VPN Android



  • Hello,

    I'm trying to connect an Android 2.1 phone to pfSense over 3G+. I've read something about NAT-T because of the mobile provider. With PPTP I get no connection. With L2TP my phone says there is perhaps a problem with auth. The pfSense log says:

    l2tps: Incoming L2TP packet from xyz 50672
    l2tps: L2TP: Control connection 0x28613a04 terminated: 0 ()
    l2tps: L2TP: Control connection 0x28613a04 destroyed

    I have no idea about L2TP/IPSec. Is it possible to configure L2TP with IPSec in pfSense? My phone supports PSK and certs.

    Greetings

    BJ01090



  • I tried briefly with my Android.

    Got a valid connection (phone showed VPN connected) with L2TP, but then the traffic showed weird errors:

    Jan 7 00:16:02  l2tp0  10.196.31.170:50746  123.123.123.123:443  TCP:FPA
    Jan 7 00:16:00  l2tp0  10.196.31.170:56853  123.123.123.123:443  TCP:FPA
    Jan 7 00:15:52  l2tp0  10.196.31.170:50746  123.123.123.123:443  TCP:FPA
    Jan 7 00:15:52  l2tp0  10.196.31.170:47477  111.111.111.111:80   TCP:FA
    Jan 7 00:15:51  l2tp0  10.196.31.170:56853  123.123.123.123:443  TCP:FPA

    Obscured a real IP with 123.123.123.123 and another with 111.111.111.111.

    Authentication seemed to work, but then the traffic seemed to be screwy. I am sure this is something I did.

    I could not get IPSec or PPTP to connect successfully.

    IPSec returned "ERROR: not acceptable Identity Protection mode".

    PPTP returned:

    
    Last 60 VPN log entries
    Jan 7 00:13:28	pptps: pptp0: killing connection with 74.198.12.3 56718
    Jan 7 00:13:28	pptps: pptp0: no reply to StopCtrlConnRequest after 3 sec
    Jan 7 00:13:25	pptps: pptp0: closing connection with 74.198.12.3 56718
    Jan 7 00:13:25	pptps: [pt0] LCP: state change Closed --> Initial
    Jan 7 00:13:25	pptps: [pt0] LCP: Down event
    Jan 7 00:13:25	pptps: [pt0] LCP: state change Stopped --> Closed
    Jan 7 00:13:25	pptps: [pt0] LCP: Close event
    Jan 7 00:13:25	pptps: [pt0] link: DOWN event
    Jan 7 00:13:25	pptps: [pt0] PPTP call terminated
    Jan 7 00:13:25	pptps: pptp0-0: killing channel
    Jan 7 00:13:25	pptps: pptp0-0: clearing call
    Jan 7 00:13:25	pptps: [pt0] LCP: LayerFinish
    Jan 7 00:13:25	pptps: [pt0] LCP: state change Ack-Sent --> Stopped
    Jan 7 00:13:25	pptps: [pt0] LCP: parameter negotiation failed
    Jan 7 00:13:23	pptps: ACFCOMP
    Jan 7 00:13:23	pptps: PROTOCOMP
    Jan 7 00:13:23	pptps: MAGICNUM 33aa8726
    Jan 7 00:13:23	pptps: ACCMAP 0x00000000
    Jan 7 00:13:23	pptps: MRU 1400
    Jan 7 00:13:23	pptps: [pt0] LCP: SendConfigAck #1
    

    I think the "parameter negotiation failed" is the problem.

    So no success for me from an Android 2.2 (Magic).  I may try again tomorrow when I have time to look up these errors and exactly what is supported for VPN on Android.





    Thanks for the link. So PPTP and L2TP (without shared key) should work. Is it possible when the phone is behind a NAT? And how do I configure L2TP?

    Greetings

    BJ01090

    I've tried L2TP with following settings:
    Interface: WAN
    Server address: 192.168.102.250 (I also tried the external IP from WAN)
    Remote address range: 192.168.102.0
    Subnet netmask: 23
    Number of L2TP users: 5
    Secret: not defined
    Encryption type: CHAP

    And got this:

    
    Jan 7 12:57:36 	l2tps: Incoming L2TP packet from 92.116.154.122 36304
    Jan 7 12:57:44 	l2tps: L2TP: Control connection 0x28613884 connected
    Jan 7 12:57:44 	l2tps: L2TP: Incoming call #1266886248 via connection 0x28613884 received
    Jan 7 12:57:44 	l2tps: [l2tp0] L2TP: Incoming call #1266886248 via control connection 0x28613884 accepted
    Jan 7 12:57:44 	l2tps: [l2tp0] opening link "l2tp0"...
    Jan 7 12:57:44 	l2tps: [l2tp0] link: OPEN event
    Jan 7 12:57:44 	l2tps: [l2tp0] LCP: Open event
    Jan 7 12:57:44 	l2tps: [l2tp0] LCP: state change Initial --> Starting
    Jan 7 12:57:44 	l2tps: [l2tp0] LCP: LayerStart
    Jan 7 12:57:44 	l2tps: [l2tp0] L2TP: Call #1266886248 connected
    Jan 7 12:57:44 	l2tps: [l2tp0] link: UP event
    Jan 7 12:57:44 	l2tps: [l2tp0] link: origination is remote
    Jan 7 12:57:44 	l2tps: [l2tp0] LCP: Up event
    Jan 7 12:57:44 	l2tps: [l2tp0] LCP: state change Starting --> Req-Sent
    Jan 7 12:57:44 	l2tps: [l2tp0] LCP: SendConfigReq #11
    Jan 7 12:57:44 	l2tps: ACFCOMP
    Jan 7 12:57:44 	l2tps: PROTOCOMP
    Jan 7 12:57:44 	l2tps: MRU 1500
    Jan 7 12:57:44 	l2tps: MAGICNUM d670890b
    Jan 7 12:57:44 	l2tps: AUTHPROTO CHAP MD5
    Jan 7 12:57:46 	l2tps: [l2tp0] LCP: SendConfigReq #12
    Jan 7 12:57:46 	l2tps: ACFCOMP
    Jan 7 12:57:46 	l2tps: PROTOCOMP
    Jan 7 12:57:46 	l2tps: MRU 1500
    Jan 7 12:57:46 	l2tps: MAGICNUM d670890b
    Jan 7 12:57:46 	l2tps: AUTHPROTO CHAP MD5
    Jan 7 12:57:48 	l2tps: [l2tp0] LCP: SendConfigReq #13
    Jan 7 12:57:48 	l2tps: ACFCOMP
    Jan 7 12:57:48 	l2tps: PROTOCOMP
    Jan 7 12:57:48 	l2tps: MRU 1500
    Jan 7 12:57:48 	l2tps: MAGICNUM d670890b
    Jan 7 12:57:48 	l2tps: AUTHPROTO CHAP MD5
    Jan 7 12:58:02 	l2tps: [l2tp0] LCP: SendConfigReq #20
    Jan 7 12:58:02 	l2tps: ACFCOMP
    Jan 7 12:58:02 	l2tps: PROTOCOMP
    Jan 7 12:58:02 	l2tps: MRU 1500
    Jan 7 12:58:02 	l2tps: MAGICNUM d670890b
    Jan 7 12:58:02 	l2tps: AUTHPROTO CHAP MD5
    Jan 7 12:58:05 	l2tps: [l2tp0] LCP: parameter negotiation failed
    Jan 7 12:58:05 	l2tps: [l2tp0] LCP: state change Req-Sent --> Stopped
    Jan 7 12:58:05 	l2tps: [l2tp0] LCP: LayerFinish
    Jan 7 12:58:05 	l2tps: [l2tp0] link: DOWN event
    Jan 7 12:58:05 	l2tps: [l2tp0] LCP: Close event
    Jan 7 12:58:05 	l2tps: [l2tp0] LCP: state change Stopped --> Closed
    Jan 7 12:58:05 	l2tps: [l2tp0] LCP: Down event
    Jan 7 12:58:05 	l2tps: [l2tp0] LCP: state change Closed --> Initial
    Jan 7 12:58:05 	l2tps: [l2tp0] L2TP: Call #1266886248 terminated locally
    Jan 7 12:58:05 	l2tps: L2TP: Control connection 0x28613884 terminated: 0 (no more sessions exist in this tunnel)
    Jan 7 12:58:16 	l2tps: L2TP: Control connection 0x28613884 destroyed
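
Both log pastes in this thread (the PPTP one in the reply above and the L2TP one just here) end in "LCP: parameter negotiation failed", and reading them by hand is error-prone because the "Last 60 VPN log entries" view lists newest lines first while a copied log file is oldest first, and the option lines (MRU, AUTHPROTO, ...) carry no [link] prefix. The script below is an added example, not a pfSense or mpd tool: it parses the two excerpts quoted from this thread (whitespace normalised, intermediate retransmissions and the real source addresses left out), restores chronological order, attaches each packet's option lines to the packet that printed them, and summarises per PPP link what was sent, what came back, and the final LCP state. The "rec'd" match for packets from the peer is mpd's wording as I know it and does not occur in these pastes.

```python
"""Summarise LCP negotiation from the mpd (l2tps/pptps) lines pfSense shows in its VPN log.
Added example, not a pfSense tool; it reads the two excerpts quoted in this thread."""
import re
from datetime import datetime

# Excerpt of the L2TP log posted above (oldest line first; retransmissions #12-#19 omitted).
L2TP_LOG = """\
Jan 7 12:57:44 l2tps: L2TP: Control connection 0x28613884 connected
Jan 7 12:57:44 l2tps: [l2tp0] LCP: state change Starting --> Req-Sent
Jan 7 12:57:44 l2tps: [l2tp0] LCP: SendConfigReq #11
Jan 7 12:57:44 l2tps: ACFCOMP
Jan 7 12:57:44 l2tps: PROTOCOMP
Jan 7 12:57:44 l2tps: MRU 1500
Jan 7 12:57:44 l2tps: MAGICNUM d670890b
Jan 7 12:57:44 l2tps: AUTHPROTO CHAP MD5
Jan 7 12:58:02 l2tps: [l2tp0] LCP: SendConfigReq #20
Jan 7 12:58:02 l2tps: ACFCOMP
Jan 7 12:58:02 l2tps: PROTOCOMP
Jan 7 12:58:02 l2tps: MRU 1500
Jan 7 12:58:02 l2tps: MAGICNUM d670890b
Jan 7 12:58:02 l2tps: AUTHPROTO CHAP MD5
Jan 7 12:58:05 l2tps: [l2tp0] LCP: parameter negotiation failed
Jan 7 12:58:05 l2tps: [l2tp0] LCP: state change Req-Sent --> Stopped
Jan 7 12:58:05 l2tps: [l2tp0] LCP: state change Closed --> Initial
Jan 7 12:58:05 l2tps: L2TP: Control connection 0x28613884 terminated: 0 (no more sessions exist in this tunnel)
"""
# Excerpt of the PPTP log posted above, copied from the "Last 60 VPN log entries" view (newest first).
PPTP_LOG = """\
Jan 7 00:13:25 pptps: [pt0] LCP: state change Closed --> Initial
Jan 7 00:13:25 pptps: [pt0] LCP: state change Ack-Sent --> Stopped
Jan 7 00:13:25 pptps: [pt0] LCP: parameter negotiation failed
Jan 7 00:13:23 pptps: ACFCOMP
Jan 7 00:13:23 pptps: PROTOCOMP
Jan 7 00:13:23 pptps: MAGICNUM 33aa8726
Jan 7 00:13:23 pptps: ACCMAP 0x00000000
Jan 7 00:13:23 pptps: MRU 1400
Jan 7 00:13:23 pptps: [pt0] LCP: SendConfigAck #1
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<daemon>\w+):\s*"
                     r"(?:\[(?P<link>[^\]]+)\]\s*)?(?P<msg>.*?)\s*$")
OPTION_RE = re.compile(r"^[A-Z][A-Z0-9]+(?:\s|$)")   # ACFCOMP, MRU 1500, AUTHPROTO CHAP MD5, ...


def _ts(stamp):
    return datetime.strptime(stamp, "%b %d %H:%M:%S")   # year-less syslog stamp, ordering only


def parse_mpd_log(text):
    """Return {link: summary} for every PPP link ([l2tp0], [pt0], ...) seen in the log."""
    entries = [m for m in map(LINE_RE.match, (l.strip() for l in text.splitlines())) if m]
    if len(entries) > 1 and _ts(entries[0]["ts"]) > _ts(entries[-1]["ts"]):
        entries.reverse()                   # newest-first paste: restore chronological order
    links, pending = {}, None               # pending: option list of the packet being printed
    for m in entries:
        link, msg = m["link"], m["msg"]
        if link is None:                    # option lines carry no [link] prefix
            if pending is not None and OPTION_RE.match(msg):
                pending.append(msg)
            else:
                pending = None
            continue
        s = links.setdefault(link, {"daemon": m["daemon"], "req_sent": 0, "ack_sent": 0,
                                    "received": 0, "our_options": [], "peer_options": [],
                                    "failed": False, "final_state": None})
        pending = None
        if "LCP: SendConfigReq" in msg:
            s["req_sent"] += 1
            s["our_options"] = pending = []  # options of our latest request follow on the next lines
        elif "LCP: SendConfigAck" in msg:
            s["ack_sent"] += 1
            s["peer_options"] = pending = [] # the peer's request we just acknowledged
        elif "LCP: rec'd" in msg:           # mpd's wording for LCP packets from the peer (none here)
            s["received"] += 1
        elif "parameter negotiation failed" in msg:
            s["failed"] = True
        elif "state change" in msg:
            s["final_state"] = msg.rsplit("--> ", 1)[1]
    return links


def diagnose(link, s):
    """One-line reading of a link's summary, limited to what the log lines actually show."""
    if not s["failed"]:
        return f"{link}: no LCP failure logged (final state {s['final_state']})"
    if s["req_sent"] and not s["received"]:
        return (f"{link}: our LCP ConfigReq went out {s['req_sent']} times ({', '.join(s['our_options'])}) "
                f"and no LCP packet from the peer was logged before mpd gave up")
    if s["ack_sent"] and not s["req_sent"]:
        return (f"{link}: we acknowledged the peer's request ({', '.join(s['peer_options'])}) but within "
                f"this excerpt nothing of ours was acknowledged before the link dropped to {s['final_state']}")
    return f"{link}: LCP failed after {s['req_sent']} req / {s['ack_sent']} ack sent, {s['received']} received"


if __name__ == "__main__":
    for name, log in (("L2TP", L2TP_LOG), ("PPTP", PPTP_LOG)):
        for link, summary in parse_mpd_log(log).items():
            print(name, "->", diagnose(link, summary))
```

Run it on a fuller paste from Status > System Logs > VPN to get the same summary for every link in the window; the point of the output is that in the L2TP case the tunnel came up and mpd's own LCP request was simply never answered, which separates a PPP-layer problem from the L2TP control-connection and authentication stages the phone reports on.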
    
    


  • @cmb:

    You see this?
    http://doc.pfsense.org/index.php/Android_VPN_Connectivity

    This doesn't make sense. My old 1.2.3-based router worked 100% with my Android phone over PPTP, yet my 2.0 setup won't connect…



  • @adrianhensler:

    I could not get IPSec or PPTP to connect successfully.

    IPSec returned "ERROR: not acceptable Identity Protection mode".

    I get the same error on an HTC Desire running Android 2.2. I think this is because the IPSec client on my HTC does not seem to have a field for configuring the identifier associated with the PSK on the "Pre-shared keys" tab in the IPSec config page in pfSense. On the phone, there is only a field for the PSK. Well, maybe I'm blind but I can't find the identifier field. Can anyone confirm that this is the cause of the message "ERROR: not acceptable Identity Protection mode"? If so, are there any workarounds that don't involve rooting the phone?


  • Rebel Alliance Developer Netgate

    IPsec+L2TP won't work as things are right now, and probably won't work in 2.0.

    The identifier is part of the problem, the phone always uses its IP address as its identifier, which is really a problem as there is no way to know the phone's IP ahead of time. The fix for this requires patching racoon to accept anonymous PSKs, which is a rather large security risk.

    I haven't tried L2TP in a while but when I wrote the Android VPN doc for the wiki I had no trouble connecting to a router and surfing the web over an L2TP VPN.

    I really wish someone could figure out how to do an OpenVPN client on Android without rooting. I'd pay good money for that. :-)



  • Jimp,

    Thanks for the comments. Would L2TP be preferred over PPTP? I noticed that the Android doc in the wiki says that both work.

    I'm with you on the OpenVPN comment.

    Joe


  • Rebel Alliance Developer Netgate

    If you want encryption, PPTP with a looooong password. If you just want tunneling with no encryption, L2TP. That's why most people want L2TP+IPsec, IPsec encrypts the link between the router and the phone's public IP, L2TP provides the tunneling.



  • I just tried PPTP and it seems to work fine. I used a long password and also a long, obscure user name.

    I noticed that when you enable PPTP, it automatically creates a hidden firewall rule that allows connections from anywhere to the PPTP port (TCP 1723).

    To try to limit brute-forcers, I added two additional firewall rules manually. First, I added another rule that is the same as the automatic rule (i.e. allow TCP 1723 from any) except it rate limits connections (i.e. maximum X new connections per Y seconds). Then I tried making several PPTP connections in a short period of time and the rate limit indeed seemed to work. (I wasn't sure if that manual rule would be hit before the automatic one but it seems that the manual rule is hit first, which is good.)

    In addition, I added another manual rule to block PPTP connections during the evenings and wee hours of the morning. I put that rule above the other manual rule. I tested that rule and it seems to work. That is, when the schedule is in effect and I try to make a PPTP connection that rule gets hit before my other rule and the connection gets blocked, which is good.

    Have I done enough to make PPTP reasonably secure? (I've only ever used OpenVPN or IPSec for VPNs)
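
The post above describes three rules for TCP/1723 and the question of which one a packet hits first: a scheduled block, a manual pass with "maximum X new connections per Y seconds", and the automatic pass pfSense adds when PPTP is enabled. The model below is an added example (my code, not pfSense's rule engine or anything the poster shared) that evaluates such a rule list first-match, the way pfSense's "quick" rules behave, against constructed connection attempts. The schedule (22:00 to 06:00), the limit (3 per 60 s), the ban length and the addresses are assumptions; the rate limit is modelled after pf's max-src-conn-rate with an overload table, which is what the "Maximum new connections per second(s)" rule option configures. Running it with the automatic rule first shows why the ordering the poster observed matters: neither manual rule is ever reached.

```python
"""First-match evaluation of the three PPTP rules discussed above (added example, assumptions
labelled below). Each rule sees one inbound TCP/1723 connection attempt from a source address."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta


def in_schedule(ts, start, end):
    """True if ts falls inside a daily window; wraps past midnight when start > end."""
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)


class RateLimiter:
    """'Maximum max_conns new connections per window_s seconds' per source address. Exceeding
    it blocks the source for ban_s seconds, like pf's max-src-conn-rate plus overload table;
    the ban length is an assumption (pfSense clears that table on its own schedule)."""

    def __init__(self, max_conns, window_s, ban_s):
        self.max_conns, self.window_s, self.ban_s = max_conns, window_s, ban_s
        self.hits = defaultdict(deque)      # src -> timestamps of recent new connections
        self.banned_until = {}              # src -> datetime at which the block expires

    def allow(self, src, ts):
        until = self.banned_until.get(src)
        if until is not None and ts < until:
            return False
        q = self.hits[src]
        while q and (ts - q[0]).total_seconds() >= self.window_s:
            q.popleft()                     # drop connections outside the sliding window
        q.append(ts)
        if len(q) > self.max_conns:
            self.banned_until[src] = ts + timedelta(seconds=self.ban_s)
            q.clear()
            return False
        return True


def make_rules(limiter, auto_rule_first=False, night=(time(22, 0), time(6, 0))):
    """Rule list in evaluation order. A rule returns 'pass', 'block' or None (no match)."""
    def block_at_night(src, ts):
        return "block" if in_schedule(ts, *night) else None

    def pass_rate_limited(src, ts):
        # In pf the overloaded source is blocked by the table rule, not by the pass rule
        # itself; returning 'block' here keeps the model to one function.
        return "pass" if limiter.allow(src, ts) else "block"

    def auto_pass(src, ts):
        return "pass"                       # the hidden rule pfSense adds: TCP 1723 from any

    manual = [("block-pptp-at-night", block_at_night), ("pptp-rate-limit", pass_rate_limited)]
    auto = [("auto-pass-pptp", auto_pass)]
    return auto + manual if auto_rule_first else manual + auto


def evaluate(rules, src, ts):
    """First matching rule wins (pfSense rules are 'quick'); default deny if none matches."""
    for name, rule in rules:
        verdict = rule(src, ts)
        if verdict is not None:
            return verdict, name
    return "block", "default-deny"


def simulate(auto_rule_first=False):
    """Constructed traffic: one source opening TCP/1723 six times in six seconds, then a
    legitimate phone once at midday and once at night. Returns (src, time, verdict, rule)."""
    limiter = RateLimiter(max_conns=3, window_s=60, ban_s=3600)
    rules = make_rules(limiter, auto_rule_first)
    noon = datetime(2011, 1, 7, 13, 0, 0)
    attempts = [("203.0.113.7", noon + timedelta(seconds=i)) for i in range(6)]
    attempts += [("198.51.100.9", noon + timedelta(seconds=10)),
                 ("198.51.100.9", datetime(2011, 1, 7, 23, 30, 0))]
    return [(src, ts.strftime("%H:%M:%S")) + evaluate(rules, src, ts) for src, ts in attempts]


if __name__ == "__main__":
    for order in (False, True):
        print("automatic rule first" if order else "manual rules first")
        for row in simulate(order):
            print("  %-14s %s %-5s %s" % row)
```

With the manual rules first, the fourth attempt from the hammering source trips the limit and the rest are dropped while the phone still gets through at midday and is blocked at 23:30 by the schedule; with the automatic rule first every attempt passes, so after changing rule order or upgrading it is worth repeating the poster's test of several quick connections rather than assuming the limit is still in front.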


  • Rebel Alliance Developer Netgate

    Seems reasonable, though you may regret that one late night far away from the router when you need to get on the VPN from your phone :-)

    The rate limiting enough is probably sufficient, especially if you don't have any other valid users besides your one with a long/obscure username and password.



  • @jimp:

    Seems reasonable, though you may regret that one late night far away from the router when you need to get on the VPN from your phone :-)

    Good point, though I've always got the (slightly less convenient) option of using SSH with tunnels, which I don't have time-limited. :-)

    I also carry my little netbook with an OpenVPN client almost everywhere I go. :-)


  • Rebel Alliance Developer Netgate

    Sounds like a good plan then. Especially if you can tether/hotspot your phone and use the netbook.

