[strongSwan] Android Client - issue on long running connection
avalentin at marcant.net
Sat Sep 21 01:18:52 CEST 2013
On 20.09.2013 17:13, Tobias Brunner wrote:
>> 09-19 09:11:30.810 I/charon (12923): 16[DMN] failed to setup TUN device
> While the app is able to send and receive IKE messages it does not seem
> to be able to find the network interface that has its local address
> installed, which is the reason for the following two messages (and the
> reason why setting up the TUN device eventually fails):
Okay, I was unsure about this. I had in mind that the interface shouldn't
change the state. But as always, in these cases I had no possibility to
check if there still was the IP on that interface.
>> 09-19 09:11:30.805 I/charon (12923): 16[IKE] looking up interface for virtual IP 10.150.240.194 failed
> This problem occurs when the device switches network interfaces or IP
> addresses right before (or while) establishing an SA.
Yes, mostly when I walk around.
>> 09-19 09:11:29.845 I/charon (12923): 14[NET] sending packet: from 192.168.203.96 to X.Y.Z.65 (648 bytes)
>> 09-19 09:11:30.030 I/charon (12923): 15[NET] received packet: from X.Y.Z.65 to 10.27.3.195 (465 bytes)
> Here we see that the app believes its local address is 192.168.203.96
> when sending the IKE_SA_INIT request, but the response is then actually
> received on 10.27.3.195. This address is not automatically updated,
> partly because MOBIKE is enabled, but since  the local address is
> actually only rarely updated automatically.
Okay. I can't believe that I did not see this:-(
> The result can be seen in the IKE_AUTH request that is still sent from
> 192.168.203.96 (the packet is not actually sent with that address in the
> header, as we don't set source addresses on Android, but it shows what
> the app thinks its local address is):
>> 09-19 09:11:30.400 I/charon (12923): 15[NET] sending packet: from 192.168.203.96 to X.Y.Z.65 (1900 bytes)
> So when it comes to looking up an interface to install the virtual IP on
> (something not really used on Android, oh well), it uses not the
> actually active address but that old one instead, which, of course,
> fails as that address is gone by now.
Now I understand the background! Same as with SAs and src/dst routers.
> I pushed a fix that tries to counter this by finding a new source
> address when reestablishing an IKE_SA (previously the old addresses were
> reused - which is now just the fallback). It might not fix the problem
> in all cases but should offer better recovery after failed retransmits.
That's very nice. Perhaps you could send me your 'beta' apk? My own
build does not work reliably.
> By the way, the following error is unrelated to the connectivity issue
> and is caused by the GUI calling commit() on a FragmentTransaction when
> the Fragment is not actually shown. A fixed version will be released
> next week.
>> 09-19 09:11:30.830 W/System.err(12923): java.lang.IllegalStateException: Can not perform this action after onSaveInstanceState
Thank you very much for your help. I cannot wait to test it;-)
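
Added example (not part of the original mail and not strongSwan code): a small Python check that scans charon `[NET]` log lines for the symptom diagnosed in this thread, a response arriving on a local address other than the one charon last sent from, followed by further requests still sent from the old address. The function name and finding labels are assumptions made for this illustration; the sample input consists of the log lines quoted in the thread.

```python
import re

# Matches charon [NET] lines in the logcat format quoted in this thread.
# \S+ is used for addresses so masked values such as X.Y.Z.65 still parse.
NET_RE = re.compile(
    r"\[NET\] (sending|received) packet: from (\S+) to (\S+) \(\d+ bytes\)"
)

# Log lines quoted in the thread, in chronological order.
SAMPLE_LOG = """\
09-19 09:11:29.845 I/charon (12923): 14[NET] sending packet: from 192.168.203.96 to X.Y.Z.65 (648 bytes)
09-19 09:11:30.030 I/charon (12923): 15[NET] received packet: from X.Y.Z.65 to 10.27.3.195 (465 bytes)
09-19 09:11:30.400 I/charon (12923): 15[NET] sending packet: from 192.168.203.96 to X.Y.Z.65 (1900 bytes)
09-19 09:11:30.805 I/charon (12923): 16[IKE] looking up interface for virtual IP 10.150.240.194 failed
09-19 09:11:30.810 I/charon (12923): 16[DMN] failed to setup TUN device
"""

def find_stale_local_address(lines):
    """Return (kind, line_no, believed_local, observed_local) tuples.

    kind is "mismatch" when a reply arrives on a different local address
    than charon last sent from, and "stale_send" when charon keeps sending
    from an address that differs from the one the last reply arrived on.
    """
    believed = {}  # peer -> local address in charon's last "sending" line
    observed = {}  # peer -> local address the peer's last reply arrived on
    findings = []
    for no, line in enumerate(lines, 1):
        m = NET_RE.search(line)
        if not m:
            continue
        direction, src, dst = m.groups()
        if direction == "sending":
            local, peer = src, dst
            if peer in observed and observed[peer] != local:
                findings.append(("stale_send", no, local, observed[peer]))
            believed[peer] = local
        else:
            peer, local = src, dst
            observed[peer] = local
            if peer in believed and believed[peer] != local:
                findings.append(("mismatch", no, believed[peer], local))
    return findings

if __name__ == "__main__":
    for finding in find_stale_local_address(SAMPLE_LOG.splitlines()):
        print(finding)
```

Findings of either kind shortly before a `failed to setup TUN device` line point to the interface switch described above rather than to a gateway-side problem.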