Hi, I'm wondering if anyone has had any experience with VPN and Android 4.4??
I used to use OpenVPN with versions 4.1 through 4.3; however, 4.4 apparently broke the tun interface so the app doesn't work now. As I need VPN access I configured ipsec and npppd; however, I keep getting these errors when trying to establish a connection:

    responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 2.2.2.2, responder id 1.1.1.1
    dropped message from 2.2.2.2 port 500 due to notification type INVALID_ID_INFORMATION

<ok my IP range is different but the error still stands where phone is 2.2.2.2 and OpenBSD IP is 1.1.1.1>

On the Droid I set up L2TP/IPsec PSK with server address and IPSec PSK, and my npppd credentials.

The config I have is standard:

ipsec.conf:

    ike passive esp transport \
        proto udp from any to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp1024 \
        quick auth "hmac-sha1" enc "aes" \
        psk "some_key"

npppd.conf:

    # $OpenBSD: npppd.conf,v 1.2 2014/03/22 04:32:39 yasuoka Exp $
    # sample npppd configuration file. see npppd.conf(5)

    authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
    }
    #authentication RADIUS type radius {
    #    authentication-server {
    #        address 192.168.0.1 secret "hogehoge"
    #    }
    #    accounting-server {
    #        address 192.168.0.1 secret "hogehoge"
    #    }
    #}

    tunnel L2TP protocol l2tp {
        listen on 0.0.0.0
        listen on ::
    }

    ipcp IPCP {
        pool-address <vpn_ip_pool>
        dns-servers <dns_pool>
    }

    # I elected to go with Tun interface over Pipex
    # use tun(4) interface. multiple ppp sessions concentrate one interface.
    interface tun1 address <ip> ipcp IPCP
    bind tunnel from L2TP authenticated by LOCAL to tun1

/etc/hostname.tun1

    up

Looking through the @Misc archive I found a similar issue:

http://permalink.gmane.org/gmane.os.openbsd.misc/202338

which also incorporates (I assume) a working config, very similar to my own.
My version of OpenBSD is: 5.5 GENERIC.MP#50 amd64 (Current as of a few days ago)

The Phase 2 ID issues usually happen when the device's remote and local IP addresses aren't what the system is expecting; however, I have configured this to "any"...

I do recall a separate issue I had when configuring an IPSEC/GRE site-to-site tunnel with Ciscos where I had to specifically set:

    ike esp from 0.0.0.0/0 to 0.0.0.0/0 peer <ip_address>

and then configure hostname.greX accordingly.

Even using the Pipex interface:

    #interface pppx0 address <vpn_ip> ipcp IPCP
    #bind tunnel from L2TP authenticated by LOCAL to pppx0

as a test I still get the same error... of Invalid Phase 2 IDs.

I have analyzed /var/log/messages, which gives the above output, and in addition done a tcpdump -eni (IF) -vvv host (IP) to see what was going on but found nothing substantial...

npppd output:

    npppd[10593]: l2tpd ctrl=9 logtype=Started RecvSCCRQ from=2.2.2.2:46783/udp tunnel_id=9/30318 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
    npppd[10593]: l2tpd ctrl=9 timeout waiting ack for ctrl packets.
    npppd[10593]: l2tpd ctrl=9 logtype=Finished

Could this be a bug with Android 4.4 or is it simply something misconfigured on my behalf?

...oh and my handset is rooted so I don't know if that makes a difference?

Thanks.

Kaya