Android VPN L2TP/IPSEC PSK Doesn't Connect

Question

I'm having trouble connecting my Android 2.3.5 phone to my Astaro box. I'm able connect Windows machines to Astaro using a preshared key just fine, but Android doesn't work. I'm running Astaro 8.302.

My network is as follows:
Modem (in bridged mode) --> Astaro Box

L2TP/IPSEC settings:
Interface: External
Authentication: Preshared key
Assign IP Address: IP Address Pool
Pool Network: VPN Pool (L2TP)

Firewall:
Source: VPN Pool (L2TP)
Service: Any
Destination: Internal Network

NAT Masquerading Rule:
VPN Pool (L2TP) --> External (Bottom position)

I know how to retrieve the logs, but I don't know enough to be able to diagnose the problem just by reading the logs. Does anyone have any suggestions on what I need to do?

Here's a copy of the IPSEC log from Astaro (Android IP is removed):


2012:05:07-08:32:24 sqlguy pppd-l2tp[23587]: rcvd [LCP TermReq id=0x8 "R_oD\000:6137: received Vendor ID payload [RFC 3947]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [FRAGMENTATION 80000000]

2012:05:07-08:32:48 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[9] :6137 #21: responding to Main Mode from unknown peer :6137

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[9] :6137 #21: NAT-Traversal: Result using RFC 3947: peer is NATed

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[9] :6137 #21: Peer ID is ID_IPV4_ADDR: '10.247.1.177'

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[10] :6137 #21: deleting connection "S_REF_IpsL2t1_1"[9] instance with peer  {isakmp=#0/ipsec=#0}

2012:05:07-08:32:49 sqlguy pluto[15886]: | NAT-T: new mapping :6137/6131)

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[10] :6131 #21: sent MR3, ISAKMP SA established

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[10] :6131 #21: ignoring informational payload, type IPSEC_INITIAL_CONTACT

2012:05:07-08:32:50 sqlguy pluto[15886]: "S_REF_IpsL2t1_0"[5] :6131 #22: responding to Quick Mode

2012:05:07-08:32:50 sqlguy pluto[15886]: "S_REF_IpsL2t1_0"[5] :6131 #22: IPsec SA established {ESP=>0x09ee6096

This thread was automatically locked due to age.

elyakoubi ahmed · Answer

I have a vpn account from a L2TP/IPSEC VPN Server and use four attributes to connect it from Android or Windows devices: IP Adress, User Name, User Password and PreShared Key. I can connect with these details successfully manually. I also want to connect it programmatically in Android 4.x. please help me

BAlfson · Answer

Hi, Ahmed, and welcome to the UTM Community! 
 Please show us the corresponding lines from the UTM's IPsec log. 
 Cheers - Bob

elyakoubi ahmed · Answer

hi Balfson , thank u very much for help, this is the laucher activity and the service when Vpn is configured. if u want the source code of my project y can see : source code : https://github.com/luojiesi/android-vpn-server Laucher activity: package org.zju.luojs; import com.android.server.vpn.R; import com.android.server.vpn.VpnServiceBinder; import android.annotation.TargetApi; import android.app.Activity; import android.content.ComponentName; import android.content.Intent; import android.content.ServiceConnection; import android.net.VpnService; import android.net.vpn.IVpnService; import android.net.vpn.L2tpIpsecPskProfile; import android.net.vpn.VpnProfile; import android.net.vpn.VpnState; import android.os.Build; import android.os.Bundle; import android.os.IBinder; import android.os.RemoteException; import android.view.View; import android.widget.Button; import android.widget.TextView; import android.widget.Toast; public class MyVpn extends Activity { Button connect,stopper; Intent mIntent; /** Called when the activity is first created. */ boolean mBounded; //VpnServiceBinder mServer; IVpnService mLocalBinder=null; L2tpIpsecPskProfile vpnProfile; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); connect = (Button) findViewById(R.id.activer); stopper = (Button) findViewById(R.id.desactiver); final TextView timestampText = (TextView) findViewById(R.id.timestamp_text); vpnProfile= new L2tpIpsecPskProfile(); vpnProfile.setServerName("213.246.57.148"); vpnProfile.setName("ahmedVPN"); //vpnProfile.setId("android.uid.system"); vpnProfile.setPresharedKey("vpn123456"); connect.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { if(mBounded){ // Toast.makeText(MyVpn.this, vpnProfile.getServerName().toString(), Toast.LENGTH_LONG).show(); /* try { timestampText.setText((mLocalBinder).getTimestamp()); } catch (RemoteException e) { e.printStackTrace(); }*/ try { mBounded=(mLocalBinder).connect(vpnProfile,"android","android"); } catch (RemoteException e) { e.printStackTrace(); } } else { bindService(mIntent, mConnection, BIND_AUTO_CREATE); try { mBounded=(mLocalBinder).connect(vpnProfile,"android","android"); } catch (RemoteException e) { e.printStackTrace(); } } } }); stopper.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { if (mBounded) { unbindService(mConnection); mBounded = false; // Toast.makeText(MyVpn.this, "mbouded true", Toast.LENGTH_LONG).show(); } stopService(mIntent); timestampText.setText(""); // Toast.makeText(MyVpn.this, "mbouded false", Toast.LENGTH_LONG).show(); } }); } @Override protected void onStart() { super.onStart(); mIntent = new Intent(this, VpnServiceBinder.class); bindService(mIntent, mConnection, BIND_AUTO_CREATE); }; ServiceConnection mConnection = new ServiceConnection() { public void onServiceDisconnected(ComponentName name) { Toast.makeText(MyVpn.this, "Service is disconnected", Toast.LENGTH_LONG).show(); mBounded = false; } public void onServiceConnected(ComponentName name, IBinder service) { mLocalBinder = IVpnService.Stub.asInterface(service); Toast.makeText(MyVpn.this, "Service is connected", Toast.LENGTH_LONG).show(); mBounded = true; } }; @Override protected void onStop() { super.onStop(); if(mBounded) { unbindService(mConnection); mBounded = false; } }; } VPNDaemon: /* * Copyright (C) 2009, The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * www.apache.org/.../LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server.vpn; import android.util.Log; import java.io.IOException; import java.io.Serializable; import java.util.ArrayList; import java.util.Arrays; import java.util.List; /** * A helper class for managing native VPN daemons. */ class VpnDaemons implements Serializable { static final long serialVersionUID = 1L; private final String TAG = VpnDaemons.class.getSimpleName(); private static final String MTPD = "mtpd"; private static final String IPSEC = "racoon"; private static final String L2TP = "l2tp"; private static final String L2TP_PORT = "8554"; private static final String PPTP = "pptp"; private static final String PPTP_PORT = "8554"; private static final String VPN_LINKNAME = "vpn"; private static final String PPP_ARGS_SEPARATOR = ""; private List mDaemonList = new ArrayList(); public DaemonProxy startL2tp(String serverIp, String secret, String username, String password) throws IOException { return startMtpd(L2TP, serverIp, L2TP_PORT, secret, username, password, false); } public DaemonProxy startPptp(String serverIp, String username, String password, boolean encryption) throws IOException { return startMtpd(PPTP, serverIp, PPTP_PORT, null, username, password, encryption); } public DaemonProxy startIpsecForL2tp(String serverIp, String pskKey) throws IOException { DaemonProxy ipsec = startDaemon(IPSEC); ipsec.sendCommand(serverIp, L2TP_PORT, pskKey); return ipsec; } public DaemonProxy startIpsecForL2tp(String serverIp, String userKeyKey, String userCertKey, String caCertKey) throws IOException { DaemonProxy ipsec = startDaemon(IPSEC); ipsec.sendCommand(serverIp, L2TP_PORT, userKeyKey, userCertKey, caCertKey); return ipsec; } public synchronized void stopAll() { new DaemonProxy(MTPD).stop(); new DaemonProxy(IPSEC).stop(); } public synchronized void closeSockets() { for (DaemonProxy s : mDaemonList) s.closeControlSocket(); } public synchronized boolean anyDaemonStopped() { for (DaemonProxy s : mDaemonList) { if (s.isStopped()) { Log.w(TAG, " VPN daemon gone: " + s.getName()); return true; } } return false; } public synchronized int getSocketError() { for (DaemonProxy s : mDaemonList) { int errCode = getResultFromSocket(s); if (errCode != 0) return errCode; } return 0; } private synchronized DaemonProxy startDaemon(String daemonName) throws IOException { DaemonProxy daemon = new DaemonProxy(daemonName); mDaemonList.add(daemon); daemon.start(); return daemon; } private int getResultFromSocket(DaemonProxy s) { try { return s.getResultFromSocket(); } catch (IOException e) { return -1; } } private DaemonProxy startMtpd(String protocol, String serverIp, String port, String secret, String username, String password, boolean encryption) throws IOException { ArrayList args = new ArrayList(); args.addAll(Arrays.asList(protocol, serverIp, port)); if (secret != null) args.add(secret); args.add(PPP_ARGS_SEPARATOR); addPppArguments(args, serverIp, username, password, encryption); DaemonProxy mtpd = startDaemon(MTPD); mtpd.sendCommand(args.toArray(new String[args.size()])); return mtpd; } private static void addPppArguments(ArrayList args, String serverIp, String username, String password, boolean encryption) throws IOException { args.addAll(Arrays.asList( "linkname", VPN_LINKNAME, "name", username, "password", password, "refuse-eap", "nodefaultroute", "usepeerdns", "idle", "1800", "mtu", "1400", "mru", "1400")); if (encryption) { args.add("+mppe"); } } } DaemonProxy /* * Copyright (C) 2009, The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * www.apache.org/.../LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server.vpn; import android.util.Log; import java.io.IOException; import java.io.Serializable; import java.util.ArrayList; import java.util.Arrays; import java.util.List; /** * A helper class for managing native VPN daemons. */ class VpnDaemons implements Serializable { static final long serialVersionUID = 1L; private final String TAG = VpnDaemons.class.getSimpleName(); private static final String MTPD = "mtpd"; private static final String IPSEC = "racoon"; private static final String L2TP = "l2tp"; private static final String L2TP_PORT = "8554"; private static final String PPTP = "pptp"; private static final String PPTP_PORT = "8554"; private static final String VPN_LINKNAME = "vpn"; private static final String PPP_ARGS_SEPARATOR = ""; private List mDaemonList = new ArrayList(); public DaemonProxy startL2tp(String serverIp, String secret, String username, String password) throws IOException { return startMtpd(L2TP, serverIp, L2TP_PORT, secret, username, password, false); } public DaemonProxy startPptp(String serverIp, String username, String password, boolean encryption) throws IOException { return startMtpd(PPTP, serverIp, PPTP_PORT, null, username, password, encryption); } public DaemonProxy startIpsecForL2tp(String serverIp, String pskKey) throws IOException { DaemonProxy ipsec = startDaemon(IPSEC); ipsec.sendCommand(serverIp, L2TP_PORT, pskKey); return ipsec; } public DaemonProxy startIpsecForL2tp(String serverIp, String userKeyKey, String userCertKey, String caCertKey) throws IOException { DaemonProxy ipsec = startDaemon(IPSEC); ipsec.sendCommand(serverIp, L2TP_PORT, userKeyKey, userCertKey, caCertKey); return ipsec; } public synchronized void stopAll() { new DaemonProxy(MTPD).stop(); new DaemonProxy(IPSEC).stop(); } public synchronized void closeSockets() { for (DaemonProxy s : mDaemonList) s.closeControlSocket(); } public synchronized boolean anyDaemonStopped() { for (DaemonProxy s : mDaemonList) { if (s.isStopped()) { Log.w(TAG, " VPN daemon gone: " + s.getName()); return true; } } return false; } public synchronized int getSocketError() { for (DaemonProxy s : mDaemonList) { int errCode = getResultFromSocket(s); if (errCode != 0) return errCode; } return 0; } private synchronized DaemonProxy startDaemon(String daemonName) throws IOException { DaemonProxy daemon = new DaemonProxy(daemonName); mDaemonList.add(daemon); daemon.start(); return daemon; } private int getResultFromSocket(DaemonProxy s) { try { return s.getResultFromSocket(); } catch (IOException e) { return -1; } } private DaemonProxy startMtpd(String protocol, String serverIp, String port, String secret, String username, String password, boolean encryption) throws IOException { ArrayList args = new ArrayList(); args.addAll(Arrays.asList(protocol, serverIp, port)); if (secret != null) args.add(secret); args.add(PPP_ARGS_SEPARATOR); addPppArguments(args, serverIp, username, password, encryption); DaemonProxy mtpd = startDaemon(MTPD); mtpd.sendCommand(args.toArray(new String[args.size()])); return mtpd; } private static void addPppArguments(ArrayList args, String serverIp, String username, String password, boolean encryption) throws IOException { args.addAll(Arrays.asList( "linkname", VPN_LINKNAME, "name", username, "password", password, "refuse-eap", "nodefaultroute", "usepeerdns", "idle", "1800", "mtu", "1400", "mru", "1400")); if (encryption) { args.add("+mppe"); } } } VPNserviceBinder /* * Copyright (C) 2009, The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * www.apache.org/.../LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server.vpn; import android.app.Service; import android.content.Intent; import android.net.vpn.IVpnService; import android.net.vpn.L2tpIpsecProfile; import android.net.vpn.L2tpIpsecPskProfile; import android.net.vpn.L2tpProfile; import android.net.vpn.PptpProfile; import android.net.vpn.VpnManager; import android.net.vpn.VpnProfile; import android.net.vpn.VpnState; import android.os.Environment; import android.os.IBinder; import android.os.RemoteException; import android.os.SystemClock; import android.os.SystemProperties; import android.util.Log; import android.widget.Chronometer; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; /** * The service class for managing a VPN connection. It implements the * {@link IVpnService} binder interface. */ public class VpnServiceBinder extends Service { private static final String TAG = VpnServiceBinder.class.getSimpleName(); private static final boolean DBG = true; private static final String STATES_FILE_RELATIVE_PATH = "/misc/vpn/.states"; private Chronometer mChronometer; // The actual implementation is delegated to the VpnService class. private VpnService mService; private static String getStateFilePath() { return Environment.getDataDirectory().getPath() + STATES_FILE_RELATIVE_PATH; } private final IBinder mBinder = new IVpnService.Stub() { public boolean connect(VpnProfile p, String username, String password) { return VpnServiceBinder.this.connect(p, username, password); } public void disconnect() { VpnServiceBinder.this.disconnect(); stopSelf(); } public String getTimestamp() throws RemoteException { long elapsedMillis = SystemClock.elapsedRealtime() - mChronometer.getBase(); int hours = (int) (elapsedMillis / 3600000); int minutes = (int) (elapsedMillis - hours * 3600000) / 60000; int seconds = (int) (elapsedMillis - hours * 3600000 - minutes * 60000) / 1000; int millis = (int) (elapsedMillis - hours * 3600000 - minutes * 60000 - seconds * 1000); return hours + ":" + minutes + ":" + seconds + ":" + millis; } public void checkStatus(VpnProfile p) { VpnServiceBinder.this.checkStatus(p); } }; @Override public void onCreate() { super.onCreate(); checkSavedStates(); mChronometer = new Chronometer(this); mChronometer.setBase(SystemClock.elapsedRealtime()); mChronometer.start(); } @Override public void onDestroy() { super.onDestroy(); Log.v("log1", "in onDestroy"); mChronometer.stop(); } @Override public void onStart(Intent intent, int startId) { super.onStart(intent, startId); } @Override public IBinder onBind(Intent intent) { return mBinder; } void saveStates() throws IOException { if (DBG) Log.d("VpnServiceBinder", " saving states"); ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(getStateFilePath())); oos.writeObject(mService); oos.close(); } void removeStates() { try { File f = new File(getStateFilePath()); if (f.exists()) f.delete(); } catch (Throwable e) { if (DBG) Log.d("VpnServiceBinder", " remove states: " + e); } } private synchronized boolean connect(final VpnProfile p, final String username, final String password) { if (mService != null) return false; final VpnService s = mService = createService(p); new Thread(new Runnable() { public void run() { s.onConnect(username, password); } }).start(); return true; } private synchronized void disconnect() { if (mService == null) return; final VpnService s = mService; new Thread(new Runnable() { public void run() { s.onDisconnect(); } }).start(); } private synchronized void checkStatus(VpnProfile p) { if ((mService == null) || (!p.getName().equals(mService.mProfile.getName()))) { broadcastConnectivity(p.getName(), VpnState.IDLE); } else { broadcastConnectivity(p.getName(), mService.getState()); } } private void checkSavedStates() { try { ObjectInputStream ois = new ObjectInputStream(new FileInputStream( getStateFilePath())); mService = (VpnService) ois.readObject(); mService.recover(this); ois.close(); } catch (FileNotFoundException e) { // do nothing } catch (Throwable e) { Log.i("VpnServiceBinder", "recovery error, remove states: " + e); removeStates(); } } private VpnService createService(VpnProfile p) { switch (p.getType()) { case L2TP: L2tpService l2tp = new L2tpService(); l2tp.setContext(this, (L2tpProfile) p); return l2tp; case PPTP: PptpService pptp = new PptpService(); pptp.setContext(this, (PptpProfile) p); return pptp; case L2TP_IPSEC_PSK: L2tpIpsecPskService psk = new L2tpIpsecPskService(); psk.setContext(this, (L2tpIpsecPskProfile) p); return psk; case L2TP_IPSEC: L2tpIpsecService l2tpIpsec = new L2tpIpsecService(); l2tpIpsec.setContext(this, (L2tpIpsecProfile) p); return l2tpIpsec; default: return null; } } private void broadcastConnectivity(String name, VpnState s) { new VpnManager(this).broadcastConnectivity(name, s); } }