[strongSwan-dev] Problem with Android VPN Client on Motorola DROID RAZR running Android 4.1.2

Tobias Brunner tobias at strongswan.org
Tue Apr 16 15:18:58 CEST 2013

Hi Mike,

Thanks for the details.

>>> i.e. if I checkout master and run “git revert
>>> 21dd4c4beab5b3e61dba28eedbc7aad375bdf0a3”, then build, the app works
>>> fine.
>>> Any thoughts on the problem?
>> Could you check which of the two changes in the patch causes the issue?
> The first change is the one that causes the issue with the Android app.
> In src/libcharon/sa/ike_sa.c:
> This code segment works:
>                 /* update our address in any case */
>                 if (!me->equals(me, this->my_host))
>                 {
> ...
> This code segment doesn't work:
>                 /* update our address in any case */
>                 if (force && !me->equals(me, this->my_host))
> ...

I see.  The problem is in fact that multiple interfaces on your device
are up and have IP addresses installed on them.

> is the external interface (cellular data). Notice the
> "sending packet: from[38661]" - that is not the
> external interface.  I think it's one of the USB interfaces.
> is the external interface on the Android phone. Could
> that be part of the problem?  54.242.XXX.YY is the internet-facing IP
> of the gateway, but the gateway sees its own address as
> 10.214.xxx.yy.

The default network interface on Linux does a route lookup to determine
the proper source address.  On Android the kernel interface, so far,
simply determined the first usable IP address and returned that (i.e.
the first address on the first interface that's up and not 'lo' or a TUN
device).  This worked pretty well in my tests.  And before the above
commit it also worked in situations where the wrong IP was chosen at
first.  Because when charon later saw the correct IP when it received
the response from the gateway it was able to update the address.  With
the above commit this auto-fix is not happening anymore.

I now refactored the app so that it uses the kernel-netlink plugin with
its more complex route lookup/source address selection algorithm.  Could
you please try if the code in the android-kernel branch [1] fixes the
issue on your device?
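
The two source address strategies contrasted in the message above, as an added example that is not part of the original mail and is not strongSwan code. It is a simplified model: the interface names, addresses, routes and the gateway address 203.0.113.10 are constructed, and the real kernel-netlink selection is more involved than a longest-prefix match.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define N(a) (sizeof(a)/sizeof((a)[0]))
typedef struct { const char *name; uint32_t addr; int up; } iface_t;
typedef struct { uint32_t dst; int prefix; const char *dev; } route_t;

/* Constructed sample state: several interfaces are up at the same time. */
static const iface_t ifaces[] = {
    { "lo",     IP(127,0,0,1),      1 },
    { "usb0",   IP(192,168,42,129), 1 },  /* USB interface, enumerated first */
    { "rmnet0", IP(10,20,30,40),    1 },  /* cellular data, the external one */
    { "tun0",   IP(10,99,0,2),      1 },
};
static const route_t routes[] = {
    { IP(192,168,42,0), 24, "usb0" },
    { IP(0,0,0,0),       0, "rmnet0" },   /* default route */
};

/* Strategy 1: first address on the first interface that is up and is
 * neither 'lo' nor a TUN device. The destination is not considered. */
uint32_t first_usable_addr(void) {
    for (size_t i = 0; i < N(ifaces); i++)
        if (ifaces[i].up && strcmp(ifaces[i].name, "lo") != 0 &&
            strncmp(ifaces[i].name, "tun", 3) != 0)
            return ifaces[i].addr;
    return 0;
}

/* Strategy 2: longest-prefix route lookup for the destination, then the
 * address of the interface that route points to. Returns 0 if none. */
uint32_t route_lookup_addr(uint32_t dest) {
    const route_t *best = NULL;
    for (size_t i = 0; i < N(routes); i++) {
        uint32_t mask = routes[i].prefix ? ~(uint32_t)0 << (32 - routes[i].prefix) : 0;
        if ((dest & mask) == routes[i].dst && (!best || routes[i].prefix > best->prefix))
            best = &routes[i];
    }
    for (size_t i = 0; best && i < N(ifaces); i++)
        if (ifaces[i].up && strcmp(ifaces[i].name, best->dev) == 0)
            return ifaces[i].addr;
    return 0;
}

int main(void) {
    printf("first usable: %08x\n", (unsigned)first_usable_addr());
    printf("route lookup: %08x\n", (unsigned)route_lookup_addr(IP(203,0,113,10)));
    return 0;
}
```

With this sample state the first strategy returns the usb0 address for every destination, while the route lookup returns the rmnet0 address for the gateway.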


