[strongSwan-dev] Regression in latest version of android client

Alexander Sbitnev alexander.sbitnev at gmail.com
Sat Nov 15 21:47:08 CET 2014


Just recently I found that there is a new version of the Android client released 
by Tobias.
It really fixes some problems with version 1.4.0's inability to 
handle certificate-based auth in IKEv1 mode (manually forced by me in 
the source code).
At the same time I've found a new issue (affecting both the standard IKEv2 and 
my custom IKEv1 modes). Negotiation itself works like a charm.
But after phase 1 and 2, there is a problem with the virtual tunnel setup. 
The tunnel interface itself comes up with the correct IP address.
But there is no route and, judging from the log, the iptables rules also failed to 
be installed.
My test system is an Android 5.0 x86 emulator, and the 1.4.0 client works fine 
in the same environment. So I suppose the possible regression is in the new code.
I will try to investigate this problem in detail. Just reporting it first.

Down below is the relevant log part (at least I hope so) and some diagnostics:

root at generic_x86:/ # /data/busybox ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc pfifo_fast 
qlen 1000
     link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
     inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
     inet6 fe80::5054:ff:fe12:3456/64 scope link
        valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
     link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast qlen 500
     link/[65534]
     inet 192.168.254.157/32 scope global tun0
root at generic_x86:/ # /data/busybox ip route
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0  src 10.0.2.15
root at generic_x86:/ #


I/charon  ( 2345): 12[IKE] installing new virtual IP 192.168.254.157
I/charon  ( 2345): 12[IKE] CHILD_SA android{1} established with SPIs 
58f4271c_i f3bf9919_o and TS 192.168.254.157/32 === 0.0.0.0/0
I/charon  ( 2345): 12[DMN] setting up TUN device for CHILD_SA android{1}
D/Vpn     ( 1116): setting state=CONNECTING, reason=establish
D/VpnJni  ( 1116): Address added on tun0: 192.168.254.157/32
D/ConnectivityService( 1116): registerNetworkAgent NetworkAgentInfo{ 
ni{[type: VPN[], state: CONNECTED/CONNECTED, reason: (unspecified), 
extra: (none), roaming: false, failover: false, isAvailable: true, 
isConnectedToProvisioningNetwork: false]}  network{null} 
lp{{InterfaceName: tun0 LinkAddresses: [192.168.254.157/32,] Routes: 
[0.0.0.0/1 -> 0.0.0.0 tun0,128.0.0.0/1 -> 0.0.0.0 tun0,::/0 
unreachable,] DnsAddresses: [] Domains:  MTU: 0}}  nc{[ Transports: VPN 
Capabilities: NOT_RESTRICTED&TRUSTED]}  Score{0} validated{false} 
created{false} explicitlySelected{false} }
I/Vpn     ( 1116): Established by org.strongswan.android on tun0
D/ConnectivityService( 1116): NetworkAgentInfo [VPN () - 102] 
EVENT_NETWORK_INFO_CHANGED, going from null to CONNECTED
I/charon  ( 2345): 12[DMN] successfully created TUN device
I/charon  ( 2345): 12[IKE] received AUTH_LIFETIME of 3414s, scheduling 
reauthentication in 2814s
I/charon  ( 2345): 12[IKE] peer supports MOBIKE
D/ConnectivityService( 1116): Adding iface tun0 to network 102
W/iptables( 2396): type=1400 audit(0.0:29): avc: denied { module_request 
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:30): avc: denied { module_request 
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:31): avc: denied { module_request 
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:32): avc: denied { module_request 
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 
tclass=system permissive=0
W/iptables( 2396): type=1400 audit(0.0:33): avc: denied { module_request 
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 
tclass=system permissive=0
I/iptables(  944): iptables: No chain/target/match by that name.
I/iptables(  944): iptables terminated by exit(1)
E/Netd    (  944): exec() res=0, status=256 for /system/bin/iptables -t 
mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
W/ip6tables( 2397): type=1400 audit(0.0:34): avc: denied { 
module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0 
tcontext=u:r:kernel:s0 tclass=system permissive=0
W/ip6tables( 2397): type=1400 audit(0.0:35): avc: denied { 
module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0 
tcontext=u:r:kernel:s0 tclass=system permissive=0
W/ip6tables( 2397): type=1400 audit(0.0:36): avc: denied { 
module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0 
tcontext=u:r:kernel:s0 tclass=system permissive=0
I/ip6tables(  944): ip6tables: No chain/target/match by that name.
W/InputMethodManagerService( 1116): Window already focused, ignoring 
focus gain of: 
com.android.internal.view.IInputMethodClient$Stub$Proxy at 3eff0931 
attribute=null, token = android.os.BinderProxy at 2baf87bf
I/ip6tables(  944): ip6tables terminated by exit(1)
E/Netd    (  944): exec() res=0, status=256 for /system/bin/ip6tables -t 
mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd    (  944): failed to change iptables rule that sets incoming 
packet mark
E/Netd    (  944): failed to add interface tun0 to VPN netId 102
E/ConnectivityService( 1116): Exception adding interface: 
java.lang.IllegalStateException: command '30 network interface add 102 
tun0' failed with '400 30 addInterfaceToNetwork() failed (Remote I/O error)'
E/ConnectivityService( 1116): Unexpected mtu value: 0, tun0
D/ConnectivityService( 1116): Adding Route [0.0.0.0/1 -> 0.0.0.0 tun0] 
to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1116): Exception in addRoute for non-gateway: 
java.lang.IllegalStateException: command '31 network route add 102 tun0 
0.0.0.0/1' failed with '400 31 addRoute() failed (No such device)'
D/ConnectivityService( 1116): Adding Route [128.0.0.0/1 -> 0.0.0.0 tun0] 
to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1116): Exception in addRoute for non-gateway: 
java.lang.IllegalStateException: command '32 network route add 102 tun0 
128.0.0.0/1' failed with '400 32 addRoute() failed (No such device)'
D/ConnectivityService( 1116): Adding Route [::/0 unreachable] to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1116): no dns provided for netId 102, so using 
defaults
D/ConnectivityService( 1116): Setting Dns servers for network 102 to 
[/8.8.8.8]
D/Nat464Xlat( 1116): requiresClat: netType=17, connected=true, 
hasIPv4Address=true
D/ConnectivityService( 1116): notifyType IP_CHANGED for NetworkAgentInfo 
[VPN () - 102]
D/ConnectivityService( 1116): notifyType PRECHECK for NetworkAgentInfo 
[VPN () - 102]
D/ConnectivityService( 1116): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1116): notifyType AVAILABLE for NetworkAgentInfo 
[VPN () - 102]
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116): DefaultState{ 
when=-1ms what=532481 
target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116): Connected
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116): 
EvaluatingState{ when=0 what=532486 arg1=1 
target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1116): Validated
D/ConnectivityManager.CallbackHandler( 1311): CM callback handler got 
msg 524290
D/ConnectivityService( 1116): Validated NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1116): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1116): notifyType AVAILABLE for NetworkAgentInfo 
[VPN () - 102]
D/ConnectivityManager.CallbackHandler( 1311): CM callback handler got 
msg 524290
I/charon  ( 2345): 14[IKE] sending keep alive to 192.168.100.1[4500]
I/charon  ( 2345): 15[IKE] sending keep alive to 192.168.100.1[4500]
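One way to triage this kind of logcat cascade, as an added example that is not part of the original post or of strongSwan's own code: it parses the SELinux module_request denials and netd's failed exec() lines, and ties each enforced denial to the iptables command it broke and the VPN interface netd consequently refused to add. The sample lines are constructed from the report above.

```python
import re

# Constructed sample, abridged from the logcat excerpt in the report above.
SAMPLE_LOG = """\
I/charon  ( 2345): 12[DMN] successfully created TUN device
W/iptables( 2396): type=1400 audit(0.0:29): avc: denied { module_request } for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
I/iptables(  944): iptables: No chain/target/match by that name.
E/Netd    (  944): exec() res=0, status=256 for /system/bin/iptables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
W/ip6tables( 2397): type=1400 audit(0.0:34): avc: denied { module_request } for kmod="ip6t_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
E/Netd    (  944): exec() res=0, status=256 for /system/bin/ip6tables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd    (  944): failed to add interface tun0 to VPN netId 102
"""

# Field patterns for the three line shapes the failure cascade is built from.
AVC_RE = re.compile(r'avc: denied \{ (?P<perm>[^}]+?) \} for kmod="(?P<kmod>[^"]+)" '
                    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=\S+ permissive=(?P<perm_mode>[01])')
EXEC_RE = re.compile(r'exec\(\) res=\d+, status=(?P<status>\d+) for (?P<cmd>\S*/(?P<tool>ip6?tables) .+)$')
ADDIF_RE = re.compile(r'failed to add interface (?P<iface>\S+) to VPN netId (?P<netid>\d+)')

def parse_logcat(text):
    """Extract SELinux module_request denials, failed netd exec()s and VPN netId failures."""
    denials, failed_cmds, failed_ifaces = [], [], []
    for line in text.splitlines():
        if (m := AVC_RE.search(line)):
            d = m.groupdict()
            d['enforcing'] = d.pop('perm_mode') == '0'   # permissive=0: the denial was enforced
            denials.append(d)
        elif (m := EXEC_RE.search(line)) and m['status'] != '0':
            failed_cmds.append((m['tool'], m['cmd']))
        elif (m := ADDIF_RE.search(line)):
            failed_ifaces.append((m['iface'], int(m['netid'])))
    return denials, failed_cmds, failed_ifaces

def diagnose(text):
    """Return one finding per enforced module_request denial, linking the denied kernel
    module to the iptables command that failed and the VPN interface that was lost."""
    denials, failed_cmds, failed_ifaces = parse_logcat(text)
    findings = []
    for d in denials:
        if d['perm'] != 'module_request' or not d['enforcing']:
            continue
        # kmod ipt_MARK / ip6t_MARK backs the MARK target; the prefix tells which tool needed it
        prefix, target = d['kmod'].split('_', 1)
        tool = 'iptables' if prefix == 'ipt' else 'ip6tables'
        broken = [cmd for t, cmd in failed_cmds if t == tool and f'-j {target}' in cmd]
        findings.append({'domain': d['scon'], 'kmod': d['kmod'], 'tool': tool,
                         'broken_cmds': broken, 'vpn_ifaces_lost': failed_ifaces})
    return findings
```

Running `diagnose` over a full logcat capture gives the defender a direct chain from the SELinux policy gap (netd not allowed to request ipt_MARK) to the missing VPN routes, rather than three unrelated-looking errors.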
