piccolo-dev / android_device_bq_piccolo

Android device configuration for the bq Aquaris M5

CM13 L2TP/IPSec PSK not working with Draytek Router #77

Closed e-alfred closed 8 years ago

e-alfred commented 8 years ago

Running the latest CM 13.0 release, a VPN connection with L2TP/IPSec PSK does not work. The same VPN runs fine with the older CM 12.1 release. Here is the log I got so far:

04-19 21:29:14.781  6097  6097 D racoon  : Waiting for control socket
04-19 21:29:14.840  6097  6097 D racoon  : Received 6 arguments
04-19 21:29:14.840  6097  6097 I racoon  : ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
04-19 21:29:14.867  6097  6097 I racoon  : 10.0.4.5[500] used as isakmp port (fd=6)
04-19 21:29:14.867  6097  6097 I racoon  : 10.0.4.5[500] used for NAT-T
04-19 21:29:14.868  6097  6097 I racoon  : 10.0.4.5[4500] used as isakmp port (fd=7)
04-19 21:29:14.868  6097  6097 I racoon  : 10.0.4.5[4500] used for NAT-T
04-19 21:29:15.337  6097  6097 I racoon  : IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
04-19 21:29:15.337  6097  6097 I racoon  : initiate new phase 1 negotiation: 10.0.4.5[500]<=>1.2.3.4[500]
04-19 21:29:15.337  6097  6097 I racoon  : begin Identity Protection mode.
04-19 21:29:15.452  6097  6097 I racoon  : received Vendor ID: DPD
04-19 21:29:15.452  6097  6097 I racoon  : received Vendor ID: RFC 3947
04-19 21:29:15.452  6097  6097 I racoon  : Selected NAT-T version: RFC 3947
04-19 21:29:15.483  6097  6097 I racoon  : Hashing 1.2.3.4[500] with algo #2 
04-19 21:29:15.483  6097  6097 I racoon  : Hashing 10.0.4.5[500] with algo #2 
04-19 21:29:15.483  6097  6097 I racoon  : Adding remote and local NAT-D payloads.
04-19 21:29:15.618  6097  6097 I racoon  : Hashing 10.0.4.5[500] with algo #2 
04-19 21:29:15.618  6097  6097 I racoon  : NAT-D payload #0 doesn't match
04-19 21:29:15.618  6097  6097 I racoon  : Hashing 1.2.3.4[500] with algo #2 
04-19 21:29:15.618  6097  6097 I racoon  : NAT-D payload #1 verified
04-19 21:29:15.618  6097  6097 I racoon  : NAT detected: ME 
04-19 21:29:15.618  6097  6097 I racoon  : KA list add: 10.0.4.5[4500]->1.2.3.4[4500]
04-19 21:29:15.778  6097  6097 W racoon  : ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
04-19 21:29:15.779  6097  6097 I racoon  : ISAKMP-SA established 10.0.4.5[4500]-1.2.3.4[4500] spi:5ff0e9c5793db581:69996d7f723ac5e2
04-19 21:29:16.781  6097  6097 I racoon  : initiate new phase 2 negotiation: 10.0.4.5[4500]<=>1.2.3.4[4500]
04-19 21:29:16.781  6097  6097 I racoon  : NAT detected -> UDP encapsulation (ENC_MODE 2->4).
04-19 21:29:16.872  6097  6097 I racoon  : ISAKMP-SA expired 10.0.4.5[4500]-1.2.3.4[4500] spi:5ff0e9c5793db581:69996d7f723ac5e2
04-19 21:29:19.002  5934  5934 W AutostartServic: type=1400 audit(0.0:64171): avc: denied { search } for name="6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:19.482  5859  5859 W Thread-240: type=1400 audit(0.0:64174): avc: denied { getattr } for path="/proc/6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:19.482  5859  5859 W Thread-240: type=1400 audit(0.0:64175): avc: denied { search } for name="6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:19.482  5859  5859 W Thread-240: type=1400 audit(0.0:64176): avc: denied { search } for name="6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:19.878  6097  6097 E racoon  : phase2 negotiation failed due to phase1 expired. 5ff0e9c5793db581:69996d7f723ac5e2:0000b6f4
04-19 21:29:20.880  6097  6097 I racoon  : ISAKMP-SA deleted 10.0.4.5[4500]-1.2.3.4[4500] spi:5ff0e9c5793db581:69996d7f723ac5e2
04-19 21:29:20.881  6097  6097 I racoon  : KA remove: 10.0.4.5[4500]->1.2.3.4[4500]
04-19 21:29:46.782  6097  6097 I racoon  : IPsec-SA expired: ESP/Transport 1.2.3.4[0]->10.0.4.5[0] spi=15940372(0xf33b14)
04-19 21:29:47.378  6097  6097 I racoon  : IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
04-19 21:29:47.378  6097  6097 I racoon  : initiate new phase 1 negotiation: 10.0.4.5[500]<=>1.2.3.4[500]
04-19 21:29:47.378  6097  6097 I racoon  : begin Identity Protection mode.
04-19 21:29:48.369  6097  6097 I racoon  : received Vendor ID: DPD
04-19 21:29:48.369  6097  6097 I racoon  : received Vendor ID: RFC 3947
04-19 21:29:48.369  6097  6097 I racoon  : Selected NAT-T version: RFC 3947
04-19 21:29:48.400  6097  6097 I racoon  : Hashing 1.2.3.4[500] with algo #2 
04-19 21:29:48.401  6097  6097 I racoon  : Hashing 10.0.4.5[500] with algo #2 
04-19 21:29:48.401  6097  6097 I racoon  : Adding remote and local NAT-D payloads.
04-19 21:29:48.585  6097  6097 I racoon  : Hashing 10.0.4.5[500] with algo #2 
04-19 21:29:48.585  6097  6097 I racoon  : NAT-D payload #0 doesn't match
04-19 21:29:48.585  6097  6097 I racoon  : Hashing 1.2.3.4[500] with algo #2 
04-19 21:29:48.585  6097  6097 I racoon  : NAT-D payload #1 verified
04-19 21:29:48.585  6097  6097 I racoon  : NAT detected: ME 
04-19 21:29:48.585  6097  6097 I racoon  : KA list add: 10.0.4.5[4500]->1.2.3.4[4500]
04-19 21:29:48.705  6097  6097 W racoon  : ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
04-19 21:29:48.705  6097  6097 I racoon  : ISAKMP-SA established 10.0.4.5[4500]-1.2.3.4[4500] spi:a09338214867fe1a:8435a2b152469a0a
04-19 21:29:49.707  6097  6097 I racoon  : initiate new phase 2 negotiation: 10.0.4.5[4500]<=>1.2.3.4[4500]
04-19 21:29:49.707  6097  6097 I racoon  : NAT detected -> UDP encapsulation (ENC_MODE 2->4).
04-19 21:29:49.797  6097  6097 I racoon  : ISAKMP-SA expired 10.0.4.5[4500]-1.2.3.4[4500] spi:a09338214867fe1a:8435a2b152469a0a
04-19 21:29:52.804  6097  6097 E racoon  : phase2 negotiation failed due to phase1 expired. a09338214867fe1a:8435a2b152469a0a:0000988c
04-19 21:29:53.806  6097  6097 I racoon  : ISAKMP-SA deleted 10.0.4.5[4500]-1.2.3.4[4500] spi:a09338214867fe1a:8435a2b152469a0a
04-19 21:29:53.806  6097  6097 I racoon  : KA remove: 10.0.4.5[4500]->1.2.3.4[4500]
04-19 21:30:14.708  6097  6097 I racoon  : Connection is closed
04-19 21:30:19.829  6097  6097 I racoon  : Bye

Kra1o5 commented 8 years ago

Thanks for the log. I will check that ASAP, but it seems to be a SELinux denial. Can you try with SELinux in permissive?
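
As an added example (not part of the original thread or the project's code), this script tallies the `avc: denied` records by source and target domain and measures how long each ISAKMP-SA lived, using lines copied from the log above. The year 2000 is a placeholder assumption, since logcat timestamps carry no year.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the log posted in this issue (only the ones parsed below).
LOG = """\
04-19 21:29:15.779  6097  6097 I racoon  : ISAKMP-SA established 10.0.4.5[4500]-1.2.3.4[4500] spi:5ff0e9c5793db581:69996d7f723ac5e2
04-19 21:29:16.872  6097  6097 I racoon  : ISAKMP-SA expired 10.0.4.5[4500]-1.2.3.4[4500] spi:5ff0e9c5793db581:69996d7f723ac5e2
04-19 21:29:19.002  5934  5934 W AutostartServic: type=1400 audit(0.0:64171): avc: denied { search } for name="6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:19.482  5859  5859 W Thread-240: type=1400 audit(0.0:64174): avc: denied { getattr } for path="/proc/6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:19.482  5859  5859 W Thread-240: type=1400 audit(0.0:64175): avc: denied { search } for name="6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:19.482  5859  5859 W Thread-240: type=1400 audit(0.0:64176): avc: denied { search } for name="6097" dev="proc" ino=6974652 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:racoon:s0 tclass=dir permissive=0
04-19 21:29:48.705  6097  6097 I racoon  : ISAKMP-SA established 10.0.4.5[4500]-1.2.3.4[4500] spi:a09338214867fe1a:8435a2b152469a0a
04-19 21:29:49.797  6097  6097 I racoon  : ISAKMP-SA expired 10.0.4.5[4500]-1.2.3.4[4500] spi:a09338214867fe1a:8435a2b152469a0a
"""

STAMP = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
AVC = re.compile(r"avc: denied \{ (?P<perms>[^}]*)\} .*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")
SA = re.compile(r"ISAKMP-SA (established|expired) \S+ spi:(\S+)")

def domain(ctx):  # u:r:untrusted_app:s0:c512,c768 -> untrusted_app
    return ctx.split(":")[2]

def avc_summary(log):
    """Count denials per (source domain, target domain, class, permission)."""
    counts = Counter()
    for m in AVC.finditer(log):
        for perm in m["perms"].split():
            counts[(domain(m["s"]), domain(m["t"]), m["c"], perm)] += 1
    return counts

def sa_lifetimes(log):
    """Seconds between 'established' and 'expired' for each ISAKMP-SA SPI pair."""
    born, life = {}, {}
    for line in log.splitlines():
        m = SA.search(line)
        if not m:
            continue
        # logcat omits the year; 2000 is a placeholder so the stamp parses.
        ts = datetime.strptime("2000-" + STAMP.match(line)[1], "%Y-%m-%d %H:%M:%S.%f")
        if m[1] == "established":
            born[m[2]] = ts
        elif m[2] in born:
            life[m[2]] = (ts - born[m[2]]).total_seconds()
    return life

if __name__ == "__main__":
    print(avc_summary(LOG))
    print(sa_lifetimes(LOG))
```

On these lines, every denial has source domain `untrusted_app` and target domain `racoon`, and both phase 1 SAs are logged as expired about 1.09 seconds after being established.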

e-alfred commented 8 years ago

No, it still doesn't work. I set "setenforce 0" in a terminal directly on the phone with root rights, "SELinux-status" says "moderate", but the connection still does not work.

e-alfred commented 8 years ago

I tried the last releases and it did not work with any of them. The router is definitely not an issue, because other Android phones with different (stock) versions from 4.2-5.1 work flawlessly.

cmorlok commented 8 years ago

If I remember correctly, Google (or CM?) replaced the VPN stack in M. It might be that your VPN is no longer supported and you'll have to switch to a third-party app. I have similar problems with my own router and OpenVPN. Could you send us a copy of your VPN config (of course without any secrets included)?

e-alfred commented 8 years ago

Well, L2TP/IPSEC PSK is still there in the VPN settings, the options are still there as well. I also tried the Draytek SSL VPN app and it does not work either on CM13.

Here is the upstream bug, not fixed by Google after almost half a year:

https://code.google.com/p/android/issues/detail?id=196939

stucki commented 8 years ago

This issue was moved to bq-dev/android_device_bq_piccolo#78