
    VPN Android

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
      BlackJack01090

      Hello,

      I'm trying to connect an Android 2.1 Phone with pfSense over 3G+. I've read something about NAT-T because of the mobile provider. With PPTP I get no connection. With L2TP my phone says perhaps a problem with auth. pfSense log says:

      l2tps: Incoming L2TP packet from xyz 50672
      l2tps: L2TP: Control connection 0x28613a04 terminated: 0 ()
      l2tps: L2TP: Control connection 0x28613a04 destroyed

      I have no idea for L2TP/IPSec. Is it possible to configure L2TP with IPSec in pfSense? My phone supports PSK and Certs.

      Greeting

      BJ01090

        adrianhensler

        I tried briefly with my Android.

        Got a valid connection (phone showed VPN connected) with L2TP, but then the traffic showed weird errors:

        Jan 7 00:16:02 l2tp010.196.31.170:50746 123.123.123.123:443  TCP:FPA
        Jan 7 00:16:00 l2tp010.196.31.170:56853 123.123.123.123:443  TCP:FPA
        Jan 7 00:15:52 l2tp010.196.31.170:50746 123.123.123.123:443  TCP:FPA
        Jan 7 00:15:52 l2tp010.196.31.170:47477 111.111.111.111:80    TCP:FA
        Jan 7 00:15:51 l2tp010.196.31.170:56853 123.123.123.123:443  TCP:FPA

        Obscured a real IP with 123.123.123.123 and another with 111.111.111.111.

        Authentication seemed to work, but then the traffic seemed to be screwy. I am sure this is something I did.

        I could not get IPSec or PPTP to connect successfully.

        IPSec returned  "ERROR: not acceptable Identity Protection mode".

        PPTP returned:

        
        Last 60 VPN log entries
        Jan 7 00:13:28	pptps: pptp0: killing connection with 74.198.12.3 56718
        Jan 7 00:13:28	pptps: pptp0: no reply to StopCtrlConnRequest after 3 sec
        Jan 7 00:13:25	pptps: pptp0: closing connection with 74.198.12.3 56718
        Jan 7 00:13:25	pptps: [pt0] LCP: state change Closed --> Initial
        Jan 7 00:13:25	pptps: [pt0] LCP: Down event
        Jan 7 00:13:25	pptps: [pt0] LCP: state change Stopped --> Closed
        Jan 7 00:13:25	pptps: [pt0] LCP: Close event
        Jan 7 00:13:25	pptps: [pt0] link: DOWN event
        Jan 7 00:13:25	pptps: [pt0] PPTP call terminated
        Jan 7 00:13:25	pptps: pptp0-0: killing channel
        Jan 7 00:13:25	pptps: pptp0-0: clearing call
        Jan 7 00:13:25	pptps: [pt0] LCP: LayerFinish
        Jan 7 00:13:25	pptps: [pt0] LCP: state change Ack-Sent --> Stopped
        Jan 7 00:13:25	pptps: [pt0] LCP: parameter negotiation failed
        Jan 7 00:13:23	pptps: ACFCOMP
        Jan 7 00:13:23	pptps: PROTOCOMP
        Jan 7 00:13:23	pptps: MAGICNUM 33aa8726
        Jan 7 00:13:23	pptps: ACCMAP 0x00000000
        Jan 7 00:13:23	pptps: MRU 1400
        Jan 7 00:13:23	pptps: [pt0] LCP: SendConfigAck #1
        

        I think the "parameter negotiation failed" is the problem.

        So no success for me from an Android 2.2 (Magic).  I may try again tomorrow when I have time to look up these errors and exactly what is supported for VPN on Android.

          cmb

          You see this?
          http://doc.pfsense.org/index.php/Android_VPN_Connectivity

            BlackJack01090

            Thanks for the link. So PPTP and L2TP (without shared key) should work. Is it possible when the phone is behind a NAT? And how to configure L2TP?

            Greetings

            BJ01090

            –

            I've tried L2TP with following settings:
            Interface: WAN
            Server address: 192.168.102.250 (I also tried the external IP from WAN)
            Remote address range: 192.168.102.0
            Subnet netmask: 23
            Number of L2TP users: 5
            Secret: not defined
            Encryption type: CHAP

            And got this:

            
            Jan 7 12:57:36 	l2tps: Incoming L2TP packet from 92.116.154.122 36304
            Jan 7 12:57:44 	l2tps: L2TP: Control connection 0x28613884 connected
            Jan 7 12:57:44 	l2tps: L2TP: Incoming call #1266886248 via connection 0x28613884 received
            Jan 7 12:57:44 	l2tps: [l2tp0] L2TP: Incoming call #1266886248 via control connection 0x28613884 accepted
            Jan 7 12:57:44 	l2tps: [l2tp0] opening link "l2tp0"...
            Jan 7 12:57:44 	l2tps: [l2tp0] link: OPEN event
            Jan 7 12:57:44 	l2tps: [l2tp0] LCP: Open event
            Jan 7 12:57:44 	l2tps: [l2tp0] LCP: state change Initial --> Starting
            Jan 7 12:57:44 	l2tps: [l2tp0] LCP: LayerStart
            Jan 7 12:57:44 	l2tps: [l2tp0] L2TP: Call #1266886248 connected
            Jan 7 12:57:44 	l2tps: [l2tp0] link: UP event
            Jan 7 12:57:44 	l2tps: [l2tp0] link: origination is remote
            Jan 7 12:57:44 	l2tps: [l2tp0] LCP: Up event
            Jan 7 12:57:44 	l2tps: [l2tp0] LCP: state change Starting --> Req-Sent
            Jan 7 12:57:44 	l2tps: [l2tp0] LCP: SendConfigReq #11
            Jan 7 12:57:44 	l2tps: ACFCOMP
            Jan 7 12:57:44 	l2tps: PROTOCOMP
            Jan 7 12:57:44 	l2tps: MRU 1500
            Jan 7 12:57:44 	l2tps: MAGICNUM d670890b
            Jan 7 12:57:44 	l2tps: AUTHPROTO CHAP MD5
            Jan 7 12:57:46 	l2tps: [l2tp0] LCP: SendConfigReq #12
            Jan 7 12:57:46 	l2tps: ACFCOMP
            Jan 7 12:57:46 	l2tps: PROTOCOMP
            Jan 7 12:57:46 	l2tps: MRU 1500
            Jan 7 12:57:46 	l2tps: MAGICNUM d670890b
            Jan 7 12:57:46 	l2tps: AUTHPROTO CHAP MD5
            Jan 7 12:57:48 	l2tps: [l2tp0] LCP: SendConfigReq #13
            Jan 7 12:57:48 	l2tps: ACFCOMP
            Jan 7 12:57:48 	l2tps: PROTOCOMP
            Jan 7 12:57:48 	l2tps: MRU 1500
            Jan 7 12:57:48 	l2tps: MAGICNUM d670890b
            Jan 7 12:57:48 	l2tps: AUTHPROTO CHAP MD5
            Jan 7 12:58:02 	l2tps: [l2tp0] LCP: SendConfigReq #20
            Jan 7 12:58:02 	l2tps: ACFCOMP
            Jan 7 12:58:02 	l2tps: PROTOCOMP
            Jan 7 12:58:02 	l2tps: MRU 1500
            Jan 7 12:58:02 	l2tps: MAGICNUM d670890b
            Jan 7 12:58:02 	l2tps: AUTHPROTO CHAP MD5
            Jan 7 12:58:05 	l2tps: [l2tp0] LCP: parameter negotiation failed
            Jan 7 12:58:05 	l2tps: [l2tp0] LCP: state change Req-Sent --> Stopped
            Jan 7 12:58:05 	l2tps: [l2tp0] LCP: LayerFinish
            Jan 7 12:58:05 	l2tps: [l2tp0] link: DOWN event
            Jan 7 12:58:05 	l2tps: [l2tp0] LCP: Close event
            Jan 7 12:58:05 	l2tps: [l2tp0] LCP: state change Stopped --> Closed
            Jan 7 12:58:05 	l2tps: [l2tp0] LCP: Down event
            Jan 7 12:58:05 	l2tps: [l2tp0] LCP: state change Closed --> Initial
            Jan 7 12:58:05 	l2tps: [l2tp0] L2TP: Call #1266886248 terminated locally
            Jan 7 12:58:05 	l2tps: L2TP: Control connection 0x28613884 terminated: 0 (no more sessions exist in this tunnel)
            Jan 7 12:58:16 	l2tps: L2TP: Control connection 0x28613884 destroyed
            
            
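A small triage script for the mpd LCP lines quoted in this thread (both the pptps log above with "state change Ack-Sent --> Stopped" and this l2tps log that stalls in Req-Sent), added here as an example; it is not code from the thread or from pfSense. The log text is constructed in the shape of those lines, and the verdict strings are my reading of the RFC 1661 LCP states, not something the log itself states.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the mpd "l2tps"/"pptps" lines quoted in this thread
SAMPLE_LOG = """\
Jan 7 12:57:44 l2tps: [l2tp0] LCP: state change Starting --> Req-Sent
Jan 7 12:57:44 l2tps: [l2tp0] LCP: SendConfigReq #11
Jan 7 12:57:44 l2tps: AUTHPROTO CHAP MD5
Jan 7 12:57:46 l2tps: [l2tp0] LCP: SendConfigReq #12
Jan 7 12:57:48 l2tps: [l2tp0] LCP: SendConfigReq #13
Jan 7 12:58:05 l2tps: [l2tp0] LCP: parameter negotiation failed
Jan 7 12:58:05 l2tps: [l2tp0] LCP: state change Req-Sent --> Stopped
Jan 7 00:13:23\tpptps: [pt0] LCP: SendConfigAck #1
Jan 7 00:13:25\tpptps: [pt0] LCP: parameter negotiation failed
Jan 7 00:13:25\tpptps: [pt0] LCP: state change Ack-Sent --> Stopped
"""

# timestamp, daemon, optional [link] tag, message; option lines (MRU, AUTHPROTO...) carry no tag
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\w+:\s+(?:\[(\w+)\]\s+)?(.*)$")
STATE_RE = re.compile(r"state change (\S+) --> (\S+)")

# What each LCP state (RFC 1661) means when mpd gives up while in it
VERDICTS = {
    "Req-Sent": "our Config-Requests were never answered by the peer",
    "Ack-Sent": "we acknowledged the peer's options but it never acknowledged ours",
}

def triage_lcp(log_text):
    """Per PPP link: what we sent, and which LCP state the negotiation failed in."""
    links = defaultdict(lambda: {"config_reqs": 0, "config_acks_sent": 0, "failed_in": None})
    pending_fail = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) is None:
            continue
        link, msg = m.groups()
        entry = links[link]
        if "SendConfigReq" in msg:
            entry["config_reqs"] += 1
        elif "SendConfigAck" in msg:
            entry["config_acks_sent"] += 1
        elif "parameter negotiation failed" in msg:
            pending_fail.add(link)           # the next state change tells us where we were
        elif (s := STATE_RE.search(msg)) and link in pending_fail:
            entry["failed_in"] = s.group(1)
            pending_fail.discard(link)
    for entry in links.values():
        entry["verdict"] = VERDICTS.get(entry["failed_in"], "no LCP failure seen")
    return dict(links)
```

Feed it the real log from Status > System Logs > VPN and compare the per-link verdicts: a link that dies in Req-Sent never got any LCP reply from the phone, while one that dies in Ack-Sent did exchange LCP but the phone rejected or ignored the server's options.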
              PistolPete

              @cmb:

              You see this?
              http://doc.pfsense.org/index.php/Android_VPN_Connectivity

              This doesn't make sense. My old 1.2.3 based router worked 100% with my Android phone over PPTP yet my 2.0 setup won't connect…

                cyboc

                @adrianhensler:

                I could not get IPSec or PPTP to connect successfully.

                IPSec returned  "ERROR: not acceptable Identity Protection mode".

                I get the same error on an HTC Desire running Android 2.2. I think this is because the IPSec client on my HTC does not seem to have a field for configuring the identifier associated with the PSK on the "Pre-shared keys" tab in the IPSec config page in pfSense. On the phone, there is only a field for the PSK. Well, maybe I'm blind but I can't find the identifier field. Can anyone confirm that this is the cause of the message "ERROR: not acceptable Identity Protection mode"? If so, are there any workarounds that don't involve rooting the phone?

                  jimp (Rebel Alliance Developer Netgate)

                  IPsec+L2TP won't work as things are right now, and probably won't work in 2.0.

                  The identifier is part of the problem, the phone always uses its IP address as its identifier, which is really a problem as there is no way to know the phone's IP ahead of time. The fix for this requires patching racoon to accept anonymous PSKs, which is a rather large security risk.

                  I haven't tried L2TP in a while but when I wrote the Android VPN doc for the wiki I had no trouble connecting to a router and surfing the web over an L2TP VPN.

                  I really wish someone could figure out how to do an OpenVPN client on Android without rooting. I'd pay good money for that. :-)

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                    cyboc

                    Jimp,

                    Thanks for the comments. Would L2TP be preferred over PPTP? I noticed that the Android doc in the wiki says that both work.

                    I'm with you on the OpenVPN comment.

                    Joe

                      jimp (Rebel Alliance Developer Netgate)

                      If you want encryption, PPTP with a looooong password. If you just want tunneling with no encryption, L2TP. That's why most people want L2TP+IPsec, IPsec encrypts the link between the router and the phone's public IP, L2TP provides the tunneling.


                        cyboc

                        I just tried PPTP and it seems to work fine. I used a long password and also a long, obscure user name.

                        I noticed that when you enable PPTP, it automatically creates a hidden firewall rule that allows connections from anywhere to the PPTP port (TCP 1723).

                        To try to limit brute-forcers, I added two additional firewall rules manually. First, I added another rule that is the same as the automatic rule (i.e. allow TCP 1723 from any) except it rate limits connections (i.e. maximum X new connections per Y seconds). Then I tried making several PPTP connections in a short period of time and the rate limit indeed seemed to work. (I wasn't sure if that manual rule would be hit before the automatic one but it seems that the manual rule is hit first, which is good.)

                        In addition, I added another manual rule to block PPTP connections during the evenings and wee hours of the morning. I put that rule above the other manual rule. I tested that rule and it seems to work. That is, when the schedule is in effect and I try to make a PPTP connection that rule gets hit before my other rule and the connection gets blocked, which is good.

                        Have I done enough to make PPTP reasonably secure? (I've only ever used OpenVPN or IPSec for VPNs)
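A detection-side counterpart to the rate-limit rule described above, added as an example (not code from the thread or from pfSense): it applies the same "more than X new connections per Y seconds" test to pptps log lines of the shape quoted earlier in the thread, so you can see from the VPN log which sources the firewall rule would have throttled. The lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the 2011 year are constructed; treating one "closing connection with" line as one control-connection attempt is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed pptps lines in the shape of "pptp0: closing connection with <ip> <port>" quoted above;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real clients.
SAMPLE_LOG = """\
Jan 7 00:13:25\tpptps: pptp0: closing connection with 203.0.113.7 56718
Jan 7 00:13:27\tpptps: pptp0: closing connection with 203.0.113.7 56720
Jan 7 00:13:29\tpptps: pptp0: closing connection with 203.0.113.7 56722
Jan 7 00:13:31\tpptps: pptp0: closing connection with 203.0.113.7 56724
Jan 7 00:13:40\tpptps: pptp0: closing connection with 203.0.113.7 56726
Jan 7 00:20:00\tpptps: pptp0: closing connection with 198.51.100.9 40001
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+pptps: \S+ closing connection with (\d+\.\d+\.\d+\.\d+) \d+")

def find_bursts(log_text, max_conns=3, per_seconds=30, year=2011):
    """Return {source_ip: time} for sources with more than max_conns PPTP control connections in per_seconds."""
    recent = defaultdict(deque)   # source ip -> timestamps still inside the sliding window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog lines omit the year
        src = m.group(2)
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > per_seconds:
            window.popleft()
        if len(window) > max_conns and src not in flagged:
            flagged[src] = ts   # first moment this source crossed the threshold
    return flagged
```

With the constructed sample, 203.0.113.7 is flagged on its fourth connection within 30 seconds and the single connection from 198.51.100.9 is not.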

                          jimp (Rebel Alliance Developer Netgate)

                          Seems reasonable, though you may regret that one late night far away from the router when you need to get on the VPN from your phone :-)

                          The rate limiting alone is probably sufficient, especially if you don't have any other valid users besides your one with a long/obscure username and password.


                            cyboc

                            @jimp:

                            Seems reasonable, though you may regret that one late night far away from the router when you need to get on the VPN from your phone :-)

                            Good point, though I've always got the (slightly less convenient) option of using SSH with tunnels, which I don't have time-limited. :-)

                            I also carry my little netbook with an OpenVPN client almost everywhere I go. :-)

                              jimp (Rebel Alliance Developer Netgate)

                              Sounds like a good plan then. Especially if you can tether/hotspot your phone and use the netbook.


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.