use GP to force computers with locally set static assignments to update to DHCP static assignments
    Bonus: If anyone can give me an estimate on how much network traffic/bandwidth this would create that would be great because I would consider staggering the assignments as I am a 24 hour business.

    Hi,
    You may configure a Scheduled Task item in Group Policy.
    To create a new Scheduled Task preference item, please follow the steps below:
    1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
    2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.
    3. Right-click the Scheduled Tasks node, point to New, and select Scheduled Task.
    4. In the New Scheduled Task Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)
    5. On the Task tab, enter task settings for Group Policy to configure or remove. (For more information, see "Task settings" in this topic.)
    6. If creating, updating, or replacing a task:
       - Click the Schedule tab, and configure one or more schedules for the task. (For more information, see "Schedule settings" in this topic.)
       - Click the Settings tab, and enter any additional task settings for Group Policy to configure. (For more information, see "Other scheduled task settings" in this topic.)
    7. Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.)
    8. Click OK. The new preference item appears in the details pane.
    In the task, you may use netsh to set the DNS address:
    netsh interface ip set dns name="Local Area Connection" static yourdnssetting
    Here is an article about the netsh command:
    http://technet.microsoft.com/en-us/library/cc738592(v=WS.10).aspx#BKMK_5
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • How to setup an ikev2 VPN with public key authentica​tion with your BB10 device

    This setup will allow you to run a VPN between your BB10.2 (and probably BB10.1) device and a debian linux computer (I am running the testing stream).  You will need to tweak this config (and possibly install strongswan server on your LAN's gateway) to get access to network resources, or access the internet via the VPN.  I have created this setup with the intention of accessing files/services on the debian computer only.
    1.  Install strongswan on your debian machine(I have v4.6.4 installed, I think the current testing version is v5.1.  If you install v5+, some lines in the config may be obsolete), and install any other extra packages you are prompted to install: 
    apt-get install strongswan strongswan-ikev1 strongswan-ikev2 strongswan-starter openssl ipsec-tools
    2.  Generate certificates on your debian server in any, starting with a certificate authority.  Edit the C= O= CN= fields to whatever you want:
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=Certificate-Auth" --san="Certificate-Auth" --ca --outform pem > caCert.pem
    Generate a server keypair (again, editing the same fields as I indicated above.  The CN= field should be lan ip address of your strongswan server.  I would also put this as the address in --san=, or you can specify your hostname(if you have one, i.e. mydomainname.com):
    ipsec pki --gen --outform pem > serverKey.pem
    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=192.168.1.100" --san="192.168.1.100" --flag serverAuth --outform pem > serverCert.pem
    Generate a keypair for your BB10 device (choose a CN=, and use it in the --san field @your server lan ip or hostname:
    ipsec pki --gen --outform pem > userKey.pem
    ipsec pki --pub --in userKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=bb10" --san "[email protected]"  --flag serverAuth --outform pem > userCert.pem
    3.  After generating your keys, package the client keys for your BB10 device(you will be asked to create a password): openssl pkcs12 -export -in userCert.pem -inkey userKey.pem -out bb10.pfx
    Copy the bb10.pfx file, and serverCert.pem to your BB10 device and import the certificates into the certificate store(Open Settings --> Security and Privacy --> Certificates --> Import)
    4. Move the certificates into the appropriate folders on your debian server: 
    mv caKey.pem /etc/ipsec.d/private
    mv caCert.pem /etc/ipsec.d/cacerts
    mv serverKey.pem /etc/ipsec.d/private
    mv serverCert.pem /etc/ipsec.d/certs
    5. Enable ip forwarding on your debian machine:
    edit /etc/sysctl.conf - change the following value as follows:
    net.ipv4.ip_forward=1
    Close the file and save changes.  To enable changes, type:  sysctl -p /etc/sysctl.conf
    6.  Edit config files:
    ipsec.secrets:
    : RSA serverKey.pem
    ipsec.conf:
    config setup
            strictcrlpolicy=no
            uniqueids=yes
    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            keyexchange=ikev2
            leftfirewall=yes
            dpddelay=30
            dpdtimeout=120
            dpdaction=clear
    conn bb10
            mobike=yes
            ike=aes256-sha1-sha1-modp1024!
            esp=aes256-sha1!
            left=%defaultroute
            leftid="C=CA, O=none, CN=192.168.1.100"
            leftcert=serverCert.pem
            right=%any
            rightsourceip=10.10.0.1
            rightid="C=CA, O=none, CN=bb10"
            rightauth=pubkey
            leftauth=pubkey
            pfs=yes
            auto=add
    7. Start the ipsec service on your debian machine: service ipsec stop; service ipsec start
    8. Set up the VPN connection on your blackberry: Settings -->Network Connections --> VPN --> Add.
    a) Profile Name:  Give your VPN a name
    b) Server Address:  Enter your server's address
    c) Gateway Type: Generic IKEv2 VPN Server
    d) Authentication Type: PKI
    e) Authentication ID Type:  Identity Certificate Distinguished Name
    f) Client Certificate: The client certificate you imported should show up in the dropdown
    g) Gateway Auth Type: PKI
    h) Gateway Auth ID Type: Identity Certificate Distinguished Name
    i) Gateway CA Certificate:  Find the certificate authority you imported.  If you used the same name as I did above when creating the certificate, it will be called "Certificate-Auth".
    j) Perfect forward secrecy : ON
    k) Change IKE Lifetime to 3600
    l) Change IPSEC lifetime to 1200
    You can leave everything else on default settings.  Save your VPN profile.
    9. Connect to your VPN.  You should now be able to ping both ways between your blackberry and debian host.  Using the above configuration, your blackberry device will have the ip address of 10.10.0.1.

    There have been numerous bb10 updates (now 10.2.1.2977) since I first posted this mini how-to. I am not sure if it was the bb10 updates, or updates to strongswan (now v5.2.0) or my linux kernel (v3.15.3), but I am now able to use a stronger hash and elliptic curve key exchange.  I am using sha384 in my example, though I have also got it working with sha512.  Give it a try:
    Simply use the same process I detailed before, though change the following lines in ipsec.conf:
    ike=aes256-sha1-sha1-modp1024!
    esp=aes256-sha1!
    to
    ike=aes256-sha384-ecp521
    esp=aes256-sha384-ecp521
    Be sure to restart strongswan after you change these lines in the config.
    After this is done, change 'Automatically determine algorithm' to off in the VPN profile settings of your VPN connection profile on your blackberry.  I'm not sure why it doesn't work automatically.  State the following in this section:
    IKE DH Group:  21
    IKE Cipher: AES (256-bit key)
    IKE Hash: SHA384
    IKE PRF: HMAC-SHA384
    IPSec DH Group: 21
    IPSec Cipher: AES (256-bit key)
    IPSec Hash: SHA384
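    An added checker for the two ipsec.conf versions in this thread (my own code, not from the post or from strongSwan): it parses the conn, flags the modp1024/SHA-1 proposals that the update replaces, warns where pfs=yes is set without a DH group in esp=, and translates the proposals into the manual BB10 profile values the second post lists (DH group 21 = ecp521). It assumes one proposal per ike=/esp= line and works on a constructed copy of the relevant config lines.

```python
import re

# strongSwan proposal keywords -> IANA IKEv2 DH group numbers (subset). The post's
# configs use modp1024 (group 2) and ecp521, which the BB10 profile calls group 21.
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}
WEAK_DH = {"modp1024", "modp1536"}   # below 2048-bit MODP
WEAK_HASH = {"md5", "sha1"}          # integrity / PRF algorithms to retire

# Constructed copy of the conn-relevant lines of the post's ipsec.conf.
ORIGINAL_CONF = """\
conn %default
        keyexchange=ikev2
        leftfirewall=yes
conn bb10
        ike=aes256-sha1-sha1-modp1024!
        esp=aes256-sha1!
        leftid="C=CA, O=none, CN=192.168.1.100"
        right=%any
        rightsourceip=10.10.0.1
        rightid="C=CA, O=none, CN=bb10"
        rightauth=pubkey
        leftauth=pubkey
        pfs=yes
"""
# The update post swaps only the two proposal lines.
UPDATED_CONF = ORIGINAL_CONF.replace(
    "ike=aes256-sha1-sha1-modp1024!", "ike=aes256-sha384-ecp521").replace(
    "esp=aes256-sha1!", "esp=aes256-sha384-ecp521")

def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Section headers ('conn bb10') start in
    column 0; settings are indented key=value lines; '#' comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            sections[current] = {}
        elif current and "=" in raw:
            key, _, value = raw.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def conn_settings(sections, name):
    """Effective settings of one conn: 'conn %default' overridden by the conn."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get("conn " + name, {}))
    return merged

def parse_proposal(proposal):
    """Split e.g. 'aes256-sha1-sha1-modp1024!' into encryption, hash tokens
    (integrity, plus an optional explicit IKE PRF), DH group and strict flag.
    Assumes a single proposal (no ','-separated alternatives)."""
    strict = proposal.endswith("!")
    tokens = proposal.rstrip("!").split("-")
    dh = tokens[-1] if tokens[-1] in DH_GROUPS else None
    hashes = tokens[1:-1] if dh else tokens[1:]
    return {"enc": tokens[0], "hashes": hashes, "dh": dh, "strict": strict}

def lint_conn(conn):
    """Findings for the ike=/esp= proposals of one conn (empty list = clean)."""
    findings = []
    ike, esp = parse_proposal(conn.get("ike", "")), parse_proposal(conn.get("esp", ""))
    for label, prop in (("ike", ike), ("esp", esp)):
        if prop["dh"] in WEAK_DH:
            findings.append(f"{label}: DH group {prop['dh']} is below 2048-bit MODP")
        for h in prop["hashes"]:
            if h in WEAK_HASH:
                findings.append(f"{label}: {h} integrity/PRF should be retired")
    if conn.get("pfs") == "yes" and esp["dh"] is None:
        findings.append("pfs=yes but esp= has no DH group; strongSwan 5 (charon) "
                        "ignores pfs= and takes PFS from the esp proposal")
    if not (ike["strict"] and esp["strict"]):
        findings.append("proposal lacks trailing '!': strongSwan also offers "
                        "its built-in default proposals to the peer")
    return findings

def bb10_profile(conn):
    """Values for the BB10 VPN profile when 'Automatically determine algorithm'
    is off (field names as listed in the update post)."""
    ike, esp = parse_proposal(conn["ike"]), parse_proposal(conn["esp"])
    def cipher(enc):  # 'aes256' -> 'AES (256-bit key)'
        bits = re.search(r"\d+$", enc)
        return f"AES ({bits.group()}-bit key)" if bits else enc.upper()
    return {"IKE DH Group": DH_GROUPS.get(ike["dh"]),
            "IKE Cipher": cipher(ike["enc"]),
            "IKE Hash": ike["hashes"][0].upper(),
            "IKE PRF": "HMAC-" + ike["hashes"][-1].upper(),  # explicit PRF, else integrity
            "IPSec DH Group": DH_GROUPS.get(esp["dh"]),
            "IPSec Cipher": cipher(esp["enc"]),
            "IPSec Hash": esp["hashes"][0].upper()}

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONF), ("updated", UPDATED_CONF)):
        conn = conn_settings(parse_ipsec_conf(text), "bb10")
        print(label, lint_conn(conn), bb10_profile(conn), sep="\n  ")
```

    Run against the updated config the only remaining finding is the missing "!" suffix, which the original config had and the update drops.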
