Ipsec, Android 2.1 and Virgin Mobile
-
Has anyone had any success with an IPSec VPN connection from a droid?
It looks like it almost works, but the phone says no, yet some SAD entries are created on the IPsec status page.
My error logs are below; from my googling I think it may be a NAT-T issue, but I'm no IPSec expert.
Nov 15 10:15:13 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: IP REMOVED[500]<=>66.87.25.88[37789]
Nov 15 10:15:13 racoon: INFO: begin Identity Protection mode.
Nov 15 10:15:13 racoon: INFO: received Vendor ID: RFC 3947
Nov 15 10:15:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 15 10:15:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 15 10:15:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Nov 15 10:15:13 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Nov 15 10:15:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established IP REMOVED[500]-66.87.25.88[37789] spi:bbefc0a7c4cbb9c1:b304576f64db7392
Nov 15 10:15:14 racoon: INFO: generated policy, deleting it.
Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: IP REMOVED[0]<=>66.87.25.88[0]
Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 28.219.203.88/32[0] 173.160.148.149/32[1701] proto=udp dir=in
Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 66.87.25.88[0]->IP REMOVED[0] spi=141795897(0x873a239)
Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP IP REMOVED[0]->66.87.25.88[0] spi=52812449(0x325daa1)
Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "28.219.203.88/32[0] IP REMOVED/32[1701] proto=udp dir=in"
Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "IP REMOVED/32[1701] 28.219.203.88/32[0] proto=udp dir=out"
Any thoughts appreciated.
Thanks,
Erin
-
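A triage sketch for the racoon log in the post above, added here as an example and not code from the thread or from pfSense: it splits a run-together paste into entries and reports whether phase 1 and the IPsec SAs came up and which policies racoon refused. The function names and the trimmed `SAMPLE` string are this example's own.

```python
import re

# Entries trimmed from the racoon log in the first post, run together the way the
# forum paste presents them ("IP REMOVED" is the poster's own redaction).
SAMPLE = (
    'Nov 15 10:15:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established '
    'IP REMOVED[500]-66.87.25.88[37789] spi:bbefc0a7c4cbb9c1:b304576f64db7392 '
    'Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: '
    'ESP 66.87.25.88[0]->IP REMOVED[0] spi=141795897(0x873a239) '
    'Nov 15 10:15:15 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not '
    'already exist: "28.219.203.88/32[0] IP REMOVED/32[1701] proto=udp dir=in"'
)

# A syslog timestamp followed by the racoon tag marks where each entry starts.
ENTRY_START = re.compile(r'[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d racoon: ')
ENTRY = re.compile(r'^.{15} racoon: (?:\[[^\]]*\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$')
POLICY = re.compile(r'"(?P<src>.+?)\[(?P<sport>\d+)\] (?P<dst>.+?)\[(?P<dport>\d+)\] '
                    r'proto=(?P<proto>\w+) dir=(?P<dir>\w+)"')
L2TP_PORT = 1701  # UDP port used by L2TP

def split_entries(text):
    """Cut a run-together paste back into one string per log entry."""
    starts = [m.start() for m in ENTRY_START.finditer(text)] + [len(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:])]

def triage(text):
    """Report which negotiation stages completed and which policies were refused."""
    report = {"phase1": False, "ipsec_sa": 0, "policy_errors": []}
    for entry in split_entries(text):
        m = ENTRY.match(entry)
        if not m:
            continue  # not a racoon entry in the expected shape
        level, msg = m["level"], m["msg"]
        if level == "INFO" and msg.startswith("ISAKMP-SA established"):
            report["phase1"] = True
        elif level == "INFO" and msg.startswith("IPsec-SA established"):
            report["ipsec_sa"] += 1
        elif level == "ERROR" and "such policy does not already exist" in msg:
            p = POLICY.search(msg)
            if p:
                report["policy_errors"].append(
                    (p["dir"], p["proto"], int(p["sport"]), int(p["dport"])))
    return report

def l2tp_policy_rejected(report):
    """True when the IPsec SAs came up but a UDP/1701 (L2TP) policy was refused."""
    return (report["phase1"] and report["ipsec_sa"] > 0 and any(
        proto == "udp" and L2TP_PORT in (sport, dport)
        for _, proto, sport, dport in report["policy_errors"]))
```
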
Talked with jim-p in IRC.
The GUI does not configure the IPSec/L2TP. So this is currently a no go.
Jim shared this link with me.
http://www.liuchuan.org/cuhk/l2tp_ipsec.html
I found this rather interesting link.
http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server#Racoon_conf_for_Android_L2TP.2FIPSEC
Maybe that will point someone in the right direction. I'm very willing to test this, so any devs that want to work on this just post or PM and I will get back to you.
-
We have an open ticket for this:
http://redmine.pfsense.org/issues/475
Hopefully the sample configs will lead to a working setup on 2.0.
For now I use plain L2TP to connect back to my 2.0 setups from my Droid X and it works.
See also:
http://doc.pfsense.org/index.php/Android_VPN_Connectivity
-
My Samsung Intercept (Android 2.1) does not connect in any way to pfSense, version 1.2.3 or 2.0 Beta4.
Tried PPTP with both versions and it was a no go; looking at the logs, communication is happening but there is no connection.
Tried IPSec and that was working, but failing on the L2TP step; again the logs show L2TP communication but no connection.
Tried L2TP, logs showed communication but it failed also. Can post logs if that would be useful.
Thanks,
Erin
-
Did you add firewall rules to the L2TP interface after turning on L2TP?
If you can connect but not transmit data, that is likely the problem (same with PPTP on 2.0)
1.2.3 doesn't work with any connection type that I tried.
-
> Did you add firewall rules to the L2TP interface after turning on L2TP?
> If you can connect but not transmit data, that is likely the problem (same with PPTP on 2.0)
> 1.2.3 doesn't work with any connection type that I tried.

My firewall rules were set up to pass all; nothing is being blocked by the rules.
The Android phone says the connection failed. (PPTP, L2TP)
I tried m0n0wall 1.3.2 for the PPTP connection and that did not work either (not super relevant, but it may save someone else the time of testing that).