benjarobbi / get-a-robot-vpnc

Automatically exported from code.google.com/p/get-a-robot-vpnc

"Failed to connect" on Nexus One with "tun: disabled P #71

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Root the phone (Nexus One).
2. Install tun.ko
(http://forum.xda-developers.com/showthread.php?p=5692491#post5692491)
3. Install and run VPN Connections 0.97
4. Create the connection.
5. Long-tap on connection and choose "Connect".

What is the expected output? What do you see instead?
I expect to be connected, and always see "failed to connect" instead.

What version of the product are you using? On what operating system?
VPN Connections 0.97 on Android 2.1 update 1.

Please provide any additional information below.
tun.ko is running (verified with lsmod)
"Failed to connect" appears pretty fast (<1 second).
"adb logcat" shows the following (on each connection attempt):
D/VPN_Connections( 4188): NetworkDatabase:singleNetwork - Start
D/su      ( 4428): 10069:10069 org.codeandroid.vpnc_frontend executing 0:0 sh
D/VPN_Connections( 4188): Enter IPSec gateway address:
D/VPN_Connections( 4188): IP <gateway IP>
D/VPN_Connections( 4188): Enter IPSec ID for <gateway IP>
D/VPN_Connections( 4188): group id: <group ID>
D/VPN_Connections( 4188): Enter IPSec secret for <group ID>@<gateway IP>:
D/VPN_Connections( 4188): group pwd <group password>
D/VPN_Connections( 4188): Enter username for <gateway IP>:
D/VPN_Connections( 4188): user <user ID>
D/VPN_Connections( 4188): Enter password for <user ID>@<gateway IP>:
D/VPN_Connections( 4188): password ********************
D/VPN_Connections( 4188): done interacting with vpnc
D/VPN_Connections( 4188): process stderr:
D/VPN_Connections( 4188):
D/VPN_Connections( 4188): Attempt to read vpnc process id did not return anything
D/VPN_Connections( 4188): process had died, return as failed connection

"adb shell dmesg" shows the following (on each connection attempt):
<6>[50470.478210] tun0: Disabled Privacy Extensions

Original issue reported on code.google.com by sparhome...@gmail.com on 8 Apr 2010 at 8:18

GoogleCodeExporter commented 9 years ago
Sorry for broken title and mistypes, pressed "Submit" too fast and unable to 
edit now...

Original comment by sparhome...@gmail.com on 8 Apr 2010 at 8:21

GoogleCodeExporter commented 9 years ago
It seems like vpnc is failing but it's odd that there is no feedback to tell us why.
You can make it super verbose by adding "--debug 99" as a vpnc flag when you press menu in the app.

Original comment by babak.mozaffari on 25 Apr 2010 at 7:39

GoogleCodeExporter commented 9 years ago
Hi Babak,

Thanks for the tip. In fact it didn't help (no additional information in the logs), however it put me on the long road of investigating the issue, and I finally was able to find out the problem reason. Things I found:
1. Root cause - I didn't have BusyBox, installing it fixes the issue.
2. If the BusyBox not installed, vpnc-script fails with "not found" for many commands (which, [, basename etc.). However this is not logged (even with --debug 99).
3. The homepage does not specifically state that BusyBox is a prereq ("ROM with root and tun support").

May I suggest to:
- add check in the code if the BusyBox is installed (I guess tun check is already performed).
- mention in the home page that BusyBox is required, ideally with a link to the install guide.
BTW, best BusyBox install guide that I found (short/concise/working download link) is:
http://de.codeplex.com/wikipage?title=How%20to%20Install%20busybox%20on%20a%20rooted%20device&referringTitle=Documentation

Original comment by sparhome...@gmail.com on 27 Apr 2010 at 6:18
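
A sketch of the BusyBox check suggested in the comment above, as an added example that is not from the original thread or the project's code. The function names are hypothetical and the command list is taken from the "not found" lines reported in this issue; the check walks the PATH directories itself so that a builtin in the checking shell cannot mask a missing binary.

```shell
#!/bin/sh
# Added example: preflight check for the external commands vpnc-script calls.
# The list comes from the "not found" lines reported in this issue.
# Assumption: the shell running the check has `test` built in.
VPNC_SCRIPT_TOOLS='uname basename grep which [ readlink sed dirname'

# find_in_path CMD PATHSTRING
# Prints the first executable file named CMD found in PATHSTRING and exits 0,
# else exits 1. Runs in a subshell so the IFS and globbing changes stay local.
find_in_path() (
    set -f
    IFS=:
    for dir in $2; do
        candidate="${dir:-.}/$1"
        if test -f "$candidate" && test -x "$candidate"; then
            printf '%s\n' "$candidate"
            exit 0
        fi
    done
    exit 1
)

# missing_tools PATHSTRING
# Prints the tools from VPNC_SCRIPT_TOOLS that PATHSTRING cannot resolve.
missing_tools() {
    missing=''
    for tool in $VPNC_SCRIPT_TOOLS; do
        find_in_path "$tool" "$1" >/dev/null || missing="$missing $tool"
    done
    printf '%s\n' "${missing# }"
}

# preflight PATHSTRING
# Returns 0 when every tool is present; otherwise logs the reason and returns 1.
preflight() {
    m=$(missing_tools "$1")
    if test -n "$m"; then
        echo "vpnc-script preflight: missing commands: $m (is BusyBox installed?)" >&2
        return 1
    fi
    return 0
}

# Usage before starting vpnc:  preflight "$PATH" || exit 1
```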

GoogleCodeExporter commented 9 years ago
Hi, sparhomenko,
I am glad it is working for you. I do have BusyBox 1.15.3. I can start up the terminal app on my N1 and type busybox and it prints supported commands. What version of busybox are you using?

Original comment by lakams...@gmail.com on 27 Apr 2010 at 7:33

GoogleCodeExporter commented 9 years ago
My version is 1.15.2, downloaded from the link in my previous comment.
If your problem is different, I would suggest the following procedure (which I used to find the reason for my problem):
1. Create a vpnc.conf file like the one I attached (make sure your line ends are Unix). You may need to append to it in case your gateway needs some additional parameters.
2. Upload the file to /data/data/org.codeandroid.vpnc_frontend/files/ (adb push vpnc.conf /data/data/org.codeandroid.vpnc_frontend/files/).
3. Open and close VPN Connections in app (just to ensure that tun.ko is loaded).
4. Open adb shell and run:
su
cd /data/data/org.codeandroid.vpnc_frontend/files/
./vpnc ./vpnc.conf
5. Watch for any helpful information in the output.

Original comment by sparhome...@gmail.com on 27 Apr 2010 at 8:36

GoogleCodeExporter commented 9 years ago
Here is my output from ./vpnc ./vpnc.conf. The real problem seems to be at the bottom of this log (after it says ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---).

I'm not sure about the initial errors about uname, basename etc. not being found. They are in my path. I removed identifying information from the logs in a couple of places.

-----
# ./vpnc ./vpnc.conf
Enter password for user@host.com: 

vpnc version ERSION
uname: not found
basename: not found
grep: not found
which: not found
grep: not found
which: not found
grep: not found
which: not found
[: not found
readlink: not found
[: not found
[: not found
IKE SA selected psk+xauth-3des-sha1
NAT status: this end behind NAT? YES -- remote end behind NAT? no
IKE SA selected psk+xauth-3des-sha1
NAT status: this end behind NAT? YES -- remote end behind NAT? no
Banner: Warning! Blah, blah

got address a.b.c.d 
uname: not found
basename: not found
grep: not found
which: not found
grep: not found
which: not found
grep: not found
which: not found
[: not found
[: not found
[: not found
[: not found
: permission denied
[: not found
sed: not found
Invalid argument
Invalid argument
[: not found
dirname: not found
grep: not found
/data/data/org.codeandroid.vpnc_frontend/files/vpnc-script: cannot create /def_route.txt: read-only file system
Invalid argument
Invalid argument
[: not found
vpnc-script ran to completion

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---

quick mode response rejected:  (ISAKMP_N_INVALID_PAYLOAD_TYPE)(1)
this means the concentrator did not like what we had to offer.
Possible reasons are:
  * concentrator configured to require a firewall
     this locks out even Cisco clients on any platform expect windows
     which is an obvious security improvment. There is no workaround (yet).
  * concentrator configured to require IP compression
     this is not yet supported by vpnc.
     Note: the Cisco Concentrator Documentation recommends against using
     compression, expect on low-bandwith (read: ISDN) links, because it
     uses much CPU-resources on the concentrator

Original comment by lakams...@gmail.com on 4 May 2010 at 2:54

GoogleCodeExporter commented 9 years ago
I re-installed busybox. After that the initial set of errors (uname: not found etc.) went away but the main error remains. I have no problem connecting to this Cisco VPN server using vpnc 0.5.3 from Ubuntu 9.10 Karmic Koala using same vpn.conf with a change to the Script path to point to /etc/vpnc/vpnc.script on Linux.

------
Enter password for user@host.com: 

vpnc version ERSION
IKE SA selected psk+xauth-3des-sha1
NAT status: this end behind NAT? YES -- remote end behind NAT? no
Banner: Warning! Blah, blah

got address a.b.c.d
Connect Banner:
| Warning! Blah, blah

backing up dns and resolve.conf
cp: cannot stat '/etc/resolv.conf': No such file or directory
vpnc-script ran to completion

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---

quick mode response rejected:  (ISAKMP_N_INVALID_PAYLOAD_TYPE)(1)
this means the concentrator did not like what we had to offer.
Possible reasons are:
  * concentrator configured to require a firewall
     this locks out even Cisco clients on any platform expect windows
     which is an obvious security improvment. There is no workaround (yet).
  * concentrator configured to require IP compression
     this is not yet supported by vpnc.
     Note: the Cisco Concentrator Documentation recommends against using
     compression, expect on low-bandwith (read: ISDN) links, because it
     uses much CPU-resources on the concentrator 

Original comment by lakams...@gmail.com on 4 May 2010 at 3:38

GoogleCodeExporter commented 9 years ago
It seems the vpnc error message is quite self-descriptive in your case:
Possible reasons are:
  * concentrator configured to require a firewall
     this locks out even Cisco clients on any platform expect windows
     which is an obvious security improvment. There is no workaround (yet).
  * concentrator configured to require IP compression
     this is not yet supported by vpnc.
     Note: the Cisco Concentrator Documentation recommends against using
     compression, expect on low-bandwith (read: ISDN) links, because it
     uses much CPU-resources on the concentrator 
Checking the settings / logs of your Cisco client on desktop you may be able to find which of these 2 is the reason in your case - firewall or IP compression. However, as vpnc states it does not support both, I'm not sure you'll be able to overcome this.

Original comment by sparhome...@gmail.com on 4 May 2010 at 9:54

GoogleCodeExporter commented 9 years ago
vpnc on a Linux desktop connects fine to this Cisco VPN server. The VPN software supplied with the iPhone 3GS has no problems connecting to the same Cisco VPN server. So I suspect the problem may have to do with either Android or the Android port of the VPNC software.

Original comment by lakams...@gmail.com on 10 May 2010 at 5:50

GoogleCodeExporter commented 9 years ago
Same issue here, Acer Liquid E, a little bit more in depth:

./vpnc --script vpnc-script --no-detach
Enter IPSec gateway address: <ip>
<ip>
Enter IPSec ID for <ip>: <id>
<id>
Enter IPSec secret for <group>@<ip>: <secret>

Enter username for <ip>: <user>
<user>
Enter password for <user>@<ip>m: <passwd>

vpnc-script: not found
can't initialise tunnel interface: Device or resource busy

Original comment by marcelom...@gmail.com on 5 Mar 2011 at 1:27