[strongSwan-dev] Problem with Android VPN Client on Motorola DROID RAZR running Android 4.1.2

Peck, Michael A mpeck at mitre.org
Sun Mar 31 05:47:18 CEST 2013


Hello,

When I install the Android VPN client from the Google Play Store on my Motorola DROID RAZR running Android 4.1.2, I'm able to successfully establish a VPN connection, but packets are not being received.  When I ping the other endpoint from the phone, no ping reply is received on the phone.  Sniffing on the other endpoint (I can't easily sniff on this phone), I see the ESP packet come in and an ESP packet go back out (presumably containing the ping request and ping reply).  This problem doesn't seem to occur on my Galaxy Nexus running a recent AOSP version.

I compiled from source and had the same problem --- but I had been using a previous version of strongSwan with no issues.

So I went through the git log trying different source code builds.
Eventually I traced the problem to commit 21dd4c4beab5b3e61dba28eedbc7aad375bdf0a3
i.e. if I check out master and run "git revert 21dd4c4beab5b3e61dba28eedbc7aad375bdf0a3", then build, the app works fine.
Any thoughts on the problem?

The log entry says:
commit 21dd4c4beab5b3e61dba28eedbc7aad375bdf0a3
Author: Martin Willi <martin at revosec.ch>
Date:   Fri Feb 22 14:55:03 2013 +0100

    Without MOBIKE, update remote host only if it is behind NAT

The source code diff:
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index ea15ff2..0157599 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -900,7 +900,7 @@ METHOD(ike_sa_t, update_hosts, void,
        else
        {
                /* update our address in any case */
-               if (!me->equals(me, this->my_host))
+               if (force && !me->equals(me, this->my_host))
                {
                        set_my_host(this, me->clone(me));
                        update = TRUE;
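Review bot: the retained comment "/* update our address in any case */" directly above the changed condition no longer matches the code, because the local address is now updated only when force is set. The commit subject mentions only the remote host, so either explain in the commit message why the local-host branch is gated on force as well, or drop this part of the change. If it stays, reword the comment to say that without force a changed local address is deliberately ignored here.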
@@ -909,7 +909,8 @@ METHOD(ike_sa_t, update_hosts, void,
                if (!other->equals(other, this->other_host))
                {
                        /* update others address if we are NOT NATed */
-                       if (force || !has_condition(this, COND_NAT_HERE))
+                       if ((has_condition(this, COND_NAT_THERE) &&
+                                !has_condition(this, COND_NAT_HERE)) || force )
                        {
                                set_other_host(this, other->clone(other));
                                update = TRUE;
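Review bot: the comment "/* update others address if we are NOT NATed */" above the new condition is out of date, because the non-forced path now also requires COND_NAT_THERE. Previously "!has_condition(this, COND_NAT_HERE)" alone was sufficient, so with force unset and no NAT detected on either side a changed remote address is no longer applied; document that this is intended and update the comment to describe both conditions. Style: remove the stray space before the closing parenthesis in "|| force )".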
