[strongSwan] Android Client - issue on long running connection

Andre Valentin avalentin at marcant.net
Sat Sep 21 01:18:52 CEST 2013

On 20.09.2013 17:13, Tobias Brunner wrote:
>> 09-19 09:11:30.810 I/charon  (12923): 16[DMN] failed to setup TUN device
> While the app is able to send and receive IKE messages it does not seem
> to be able to find the network interface that has its local address
> installed, which is the reason for the following two messages (and the
> reason why setting up the TUN device eventually fails):

Okay, I was unsure about this. I had in mind that the interface shouldn't
change the state. But as always, in these cases I had no possibility to
check if there still was the IP on that interface.

>> 09-19 09:11:30.805 I/charon  (12923): 16[IKE] looking up interface for virtual IP failed
> This problem occurs when the device switches network interfaces or IP
> addresses right before (or while) establishing an SA.

Yes, mostly when I walk around.

>> 09-19 09:11:29.845 I/charon  (12923): 14[NET] sending packet: from[49398] to X.Y.Z.65[4500] (648 bytes)
>> 09-19 09:11:30.030 I/charon  (12923): 15[NET] received packet: from X.Y.Z.65[4500] to[49398] (465 bytes)
> Here we see that the app believes its local address is
> when sending the IKE_SA_INIT request, but the response is then actually
> received on  This address is not automatically updated,
> partly because MOBIKE is enabled, but since [1] the local address is
> actually only rarely updated automatically.

Okay. I can't believe that I did not see this:-(

> The result can be seen in the IKE_AUTH request that is still sent from
> (the packet is not actually sent with that address in the
> header, as we don't set source addresses on Android, but it shows what
> the app thinks its local address is):
>> 09-19 09:11:30.400 I/charon  (12923): 15[NET] sending packet: from[49398] to X.Y.Z.65[4500] (1900 bytes)
> So when it comes to looking up an interface to install the virtual IP on
> (something not really used on Android, oh well), it uses not the
> actually active address but that old one instead, which, of course,
> fails as that address is gone by now.

Now I understand the background! Same as with SA's and src/dst routers.

> I pushed a fix that tries to counter this by finding a new source
> address when reestablishing an IKE_SA (previously the old addresses were
> reused - which is now just the fallback).  It might not fix the problem
> in all cases but should offer better recovery after failed retransmits.

That's very nice. Perhaps you could send me your 'beta' apk? My own
build does not work reliably.

> By the way, the following error is unrelated to the connectivity issue
> and is caused by the GUI calling commit() on a FragmentTransaction when
> the Fragment is not actually shown.  A fixed version will be released
> next week.
>> 09-19 09:11:30.830 W/System.err(12923): java.lang.IllegalStateException: Can not perform this action after onSaveInstanceState

Thank you very much for your help. I cannot wait to test it;-)

Kind regards,

André Valentin
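
An added example, not part of the original message and not strongSwan code: a small Python check that scans charon [NET] log lines for the condition described in the quoted explanation, where a reply arrives on a different local address than the one charon logged when sending to that peer. The function name and the sample addresses (documentation ranges) are assumptions; the line layout follows the log lines quoted above with the addresses filled in.

```python
import re

# charon [NET] lines: "sending packet: from LOCAL[port] to PEER[port]"
# and "received packet: from PEER[port] to LOCAL[port]".
NET_RE = re.compile(
    r"\[NET\] (sending|received) packet: "
    r"from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]"
)

def local_address_mismatches(lines):
    """Return (line_no, believed_local, actual_local) for each received
    packet whose destination differs from the source address charon
    logged for the last packet it sent to that peer."""
    believed = {}   # peer address -> local address charon last sent from
    findings = []
    for no, line in enumerate(lines, 1):
        m = NET_RE.search(line)
        if not m:
            continue  # not a [NET] line, or addresses were redacted
        direction, src, _sport, dst, _dport = m.groups()
        if direction == "sending":
            believed[dst] = src
        elif src in believed and believed[src] != dst:
            findings.append((no, believed[src], dst))
    return findings

# Constructed sample: addresses are documentation ranges, not from the thread.
SAMPLE = """\
09-19 09:11:29.845 I/charon  (12923): 14[NET] sending packet: from 192.0.2.10[49398] to 203.0.113.65[4500] (648 bytes)
09-19 09:11:30.030 I/charon  (12923): 15[NET] received packet: from 203.0.113.65[4500] to 198.51.100.7[49398] (465 bytes)
09-19 09:11:30.400 I/charon  (12923): 15[NET] sending packet: from 192.0.2.10[49398] to 203.0.113.65[4500] (1900 bytes)
09-19 09:11:30.805 I/charon  (12923): 16[IKE] looking up interface for virtual IP failed
""".splitlines()

if __name__ == "__main__":
    for no, old, new in local_address_mismatches(SAMPLE):
        print(f"line {no}: charon sends from {old}, replies arrive on {new}")
```

A finding shortly before "looking up interface for virtual IP failed" points at the stale local address rather than at the gateway or the credentials.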
