Issue #695

StrongSwan Android: failed to setup TUN device without DNS

Added by Alexandre Rico about 7 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Category: android
Affected version: 5.2.0
Resolution: Duplicate

Description

Hi,

I'm currently testing the strongswan android application. It works fine, but in one case the app crashes the smartphone network.

I connect the VPN and, once it is connected, I cut the connection on the server side (more or less ipsec stop). When I do this, the app shows an error message (Unspecified failure while connecting) and goes to the "No active VPN" status.
But the VpnDialog and VpnService are still there, and I can't even disconnect or stop it. If I uninstall the app, it is still there. The problem is that I can't use my smartphone, because the whole network is configured as if the VPN were connected, but in fact the server is down. I have to reboot the smartphone.

The smartphone is a Galaxy S4 Android 4.4.2, with no SIM card, only Wifi.

On another smartphone, a Nexus 5 with Android 4.4.4, with no SIM card, only Wifi, the app does not produce the bug.

On a Galaxy Tab with Android 4.2.2, with no SIM card, only Wifi, it works fine too.

This is the log and furthermore the exception trace:

00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default kernel-netlink eap-identity eap-mschapv2 eap-md5 eap-gtc
00[LIB] unable to load 9 plugin features (9 due to unmet dependencies)
00[JOB] spawning 16 worker threads
08[CFG] loaded user certificate 'C=FR, O=*******, CN=arico66@*******.fr, S=test2, G=test2, UID=VswluFjSz92H' and private key
08[CFG] loaded CA certificate 'C=FR, O=*******, CN=******* CA'
08[IKE] initiating IKE_SA android[1] to 192.168.50.110
08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[500] (988 bytes)
11[IKE] retransmit 1 of request with message ID 0
11[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[500] (988 bytes)
12[IKE] retransmit 2 of request with message ID 0
12[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[500] (988 bytes)
13[NET] received packet: from 192.168.50.110[500] to 192.168.2.26[60463] (440 bytes)
13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
13[IKE] local host is behind NAT, sending keep alives
13[IKE] sending cert request for "C=FR, O=*******, CN=******* CA"
13[IKE] authentication of 'C=FR, O=*******, CN=arico66@*******.fr, S=test2, G=test2, UID=VswluFjSz92H' (myself) with RSA signature successful
13[IKE] establishing CHILD_SA android
13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CPRQ N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
13[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (908 bytes)
14[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (1340 bytes)
14[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH ]
14[IKE] received end entity cert "C=FR, O=*******, CN=3HkQXViBmogVGjkIpHPYgA.devel.*******.fr"
14[CFG] using certificate "C=FR, O=*******, CN=3HkQXViBmogVGjkIpHPYgA.devel.*******.fr"
14[CFG] using trusted ca certificate "C=FR, O=*******, CN=******* CA"
14[CFG] reached self-signed root ca with a path length of 0
14[IKE] authentication of 'C=FR, O=*******, CN=3HkQXViBmogVGjkIpHPYgA.devel.*******.fr' with RSA signature successful
14[ENC] generating IKE_AUTH request 2 [ IDi ]
14[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (92 bytes)
15[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (92 bytes)
15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
15[IKE] server requested EAP_MD5 authentication (id 0x7A)
15[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
15[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (92 bytes)
16[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
16[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
16[IKE] EAP method EAP_MD5 succeeded, no MSK established
16[IKE] authentication of 'arico66@*******.fr' (myself) with EAP
16[ENC] generating IKE_AUTH request 4 [ AUTH ]
16[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (92 bytes)
09[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (252 bytes)
09[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
09[IKE] authentication of 'C=FR, O=*******, CN=3HkQXViBmogVGjkIpHPYgA.devel.*******.fr' with EAP successful
09[IKE] IKE_SA android[1] established between 192.168.2.26[arico66@*******.fr]...192.168.50.110[C=FR, O=*******, CN=3HkQXViBmogVGjkIpHPYgA.devel.*******.fr]
09[IKE] scheduling rekeying in 35854s
09[IKE] maximum IKE_SA lifetime 36454s
09[IKE] installing new virtual IP 10.0.0.3
09[IKE] CHILD_SA android{1} established with SPIs a573557c_i c5c135d3_o and TS 10.0.0.3/32 === 0.0.0.0/0
09[DMN] setting up TUN device for CHILD_SA android{1}
09[DMN] successfully created TUN device
09[IKE] received AUTH_LIFETIME of 10062s, scheduling reauthentication in 9462s
09[IKE] peer supports MOBIKE
14[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
14[ENC] parsed INFORMATIONAL request 0 [ ]
14[ENC] generating INFORMATIONAL response 0 [ ]
14[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
09[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
09[ENC] parsed INFORMATIONAL request 1 [ ]
09[ENC] generating INFORMATIONAL response 1 [ ]
09[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
10[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
10[ENC] parsed INFORMATIONAL request 2 [ ]
10[ENC] generating INFORMATIONAL response 2 [ ]
10[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
11[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
11[ENC] parsed INFORMATIONAL request 3 [ ]
11[ENC] generating INFORMATIONAL response 3 [ ]
11[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
13[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
13[ENC] parsed INFORMATIONAL request 4 [ ]
13[ENC] generating INFORMATIONAL response 4 [ ]
13[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
14[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
14[ENC] parsed INFORMATIONAL request 5 [ ]
14[ENC] generating INFORMATIONAL response 5 [ ]
14[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
09[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
09[ENC] parsed INFORMATIONAL request 6 [ ]
09[ENC] generating INFORMATIONAL response 6 [ ]
09[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
08[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
08[ENC] parsed INFORMATIONAL request 7 [ ]
08[ENC] generating INFORMATIONAL response 7 [ ]
08[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
11[NET] received packet: from 192.168.50.110[4500] to 192.168.2.26[54460] (76 bytes)
11[ENC] parsed INFORMATIONAL request 8 [ D ]
11[IKE] received DELETE for IKE_SA android[1]
11[IKE] deleting IKE_SA android[1] between 192.168.2.26[arico66@*******.fr]...192.168.50.110[C=FR, O=*******, CN=3HkQXViBmogVGjkIpHPYgA.devel.*******.fr]
11[DMN] setting up TUN device without DNS
W/System.err(5484): java.lang.IllegalStateException: command '44 interface fwmark uid add tun1 0 99999' failed with '400 44 Failed to add uid rule (Invalid argument)'
W/System.err(5484): at android.os.Parcel.readException(Parcel.java:1473)
W/System.err(5484): at android.os.Parcel.readException(Parcel.java:1419)
W/System.err(5484): at android.net.IConnectivityManager$Stub$Proxy.establishVpn(IConnectivityManager.java:1917)
W/System.err(5484): at android.net.VpnService$Builder.establish(VpnService.java:471)
W/System.err(5484): at org.strongswan.android.logic.CharonVpnService$BuilderAdapter.establishNoDns(CharonVpnService.java:659)
W/System.err(5484): at dalvik.system.NativeStart.run(Native Method)
11[LIB] builder: failed to build TUN device
11[DMN] failed to setup TUN device without DNS
18[LIB] resolving '3HkQXViBmogVGjkIpHPYgA.devel.*******.fr' failed: No address associated with hostname
11[IKE] installing new virtual IP 10.0.0.3
11[IKE] restarting CHILD_SA android
11[IKE] initiating IKE_SA android[2] to 192.168.50.110
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[4500] (988 bytes)
11[IKE] IKE_SA deleted
11[ENC] generating INFORMATIONAL response 8 [ ]
11[NET] sending packet: from 192.168.2.26[54460] to 192.168.50.110[4500] (76 bytes)
14[IKE] retransmit 1 of request with message ID 0
4[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[4500] (988 bytes)
15[IKE] retransmit 2 of request with message ID 0
15[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[4500] (988 bytes)
09[IKE] retransmit 3 of request with message ID 0
09[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[4500] (988 bytes)
10[IKE] giving up after 3 retransmits
10[IKE] peer not responding, trying again (2/0)
10[IKE] initiating IKE_SA android[2] to 192.168.50.110
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[NET] sending packet: from 192.168.2.26[60463] to 192.168.50.110[4500] (988 bytes)
00[IKE] destroying IKE_SA in state CONNECTING without notification

If you have any idea...
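
Added example, not part of the original report or of strongSwan's code: a small Python triage script that looks for the sequence visible in the log above (TUN device created, DELETE received from the peer, then the TUN setup without DNS failing) and extracts the rejected command from the Java exception. The sample lines are constructed from messages in that log; the function, flag and key names are assumptions of this example.

```python
import re

# Constructed sample built from messages in the log above; not a complete log.
SAMPLE = """\
09[DMN] successfully created TUN device
11[IKE] received DELETE for IKE_SA android[1]
11[DMN] setting up TUN device without DNS
W/System.err(5484): java.lang.IllegalStateException: command '44 interface fwmark uid add tun1 0 99999' failed with '400 44 Failed to add uid rule (Invalid argument)'
11[LIB] builder: failed to build TUN device
11[DMN] failed to setup TUN device without DNS
10[IKE] giving up after 3 retransmits
"""

CHARON = re.compile(r"^(\d+)\[([A-Z]{3})\] (.*)$")           # thread[GROUP] message
CMD_ERR = re.compile(r"command '(.+?)' failed with '(.+)'")  # Java exception text

# (log group, message prefix) -> flag set when such a charon line is seen.
MARKERS = {
    ("DMN", "successfully created TUN device"): "tun_created",
    ("IKE", "received DELETE for IKE_SA"): "peer_delete",
    ("DMN", "failed to setup TUN device without DNS"): "tun_rebuild_failed",
    ("IKE", "giving up after"): "gave_up",
}

def triage(log):
    """Summarise TUN device handling found in a charon/logcat excerpt."""
    seen = dict.fromkeys(MARKERS.values(), False)
    seen["failed_command"] = None
    for line in log.splitlines():
        m = CHARON.match(line)
        if m:
            for (group, prefix), flag in MARKERS.items():
                if m.group(2) == group and m.group(3).startswith(prefix):
                    # A rebuild failure only counts after the peer's DELETE.
                    if flag != "tun_rebuild_failed" or seen["peer_delete"]:
                        seen[flag] = True
        elif (e := CMD_ERR.search(line)):
            seen["failed_command"] = {"command": e.group(1), "reply": e.group(2)}
    # Sequence from the report: TUN created, peer DELETE, TUN rebuild failed.
    seen["matches_report"] = all(
        seen[k] for k in ("tun_created", "peer_delete", "tun_rebuild_failed"))
    return seen

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
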


Related issues

Related to Issue #462: strongswan android app can not use on android 4.4 OS (Feedback, 06.12.2013)

History

#1 Updated by Tobias Brunner about 7 years ago

  • Related to Issue #462: strongswan android app can not use on android 4.4 OS added

#2 Updated by Tobias Brunner about 7 years ago

  • Tracker changed from Bug to Issue
  • Status changed from New to Feedback

> The smartphone is a Galaxy S4 Android 4.4.2, with no SIM card, only Wifi.

While not an exact duplicate of #462, it is still caused by the same bug in Android 4.4 before 4.4.3. Refer to the related issues for more information.

#3 Updated by Alexandre Rico about 7 years ago

I'm trying the patch now.

#4 Updated by Alexandre Rico about 7 years ago

It doesn't seem to work. The same problem.

#5 Updated by Tobias Brunner about 6 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Duplicate
