[strongSwan-dev] Regression in latest version of android client

Alexander Sbitnev alexander.sbitnev at gmail.com
Thu Nov 27 11:57:29 CET 2014


   The only thing I can add right now is that it is not an SELinux limitation.
Turning it off helps with some iptables-related errors for me but still 
doesn't help with creating the tunnel interface.
A lot of mysteries there. I started the client from Eclipse and got an error 
like yours, and the client reported an error.
After that I restarted the emulator, manually started the client from Android 
itself and got a different kind of errors.

I/charon  ( 2061): 07[IKE] CHILD_SA android{1} established with SPIs 
feb7a1c0_i f5ab1d86_o and TS 192.168.254.195/32 === 0.0.0.0/0
I/charon  ( 2061): 07[DMN] setting up TUN device for CHILD_SA android{1}
D/Vpn     ( 1140): setting state=CONNECTING, reason=establish
D/VpnJni  ( 1140): Address added on tun0: 192.168.254.195/32
D/ConnectivityService( 1140): registerNetworkAgent NetworkAgentInfo{ 
ni{[type: VPN[], state: CONNECTED/CONNECTED, reason: (unspecified), 
extra: (none), roaming: false, failover: false, isAvailable: true, 
isConnectedToProvisioningNetwork: false]}  network{null}  
lp{{InterfaceName: tun0 LinkAddresses: [192.168.254.195/32,]  Routes: 
[0.0.0.0/1 -> 0.0.0.0 tun0,128.0.0.0/1 -> 0.0.0.0 tun0,::/0 
unreachable,] DnsAddresses: [] Domains:  MTU: 0}}  nc{[ Transports: VPN 
Capabilities: NOT_RESTRICTED&TRUSTED]}  Score{0} validated{false} 
created{false} explicitlySelected{false} }
I/Vpn     ( 1140): Established by org.strongswan.android on tun0
D/ConnectivityService( 1140): NetworkAgentInfo [VPN () - 102] 
EVENT_NETWORK_INFO_CHANGED, going from null to CONNECTED
I/charon  ( 2061): 07[DMN] successfully created TUN device
I/charon  ( 2061): 07[ENC] generating QUICK_MODE request 1314563190 [ HASH ]
I/charon  ( 2061): 07[NET] sending packet: from 10.0.2.15[51378] to 
192.168.100.1[4500] (60 bytes)
D/ConnectivityService( 1140): Adding iface tun0 to network 102
I/iptables( 2100): type=1400 audit(0.0:30): avc: denied { module_request 
} for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 
tclass=system permissive=1
I/iptables(  944): iptables: No chain/target/match by that name.
I/iptables(  944): iptables terminated by exit(1)
E/Netd    (  944): exec() res=0, status=256 for /system/bin/iptables -t 
mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
I/ip6tables(  944): ip6tables: No chain/target/match by that name.
I/ip6tables(  944): ip6tables terminated by exit(1)
E/Netd    (  944): exec() res=0, status=256 for /system/bin/ip6tables -t 
mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd    (  944): failed to change iptables rule that sets incoming 
packet mark
E/Netd    (  944): failed to add interface tun0 to VPN netId 102
E/ConnectivityService( 1140): Exception adding interface: 
java.lang.IllegalStateException: command '27 network interface add 102 
tun0' failed with '400 27 addInterfaceToNetwork() failed (Remote I/O error)'
E/ConnectivityService( 1140): Unexpected mtu value: 0, tun0
D/ConnectivityService( 1140): Adding Route [0.0.0.0/1 -> 0.0.0.0 tun0] 
to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1140): Exception in addRoute for non-gateway: 
java.lang.IllegalStateException: command '28 network route add 102 tun0 
0.0.0.0/1' failed with '400 28 addRoute() failed (No such device)'
D/ConnectivityService( 1140): Adding Route [128.0.0.0/1 -> 0.0.0.0 tun0] 
to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1140): Exception in addRoute for non-gateway: 
java.lang.IllegalStateException: command '29 network route add 102 tun0 
128.0.0.0/1' failed with '400 29 addRoute() failed (No such device)'
D/ConnectivityService( 1140): Adding Route [::/0 unreachable] to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1140): no dns provided for netId 102, so using 
defaults
D/ConnectivityService( 1140): Setting Dns servers for network 102 to 
[/8.8.8.8]
D/Nat464Xlat( 1140): requiresClat: netType=17, connected=true, 
hasIPv4Address=true
D/ConnectivityService( 1140): notifyType IP_CHANGED for NetworkAgentInfo 
[VPN () - 102]
D/ConnectivityService( 1140): notifyType PRECHECK for NetworkAgentInfo 
[VPN () - 102]
D/ConnectivityService( 1140): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): notifyType AVAILABLE for NetworkAgentInfo 
[VPN () - 102]
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): DefaultState{ 
when=0 what=532481 target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): Connected
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): 
EvaluatingState{ when=0 what=532486 arg1=1 
target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): Validated
D/ConnectivityManager.CallbackHandler( 1314): CM callback handler got 
msg 524290
D/ConnectivityService( 1140): Validated NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): notifyType AVAILABLE for NetworkAgentInfo 
[VPN () - 102]

Errors like in my first message. And the client turns green as if everything 
is OK with the tunnel.
The tunnel interface itself is actually created. The routes are the ones that 
failed to install.
I tried to create the routes manually with "ip route" from busybox and it 
works.

root at generic_x86:/data # ./busybox ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc pfifo_fast 
qlen 1000
     link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
     inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
     inet6 fe80::5054:ff:fe12:3456/64 scope link
        valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
     link/sit 0.0.0.0 brd 0.0.0.0
4: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast qlen 500
     link/[65534]
     inet 192.168.254.195/32 scope global tun0
root at generic_x86:/data # ./busybox ip route
0.0.0.0/1 dev tun0
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0  src 10.0.2.15
128.0.0.0/1 dev tun0
root at generic_x86:/data # ./busybox ip route add 192.168.100.1 via 
10.0.2.2 dev eth0
root at generic_x86:/data # ./busybox ip route add 128.0.0.0/1 dev tun0
root at generic_x86:/data # ./busybox ip route add 0.0.0.0/1 dev tun0
root at generic_x86:/data # ./busybox ip route
0.0.0.0/1 dev tun0
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0  src 10.0.2.15
128.0.0.0/1 dev tun0
192.168.100.1 via 10.0.2.2 dev eth0
root at generic_x86:/data # ping 192.168.254.2
PING 192.168.254.2 (192.168.254.2) 56(84) bytes of data.
64 bytes from 192.168.254.2: icmp_seq=1 ttl=63 time=3.19 ms
64 bytes from 192.168.254.2: icmp_seq=2 ttl=63 time=4.19 ms
64 bytes from 192.168.254.2: icmp_seq=3 ttl=63 time=3.67 ms
64 bytes from 192.168.254.2: icmp_seq=4 ttl=63 time=3.09 ms

It looks like my emulator is missing some kernel modules. Actually I 
think it is missing all the modules; I can't find a single one of them.
Some of the iptables functionality is built into the kernel, but some other 
parts aren't.


On 11/26/2014 11:04 PM, Sam Johnson wrote:
> I have run into a similar situation while running 1.4 on Android 5.0. 
> I have it running on a physical device (nexus 4) and I run into an 
> error where it fails to build the tunnel:
>
>
> 11-26 15:02:14.772: I/charon(28997): 04[DMN] setting up TUN device for 
> CHILD_SA android{1}
> 11-26 15:02:14.799: I/charon(28997): 04[LIB] builder: failed to build 
> TUN device
> 11-26 15:02:14.799: I/charon(28997): 04[DMN] failed to setup TUN device
>
> It connects fine on my KitKat device but it seems that something must 
> have changed with Android 5.0. Any insight would be great. Would love 
> to help in any way I can to get this working.
>
> Best,
>
> Sam
>
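As an added example (not from this thread or the strongSwan project): a small Python checker that correlates the logcat lines quoted above, so that a client turning green is not mistaken for a working tunnel. The message patterns are derived only from the lines in this thread; the `usable` verdict is this example's own definition (CHILD_SA up, TUN created, interface joined the VPN netId, no route failures).

```python
import re

# Logcat excerpt taken from the emulator trace in this thread (wrapped lines re-joined).
SAMPLE_LOG = """\
I/charon  ( 2061): 07[IKE] CHILD_SA android{1} established with SPIs feb7a1c0_i f5ab1d86_o and TS 192.168.254.195/32 === 0.0.0.0/0
I/charon  ( 2061): 07[DMN] successfully created TUN device
I/iptables( 2100): type=1400 audit(0.0:30): avc: denied { module_request } for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
I/iptables(  944): iptables: No chain/target/match by that name.
E/Netd    (  944): exec() res=0, status=256 for /system/bin/iptables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd    (  944): failed to add interface tun0 to VPN netId 102
E/ConnectivityService( 1140): Exception in addRoute for non-gateway: java.lang.IllegalStateException: command '28 network route add 102 tun0 0.0.0.0/1' failed with '400 28 addRoute() failed (No such device)'
E/ConnectivityService( 1140): Exception in addRoute for non-gateway: java.lang.IllegalStateException: command '29 network route add 102 tun0 128.0.0.0/1' failed with '400 29 addRoute() failed (No such device)'
D/ConnectivityService( 1140): Validated NetworkAgentInfo [VPN () - 102]
"""

# "<prio>/<tag>( <pid>): <message>", logcat's default "brief" record format.
LINE_RE = re.compile(r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$")
FLAGS = {  # bring-up milestones: either seen or not
    "child_sa_established": re.compile(r"CHILD_SA \S+ established"),
    "tun_created": re.compile(r"successfully created TUN device"),
    "validated": re.compile(r"^Validated NetworkAgentInfo"),
}
KMOD_RE = re.compile(r'avc: denied \{ module_request \}.*kmod="([^"]+)"')
EXEC_RE = re.compile(r"exec\(\) res=\d+, status=(\d+) for (\S*ip6?tables .*)")
IFACE_RE = re.compile(r"failed to add interface (\S+) to VPN netId (\d+)")
ROUTE_RE = re.compile(r"network route add \d+ \S+ (\S+)' failed")

def assess_vpn_log(text):
    """Correlate the Android VPN bring-up steps in a logcat dump and report which failed."""
    r = {k: False for k in FLAGS}
    r.update(missing_kmods=[], failed_iptables=[], iface_not_in_netid=[], failed_routes=[])
    # Lines that are not logcat records (e.g. shell output) are skipped.
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        msg = m.group("msg")
        for key, pat in FLAGS.items():
            r[key] = r[key] or bool(pat.search(msg))
        if k := KMOD_RE.search(msg):            # kernel module netd asked for but could not load
            r["missing_kmods"].append(k.group(1))
        if (e := EXEC_RE.search(msg)) and e.group(1) != "0":  # non-zero wait status
            r["failed_iptables"].append(e.group(2))
        if i := IFACE_RE.search(msg):
            r["iface_not_in_netid"].append((i.group(1), int(i.group(2))))
        if ro := ROUTE_RE.search(msg):
            r["failed_routes"].append(ro.group(1))
    # "validated" only says the agent came up; the tunnel is usable only if the
    # interface joined the VPN netId and its routes were actually installed.
    r["usable"] = (r["child_sa_established"] and r["tun_created"]
                   and not r["iface_not_in_netid"] and not r["failed_routes"])
    return r
```

Running `assess_vpn_log(SAMPLE_LOG)` on the excerpt reports `validated` True but `usable` False, with `ipt_MARK` as the missing module and both half-default routes as failed.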


