Issue #668

TUN overlapping in Android 4.4.2

Added by Lian Duan about 7 years ago. Updated over 4 years ago.

Status:
Rejected
Priority:
Normal
Category:
android
Affected version:
5.2.0
Resolution:
Duplicate

Description

Hello,

There have been reports about strongSwan causing system VPN interface failure when two TUNs are open at the same time. The problem happens during reconnecting (IKE_SA is alive but CHILD_SA is down): java.lang.IllegalStateException: command '82 interface fwmark rule add tun0' failed with '400 82 Failed to add fwmark rule (No such device)' will be triggered, and afterwards users are not able to revoke the VPN. This cannot be recovered unless you reboot the system.

This is related to a security behavior of strongSwan: it establishes a new TUN before closing the old one to prevent traffic leaks. However, this triggers the bug in Android 4.4.2. Although it's an Android bug, I would suggest we make a workaround to fix it.

A dirty fix is provided: it detects the version of the Android release, and if it is Android 4.4.2, it closes the old TUN before creating a new one.

Related issues

https://wiki.strongswan.org/issues/462
https://wiki.strongswan.org/issues/473

Related Android issue

https://code.google.com/p/android/issues/detail?id=62410
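The two TUN replacement orders discussed in this report, as an added illustration that is not the strongSwan app's code or the submitted patch. TunReplacer and its methods are hypothetical names; only VpnService.Builder, ParcelFileDescriptor and Build.VERSION are real Android APIs, and the version string check mirrors the report's "if it is android 4.4.2" gate.

```java
// Added example (not strongSwan's code): sketch of the TUN replacement order
// described in the report. TunReplacer/replace/closeCurrent are hypothetical names.
import android.net.VpnService;
import android.os.Build;
import android.os.ParcelFileDescriptor;
import java.io.IOException;

public class TunReplacer {
    private ParcelFileDescriptor current;   // TUN currently routing traffic, may be null

    /** The report says Android 4.4.2 fails when a second TUN is established while
     *  the first is still open (the "Failed to add fwmark rule" error). */
    static boolean needsCloseFirstWorkaround() {
        return "4.4.2".equals(Build.VERSION.RELEASE);
    }

    /** Replace the active TUN with a new one built from {@code builder}. */
    synchronized boolean replace(VpnService.Builder builder) throws IOException {
        if (needsCloseFirstWorkaround()) {
            // Workaround path: tear down first. Traffic is unprotected until
            // establish() returns; this is exactly the leak window the default
            // path below avoids, which is why the maintainer rejected it.
            closeCurrent();
            current = builder.establish();
            return current != null;
        }
        // Default path: open the replacement before closing the old device, so
        // there is never a moment without a TUN capturing the routed traffic.
        ParcelFileDescriptor next = builder.establish();
        if (next == null) {
            // establish() returns null when the VPN permission was revoked; keep
            // the old device rather than dropping to an unprotected state.
            return false;
        }
        closeCurrent();
        current = next;
        return true;
    }

    private void closeCurrent() throws IOException {
        if (current != null) {
            current.close();
            current = null;
        }
    }
}
```

On the affected Android build, establish() in the default path throws the IllegalStateException quoted in the report rather than returning null, so a caller there must catch it and keep the old device open.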

Related issues

Is duplicate of Issue #462: strongswan android app can not use on android 4.4 OS (Feedback, 06.12.2013)
Has duplicate Issue #2290: Android client hangs when connection kicked by server (Closed)

History

#1 Updated by Tobias Brunner about 7 years ago

  • Is duplicate of Issue #462: strongswan android app can not use on android 4.4 OS added

#2 Updated by Tobias Brunner about 7 years ago

  • Tracker changed from Bug to Issue
  • Category set to android
  • Status changed from New to Rejected
  • Assignee set to Tobias Brunner
  • Resolution changed from Fixed to Duplicate

This is related to a security behavior of strongSwan: it establishes a new TUN before closing the old one to prevent traffic leaks. However, this triggers the bug in Android 4.4.2. Although it's an Android bug, I would suggest we make a workaround to fix it.

Go ahead and apply this to your own personal build. But I won't release the app with such a "fix" applied, sorry.

#3 Updated by Max Kosmach about 6 years ago

Hi Tobias.

Do you plan to make another fix for this problem?
I have a Lenovo P780 with Android 4.4.2 - same problem here:
strongSwan works for some time only after a phone reboot. After disconnect/reconnect strongSwan does not work anymore, with diag:
Aug 19 12:51:34 03[LIB] builder: failed to build TUN device
Aug 19 12:51:34 03[DMN] failed to setup TUN device

Lenovo does not have any plans to make another update for this phone and I don't know any workaround for this problem.

PS. Why are traffic leaks when strongSwan is disconnected OK, but traffic leaks when strongSwan is in the reconnecting state not OK?

#4 Updated by Tobias Brunner about 6 years ago

Do you plan to make another fix for this problem?

No, I have no intention to provide hackish fixes for bugs in legacy Android versions.

Lenovo does not have any plans to make another update for this phone and I don't know any workaround for this problem.

You can try the patch and build your own version of the app.

PS. Why are traffic leaks when strongSwan is disconnected OK, but traffic leaks when strongSwan is in the reconnecting state not OK?

If the VPN is not established the user is aware that traffic will be unprotected, but after connecting the user should be able to rely on the fact that no traffic is leaked until the connection is terminated again (a user might not be aware of the fact that the connection to the server was lost for a short time and the connection has to be reestablished, in particular, if the app is not running in the foreground). Basically, as long as the padlock is seen in the status area traffic should not be leaked.

#5 Updated by Tobias Brunner over 4 years ago

  • Has duplicate Issue #2290: Android client hangs when connection kicked by server added

#6 Updated by Sviatoslav Mikhailov over 4 years ago

No, I have no intention to provide hackish fixes for bugs in legacy Android versions.

If you're not going to make the application work on a particular Android version, then you should warn the user that his device is incompatible/not supported, don't you think so?

Why should I spend a day testing different versions and writing an issue, only to stumble into a two-year-old problem that was already known and for which a patch was already created, but your religion just didn't allow you to either apply the 'hack' or inform the user before or right after the installation about these compatibility issues.

Requires Android 4.0.3 and up

You are just lying to users. And even "open source" is not a proper excuse for that. If you think that 4.4.2 is an old version that isn't worth maintaining - please change the system requirements accordingly.
