IPSEC, Android 3.1



  • Hello!

    I have been trying to set up my first VPN ever over the last few days, and it has been really hard, but I think I have come a long way now... but I have 2 problems left.

    my setup looks like this:
    Samsung Galaxy Pad 10.1 (Android 3.1) (dynamic IP with a no-ip DDNS) -> Internet -> WAN (dynamic IP with a no-ip DDNS) -> pfSense 2.0-RC3 AMD x64 (today's build) -> HP ProCurve switch (unmanaged) -> 192.168.0.0/24

    IPSec Phase2 set to "LAN SUBNET". Mobile Client 192.168.1.0/24.

    xxx.xxx.xxx.xxx = MY WAN IP

    $ cat /var/etc/racoon.conf
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
    	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    	isakmp xxx.xxx.xxx.xxx [500];
    	isakmp_natt xxx.xxx.xxx.xxx [4500];
    }
    
    mode_cfg
    {
    	auth_source system;
    	group_source system;
    	pool_size 253;
    	network4 192.168.1.1;
    	netmask4 255.255.255.0;
    	save_passwd on;
    }
    
    remote anonymous
    {
    	ph1id 1;
    	exchange_mode main;
    	my_identifier address xxx.xxx.xxx.xxx;
    
    	ike_frag on;
    	generate_policy = unique;
    	initial_contact = on;
    	nat_traversal = on;
    
    	support_proxy on;
    	proposal_check strict;
    	passive on;
    
    	proposal
    	{
    		authentication_method pre_shared_key;
    		encryption_algorithm aes 128;
    		hash_algorithm sha1;
    		dh_group 2;
    		lifetime time 106400 secs;
    	}
    }
    
    sainfo subnet 192.168.0.0/24 any anonymous
    {
    	remoteid 1;
    	encryption_algorithm aes 128;
    	authentication_algorithm hmac_sha1;
    
    	lifetime time 106400 secs;
    	compression_algorithm deflate;
    }
    

    xxx.xxx.xxx.xxx = MY WAN IP

    
    $ cat /var/etc/psk.txt
    mytablet	Password123
    yyy.no-ip.org	Password123
    yyy.yyy.yyy.yyy	Password123
    
    

    yyy = not my real no-ip.org address
    yyy.yyy.yyy.yyy = Tablet Android 3.1 WAN IP

    
    Jul 14 22:43:54 	racoon: [Unknown Gateway/Dynamic]: DEBUG: 128 bytes from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500]
    Jul 14 22:43:54 	racoon: [Unknown Gateway/Dynamic]: DEBUG: sockname xxx.xxx.xxx.xxx[500]
    Jul 14 22:43:54 	racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet from xxx.xxx.xxx.xxx[500]
    Jul 14 22:43:54 	racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet to yyy.yyy.yyy.yyy[500]
    Jul 14 22:43:54 	racoon: [Unknown Gateway/Dynamic]: DEBUG: 1 times of 128 bytes message will be sent to yyy.yyy.yyy.yyy[500]
    
    

    xxx.xxx.xxx.xxx = PFSense WAN IP
    yyy.yyy.yyy.yyy = Tablet Android 3.1 WAN IP

    
    Jul 14 22:44:17 	racoon: DEBUG: getsainfo params: loc='xxx.xxx.xxx.xxx' rmt='yyy.yyy.yyy.yyy' peer='yyy.yyy.yyy.yyy' client='yyy.yyy.yyy.yyy' id=1
    Jul 14 22:44:17 	racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='ANONYMOUS', peer='ANY', id=1
    Jul 14 22:44:17 	racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    Jul 14 22:44:17 	racoon: DEBUG: cmpid target: 'xxx.xxx.xxx.xxx'
    Jul 14 22:44:17 	racoon: DEBUG: cmpid source: '192.168.0.0/24'
    Jul 14 22:44:17 	racoon: ERROR: failed to get sainfo.
    Jul 14 22:44:17 	racoon: ERROR: failed to get sainfo.
    Jul 14 22:44:17 	racoon: [yyy.yyy.yyy.yyy] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 14 22:44:17 	racoon: DEBUG: IV freed
    
    

    xxx.xxx.xxx.xxx = PFSense WAN IP
    yyy.yyy.yyy.yyy = Tablet Android 3.1 WAN IP

    Anyone here got a clue what I have done wrong? As I said before, this is my first VPN EVER.



  • Is this because my tablet uses a 3G connection? And if so, is there a way to work around it?



  • I think I just found something...

    $ cat /var/etc/spd.conf
    spdadd 192.168.0.1/32 192.168.0.0/24 any -P out none;
    spdadd 192.168.0.0/24 192.168.0.1/32 any -P in none;

    $ setkey -DP
    192.168.0.0/24[any] 192.168.0.1[any] 255
    in none
    spid=2 seq=1 pid=40194
    refcnt=1
    192.168.0.1[any] 192.168.0.0/24[any] 255
    out none
    spid=1 seq=0 pid=40194
    refcnt=1

    Is this really correct?





  • Yeah... I followed that guide like it was a bible... I can't get my Galaxy Pad 10.1 or my HTC Desire (with Android 2.3.3) to work with that.



