[strongSwan-dev] Regression in latest version of android client
Alexander Sbitnev
alexander.sbitnev at gmail.com
Sat Nov 15 21:47:08 CET 2014
Just recently I found there is a new version of the Android client released
by Tobias.
It really fixes some problems with version 1.4.0's inability to
handle certificate-based auth in IKEv1 mode (manually forced by me in the
source code).
At the same time I've found a new issue (affecting both standard IKEv2 and
my custom IKEv1 modes). Negotiation itself is working like a charm.
But after phase 1 and 2, there is a problem with the virtual tunnel setup.
The tunnel interface itself comes up with the correct IP address.
But there is no route, and judging from the log, iptables rules also failed to
be installed.
My test system is an Android 5.0 x86 emulator, and the 1.4.0 client works fine
in the same environment. So I suppose the possible regression is in new code.
I will try to investigate this problem in detail. Just reporting it first.
Down below is the relevant log part (at least I hope so) and some diagnostics:
root at generic_x86:/ # /data/busybox ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc pfifo_fast
qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
inet6 fe80::5054:ff:fe12:3456/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast qlen 500
link/[65534]
inet 192.168.254.157/32 scope global tun0
root at generic_x86:/ # /data/busybox ip route
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0 src 10.0.2.15
root at generic_x86:/ #
I/charon ( 2345): 12[IKE] installing new virtual IP 192.168.254.157
I/charon ( 2345): 12[IKE] CHILD_SA android{1} established with SPIs
58f4271c_i f3bf9919_o and TS 192.168.254.157/32 === 0.0.0.0/0
I/charon ( 2345): 12[DMN] setting up TUN device for CHILD_SA android{1}
D/Vpn ( 1116): setting state=CONNECTING, reason=establish
D/VpnJni ( 1116): Address added on tun0: 192.168.254.157/32
D/ConnectivityService( 1116): registerNetworkAgent NetworkAgentInfo{
ni{[type: VPN[], state: CONNECTED/CONNECTED, reason: (unspecified),
extra: (none), roaming: false, failover: false, isAvailable: true,
isConnectedToProvisioningNetwork: false]} network{null}
lp{{InterfaceName: tun0 LinkAddresses: [192.168.254.157/32,] Routes:
[0.0.0.0/1 -> 0.0.0.0 tun0,128.0.0.0/1 -> 0.0.0.0 tun0,::/0
unreachable,] DnsAddresses: [] Domains: MTU: 0}} nc{[ Transports: VPN
Capabilities: NOT_RESTRICTED&TRUSTED]} Score{0} validated{false}
created{false} explicitlySelected{false} }
I/Vpn ( 1116): Established by org.strongswan.android on tun0
D/ConnectivityService( 1116): NetworkAgentInfo [VPN () - 102]
EVENT_NETWORK_INFO_CHANGED, going from null to CONNECTED
I/charon ( 2345): 12[DMN] successfully created TUN device
I/charon ( 2345): 12[IKE] received AUTH_LIFETIME of 3414s, scheduling
reauthentication in 2814s
I/charon ( 2345): 12[IKE] peer supports MOBIKE
D/ConnectivityService( 1116): Adding iface tun0 to network 102
W/iptables( 2396): type=1400 audit(0.0:29): avc: denied { module_request
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:30): avc: denied { module_request
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:31): avc: denied { module_request
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:32): avc: denied { module_request
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:33): avc: denied { module_request
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0
tclass=system permissive=0
I/iptables( 944): iptables: No chain/target/match by that name.
I/iptables( 944): iptables terminated by exit(1)
E/Netd ( 944): exec() res=0, status=256 for /system/bin/iptables -t
mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
W/ip6tables( 2397): type=1400 audit(0.0:34): avc: denied {
module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0
tcontext=u:r:kernel:s0 tclass=system permissive=0
W/ip6tables( 2397): type=1400 audit(0.0:35): avc: denied {
module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0
tcontext=u:r:kernel:s0 tclass=system permissive=0
W/ip6tables( 2397): type=1400 audit(0.0:36): avc: denied {
module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0
tcontext=u:r:kernel:s0 tclass=system permissive=0
I/ip6tables( 944): ip6tables: No chain/target/match by that name.
W/InputMethodManagerService( 1116): Window already focused, ignoring
focus gain of:
com.android.internal.view.IInputMethodClient$Stub$Proxy at 3eff0931
attribute=null, token = android.os.BinderProxy at 2baf87bf
I/ip6tables( 944): ip6tables terminated by exit(1)
E/Netd ( 944): exec() res=0, status=256 for /system/bin/ip6tables -t
mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd ( 944): failed to change iptables rule that sets incoming
packet mark
E/Netd ( 944): failed to add interface tun0 to VPN netId 102
E/ConnectivityService( 1116): Exception adding interface:
java.lang.IllegalStateException: command '30 network interface add 102
tun0' failed with '400 30 addInterfaceToNetwork() failed (Remote I/O error)'
E/ConnectivityService( 1116): Unexpected mtu value: 0, tun0
D/ConnectivityService( 1116): Adding Route [0.0.0.0/1 -> 0.0.0.0 tun0]
to network 102
E/Netd ( 944): interface tun0 not assigned to any netId
E/ConnectivityService( 1116): Exception in addRoute for non-gateway:
java.lang.IllegalStateException: command '31 network route add 102 tun0
0.0.0.0/1' failed with '400 31 addRoute() failed (No such device)'
D/ConnectivityService( 1116): Adding Route [128.0.0.0/1 -> 0.0.0.0 tun0]
to network 102
E/Netd ( 944): interface tun0 not assigned to any netId
E/ConnectivityService( 1116): Exception in addRoute for non-gateway:
java.lang.IllegalStateException: command '32 network route add 102 tun0
128.0.0.0/1' failed with '400 32 addRoute() failed (No such device)'
D/ConnectivityService( 1116): Adding Route [::/0 unreachable] to network 102
E/Netd ( 944): interface tun0 not assigned to any netId
E/ConnectivityService( 1116): no dns provided for netId 102, so using
defaults
D/ConnectivityService( 1116): Setting Dns servers for network 102 to
[/8.8.8.8]
D/Nat464Xlat( 1116): requiresClat: netType=17, connected=true,
hasIPv4Address=true
D/ConnectivityService( 1116): notifyType IP_CHANGED for NetworkAgentInfo
[VPN () - 102]
D/ConnectivityService( 1116): notifyType PRECHECK for NetworkAgentInfo
[VPN () - 102]
D/ConnectivityService( 1116): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1116): notifyType AVAILABLE for NetworkAgentInfo
[VPN () - 102]
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116): DefaultState{
when=-1ms what=532481
target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116): Connected
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116):
EvaluatingState{ when=0 what=532486 arg1=1
target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116): Validated
D/ConnectivityManager.CallbackHandler( 1311): CM callback handler got
msg 524290
D/ConnectivityService( 1116): Validated NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1116): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1116): notifyType AVAILABLE for NetworkAgentInfo
[VPN () - 102]
D/ConnectivityManager.CallbackHandler( 1311): CM callback handler got
msg 524290
I/charon ( 2345): 14[IKE] sending keep alive to 192.168.100.1[4500]
I/charon ( 2345): 15[IKE] sending keep alive to 192.168.100.1[4500]
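As an added log-triage example (not part of the report above and not strongSwan code): a Python script that correlates the SELinux module_request denials for ipt_MARK/ip6t_MARK with the netd ip(6)tables exec failures and the failed attachment of tun0 to netId 102, run over constructed log lines modelled on the excerpt above with each wrapped audit record re-joined onto one line.

```python
import re
from collections import Counter

# Constructed sample: lines modelled on the logcat excerpt in the report above,
# with each wrapped audit record re-joined onto a single line.
SAMPLE_LOG = """\
W/iptables( 2396): type=1400 audit(0.0:29): avc: denied { module_request } for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:30): avc: denied { module_request } for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
I/iptables( 944): iptables: No chain/target/match by that name.
E/Netd ( 944): exec() res=0, status=256 for /system/bin/iptables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
W/ip6tables( 2397): type=1400 audit(0.0:34): avc: denied { module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
E/Netd ( 944): exec() res=0, status=256 for /system/bin/ip6tables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd ( 944): failed to add interface tun0 to VPN netId 102
"""

AVC_RE = re.compile(r'avc: denied \{ (?P<perm>[^}]+?) \} for kmod="(?P<kmod>[^"]+)"'
                    r' scontext=(?P<src>\S+) .*permissive=(?P<permissive>[01])')
EXEC_RE = re.compile(r'E/Netd.*status=(?P<status>\d+) for (?P<cmd>/system/bin/\S+ .*)$')
ATTACH_RE = re.compile(r'E/Netd.*failed to add interface (?P<iface>\S+) to VPN netId (?P<netid>\d+)')

def triage(log_text):
    """Correlate SELinux module-load denials with netd failures in a logcat dump.

    Returns the denied kernel modules (with the requesting SELinux domain), the
    netd commands that failed with their decoded exit codes, the interfaces that
    were never attached to a netId, and a one-line root-cause statement if the
    denial -> iptables failure -> attach failure chain is present."""
    denied, failed, unattached = Counter(), [], []
    domains = set()
    for line in log_text.splitlines():
        if m := AVC_RE.search(line):
            if m["perm"] == "module_request" and m["permissive"] == "0":
                denied[m["kmod"]] += 1
                domains.add(m["src"])
        elif m := EXEC_RE.search(line):
            # netd logs the raw wait status; the process exit code is its high byte
            failed.append({"cmd": m["cmd"], "exit_code": int(m["status"]) >> 8})
        elif m := ATTACH_RE.search(line):
            unattached.append((m["iface"], m["netid"]))
    root_cause = None
    if denied and failed and unattached:
        root_cause = ("SELinux (enforcing) denied module_request for %s from %s, so the MARK "
                      "target was unavailable, %d netd ip(6)tables command(s) exited %d and "
                      "interface %s was never attached to netId %s"
                      % (", ".join(sorted(denied)), ", ".join(sorted(domains)), len(failed),
                         failed[0]["exit_code"], unattached[0][0], unattached[0][1]))
    return {"denied_kmods": dict(denied), "domains": sorted(domains),
            "failed_commands": failed, "unattached": unattached, "root_cause": root_cause}
```

Feed it `adb logcat -d` output to get the same summary for a real capture; a dump with no avc denials yields `root_cause` of None, which separates this SELinux case from other reasons an interface fails to attach.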