[strongSwan-dev] Problem with Android VPN Client on Motorola DROID RAZR running Android 4.1.2

Peck, Michael A mpeck at mitre.org
Fri Apr 26 19:15:07 CEST 2013


Tobias,

Sorry for the slow response.  I just tried the code in the android-kernel branch, and it is working great.

Thanks,
Mike


>-----Original Message-----
>From: Tobias Brunner [mailto:tobias at strongswan.org]
>Sent: Tuesday, April 16, 2013 9:19 AM
>To: Peck, Michael A
>Cc: dev at lists.strongswan.org
>Subject: Re: [strongSwan-dev] Problem with Android VPN Client on Motorola
>DROID RAZR running Android 4.1.2
>
>Hi Mike,
>
>Thanks for the details.
>
>>>> i.e. if I checkout master and run “git revert
>>>> 21dd4c4beab5b3e61dba28eedbc7aad375bdf0a3”, then build, the app works
>>>> fine.
>>>>
>>>> Any thoughts on the problem?
>>>
>>> Could you check which of the two changes in the patch causes the issue?
>>
>> The first change is the one that causes the issue with the Android app.
>> In src/libcharon/sa/ike_sa.c:
>> This code segment works:
>>                 /* update our address in any case */
>>                 if (!me->equals(me, this->my_host))
>>                 {
>> ...
>> This code segment doesn't work:
>>                 /* update our address in any case */
>>                 if (force && !me->equals(me, this->my_host))
>> ...
>
>I see.  The problem is in fact that multiple interfaces on your device
>are up and have IP addresses installed on them.
>
>> 10.184.214.218 is the external interface (cellular data). Notice the
>> "sending packet: from 192.168.157.1[38661]" - that is not the
>> external interface.  I think it's one of the USB interfaces.
>> 10.184.214.218 is the external interface on the Android phone. Could
>> that be part of the problem?  54.242.XXX.YY is the internet-facing IP
>> of the gateway, but the gateway sees its own address as
>> 10.214.xxx.yy.
>
>The default network interface on Linux does a route lookup to determine
>the proper source address.  On Android the kernel interface, so far,
>simply determined the first usable IP address and returned that (i.e.
>the first address on the first interface that's up and not 'lo' or a TUN
>device).  This worked pretty well in my tests.  And before the above
>commit it also worked in situations where the wrong IP was chosen at
>first.  Because when charon later saw the correct IP when it received
>the response from the gateway it was able to update the address.  With
>the above commit this auto-fix is not happening anymore.
>
>I now refactored the app so that it uses the kernel-netlink plugin with
>its more complex route lookup/source address selection algorithm.  Could
>you please try if the code in the android-kernel branch [1] fixes the
>issue on your device?
>
>Thanks,
>Tobias
>
>[1]
>http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/android-kernel
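
Added example, not part of the original thread and not strongSwan code: a simplified comparison of the two source address selection strategies discussed above, "first usable address" versus a route lookup toward the gateway. The two phone addresses are taken from the thread; the interface names, prefix lengths, routing table and the gateway placeholder 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Constructed interface table, in enumeration order. The two addresses come
# from the thread; interface names and prefix lengths are assumptions.
INTERFACES = [
    {"name": "lo",     "up": True, "tun": False, "addr": "127.0.0.1/8"},
    {"name": "usb0",   "up": True, "tun": False, "addr": "192.168.157.1/24"},
    {"name": "rmnet0", "up": True, "tun": False, "addr": "10.184.214.218/30"},
    {"name": "tun0",   "up": True, "tun": True,  "addr": "10.10.0.2/32"},
]

# Constructed routing table: connected routes plus a default via cellular.
ROUTES = [
    ("192.168.157.0/24", "usb0"),
    ("10.184.214.216/30", "rmnet0"),
    ("0.0.0.0/0", "rmnet0"),
]

GATEWAY = "203.0.113.10"  # placeholder peer address (documentation range)


def first_usable_address(interfaces):
    """Old behaviour described in the thread: first address on the first
    interface that is up and is neither 'lo' nor a TUN device."""
    for iface in interfaces:
        if iface["up"] and iface["name"] != "lo" and not iface["tun"]:
            return str(ipaddress.ip_interface(iface["addr"]).ip)
    return None


def route_lookup_address(dest, routes, interfaces):
    """Simplified route lookup: longest-prefix match on the destination,
    then use the address of the interface that route points at."""
    dst = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in routes
               if dst in ipaddress.ip_network(net)]
    if not matches:
        return None
    _, dev = max(matches, key=lambda m: m[0].prefixlen)
    for iface in interfaces:
        if iface["name"] == dev and iface["up"]:
            return str(ipaddress.ip_interface(iface["addr"]).ip)
    return None


if __name__ == "__main__":
    print("first usable:", first_usable_address(INTERFACES))
    print("route lookup:", route_lookup_address(GATEWAY, ROUTES, INTERFACES))
```

With the USB interface enumerated before the cellular one, the first strategy returns the USB address seen in the "sending packet" log line, while the route lookup returns the cellular address.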

