Android VPN L2TP/IPSEC PSK Doesn't Connect

Question

I'm having trouble connecting my Android 2.3.5 phone to my Astaro box. I'm able connect Windows machines to Astaro using a preshared key just fine, but Android doesn't work. I'm running Astaro 8.302.

My network is as follows:
Modem (in bridged mode) --> Astaro Box

L2TP/IPSEC settings:
Interface: External
Authentication: Preshared key
Assign IP Address: IP Address Pool
Pool Network: VPN Pool (L2TP)

Firewall:
Source: VPN Pool (L2TP)
Service: Any
Destination: Internal Network

NAT Masquerading Rule:
VPN Pool (L2TP) --> External (Bottom position)

I know how to retrieve the logs, but I don't know enough to be able to diagnose the problem just by reading the logs. Does anyone have any suggestions on what I need to do?

Here's a copy of the IPSEC log from Astaro (Android IP is removed):


2012:05:07-08:32:24 sqlguy pppd-l2tp[23587]: rcvd [LCP TermReq id=0x8 "R_oD\000:6137: received Vendor ID payload [RFC 3947]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

2012:05:07-08:32:48 sqlguy pluto[15886]: packet from :6137: ignoring Vendor ID payload [FRAGMENTATION 80000000]

2012:05:07-08:32:48 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[9] :6137 #21: responding to Main Mode from unknown peer :6137

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[9] :6137 #21: NAT-Traversal: Result using RFC 3947: peer is NATed

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[9] :6137 #21: Peer ID is ID_IPV4_ADDR: '10.247.1.177'

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[10] :6137 #21: deleting connection "S_REF_IpsL2t1_1"[9] instance with peer  {isakmp=#0/ipsec=#0}

2012:05:07-08:32:49 sqlguy pluto[15886]: | NAT-T: new mapping :6137/6131)

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[10] :6131 #21: sent MR3, ISAKMP SA established

2012:05:07-08:32:49 sqlguy pluto[15886]: "S_REF_IpsL2t1_1"[10] :6131 #21: ignoring informational payload, type IPSEC_INITIAL_CONTACT

2012:05:07-08:32:50 sqlguy pluto[15886]: "S_REF_IpsL2t1_0"[5] :6131 #22: responding to Quick Mode

2012:05:07-08:32:50 sqlguy pluto[15886]: "S_REF_IpsL2t1_0"[5] :6131 #22: IPsec SA established {ESP=>0x09ee6096

This thread was automatically locked due to age.

elyakoubi ahmed · Answer

I have a vpn account from a L2TP/IPSEC VPN Server and use four attributes to connect it from Android or Windows devices: IP Adress, User Name, User Password and PreShared Key. I can connect with these details successfully manually. I also want to connect it programmatically in Android 4.x.

please help me

BAlfson · Answer

Hi, Ahmed, and welcome to the UTM Community! 
 Please show us the corresponding lines from the UTM's IPsec log. 
 Cheers - Bob

elyakoubi ahmed · Answer

hi Balfson ,

thank u very much for help,

this is the laucher activity and the service when Vpn is configured.

if u want the source code of my project y can see :

source code :

https://github.com/luojiesi/android-vpn-server

Laucher activity:

package org.zju.luojs;

import com.android.server.vpn.R;
import com.android.server.vpn.VpnServiceBinder;

import android.annotation.TargetApi;
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.ServiceConnection;
import android.net.VpnService;
import android.net.vpn.IVpnService;
import android.net.vpn.L2tpIpsecPskProfile;
import android.net.vpn.VpnProfile;
import android.net.vpn.VpnState;
import android.os.Build;
import android.os.Bundle;
import android.os.IBinder;
import android.os.RemoteException;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import android.widget.Toast;

public class MyVpn extends Activity {
Button connect,stopper;
Intent mIntent;
/** Called when the activity is first created. */
boolean mBounded;
//VpnServiceBinder mServer;
IVpnService mLocalBinder=null;
L2tpIpsecPskProfile vpnProfile;

@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
connect = (Button) findViewById(R.id.activer);
stopper = (Button) findViewById(R.id.desactiver);
final TextView timestampText = (TextView) findViewById(R.id.timestamp_text);

vpnProfile= new L2tpIpsecPskProfile();
vpnProfile.setServerName("213.246.57.148");
vpnProfile.setName("ahmedVPN");
//vpnProfile.setId("android.uid.system");
vpnProfile.setPresharedKey("vpn123456");

connect.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
if(mBounded){

// Toast.makeText(MyVpn.this, vpnProfile.getServerName().toString(), Toast.LENGTH_LONG).show();
/* try {
timestampText.setText((mLocalBinder).getTimestamp());
} catch (RemoteException e) {
e.printStackTrace();
}*/

try {
mBounded=(mLocalBinder).connect(vpnProfile,"android","android");
} catch (RemoteException e) {
e.printStackTrace();
}

}

else {
bindService(mIntent, mConnection, BIND_AUTO_CREATE);

try {
mBounded=(mLocalBinder).connect(vpnProfile,"android","android");
} catch (RemoteException e) {
e.printStackTrace();
}
}

}
});

stopper.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
if (mBounded) {
unbindService(mConnection);
mBounded = false;
// Toast.makeText(MyVpn.this, "mbouded true", Toast.LENGTH_LONG).show();

}
stopService(mIntent);
timestampText.setText("");

// Toast.makeText(MyVpn.this, "mbouded false", Toast.LENGTH_LONG).show();

}
});

}
@Override
protected void onStart() {
super.onStart();
mIntent = new Intent(this, VpnServiceBinder.class);
bindService(mIntent, mConnection, BIND_AUTO_CREATE);
};

ServiceConnection mConnection = new ServiceConnection() {

public void onServiceDisconnected(ComponentName name) {
Toast.makeText(MyVpn.this, "Service is disconnected", Toast.LENGTH_LONG).show();
mBounded = false;
}

public void onServiceConnected(ComponentName name, IBinder service) {
mLocalBinder = IVpnService.Stub.asInterface(service);

Toast.makeText(MyVpn.this, "Service is connected", Toast.LENGTH_LONG).show();
mBounded = true;

}
};

@Override
protected void onStop() {
super.onStop();
if(mBounded) {
unbindService(mConnection);
mBounded = false;
}
};
}

VPNDaemon:

/*
 * Copyright (C) 2009, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     www.apache.org/.../LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.server.vpn;

import android.util.Log;

import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * A helper class for managing native VPN daemons.
 */
class VpnDaemons implements Serializable {

    static final long serialVersionUID = 1L;
    private final String TAG = VpnDaemons.class.getSimpleName();

    private static final String MTPD = "mtpd";
    private static final String IPSEC = "racoon";

    private static final String L2TP = "l2tp";
    private static final String L2TP_PORT = "8554";

    private static final String PPTP = "pptp";
    private static final String PPTP_PORT = "8554";

    private static final String VPN_LINKNAME = "vpn";
    private static final String PPP_ARGS_SEPARATOR = "";

    private List<DaemonProxy> mDaemonList = new ArrayList<DaemonProxy>();

    public DaemonProxy startL2tp(String serverIp, String secret,
            String username, String password) throws IOException {
        return startMtpd(L2TP, serverIp, L2TP_PORT, secret, username, password,
                false);
    }

    public DaemonProxy startPptp(String serverIp, String username,
            String password, boolean encryption) throws IOException {
        return startMtpd(PPTP, serverIp, PPTP_PORT, null, username, password,
                encryption);
    }

    public DaemonProxy startIpsecForL2tp(String serverIp, String pskKey)
            throws IOException {
        DaemonProxy ipsec = startDaemon(IPSEC);
        ipsec.sendCommand(serverIp, L2TP_PORT, pskKey);
        return ipsec;
    }

    public DaemonProxy startIpsecForL2tp(String serverIp, String userKeyKey,
            String userCertKey, String caCertKey) throws IOException {
        DaemonProxy ipsec = startDaemon(IPSEC);
        ipsec.sendCommand(serverIp, L2TP_PORT, userKeyKey, userCertKey,
                caCertKey);
        return ipsec;
    }

    public synchronized void stopAll() {
        new DaemonProxy(MTPD).stop();
        new DaemonProxy(IPSEC).stop();
    }

    public synchronized void closeSockets() {
        for (DaemonProxy s : mDaemonList) s.closeControlSocket();
    }

    public synchronized boolean anyDaemonStopped() {
        for (DaemonProxy s : mDaemonList) {
            if (s.isStopped()) {
                Log.w(TAG, "    VPN daemon gone: " + s.getName());
                return true;
            }
        }
        return false;
    }

    public synchronized int getSocketError() {
        for (DaemonProxy s : mDaemonList) {
            int errCode = getResultFromSocket(s);
            if (errCode != 0) return errCode;
        }
        return 0;
    }

    private synchronized DaemonProxy startDaemon(String daemonName)
            throws IOException {
        DaemonProxy daemon = new DaemonProxy(daemonName);
        mDaemonList.add(daemon);
        daemon.start();
        return daemon;
    }

    private int getResultFromSocket(DaemonProxy s) {
        try {
            return s.getResultFromSocket();
        } catch (IOException e) {
            return -1;
        }
    }

    private DaemonProxy startMtpd(String protocol,
            String serverIp, String port, String secret, String username,
            String password, boolean encryption) throws IOException {
        ArrayList<String> args = new ArrayList<String>();
        args.addAll(Arrays.asList(protocol, serverIp, port));
        if (secret != null) args.add(secret);
        args.add(PPP_ARGS_SEPARATOR);
        addPppArguments(args, serverIp, username, password, encryption);

        DaemonProxy mtpd = startDaemon(MTPD);
        mtpd.sendCommand(args.toArray(new String[args.size()]));
        return mtpd;
    }

    private static void addPppArguments(ArrayList<String> args, String serverIp,
            String username, String password, boolean encryption)
            throws IOException {
        args.addAll(Arrays.asList(
                "linkname", VPN_LINKNAME,
                "name", username,
                "password", password,
                "refuse-eap", "nodefaultroute", "usepeerdns",
                "idle", "1800",
                "mtu", "1400",
                "mru", "1400"));
        if (encryption) {
            args.add("+mppe");
        }
    }
}



DaemonProxy

/*
 * Copyright (C) 2009, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     www.apache.org/.../LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.server.vpn;

import android.util.Log;

import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * A helper class for managing native VPN daemons.
 */
class VpnDaemons implements Serializable {

    static final long serialVersionUID = 1L;
    private final String TAG = VpnDaemons.class.getSimpleName();

    private static final String MTPD = "mtpd";
    private static final String IPSEC = "racoon";

    private static final String L2TP = "l2tp";
    private static final String L2TP_PORT = "8554";

    private static final String PPTP = "pptp";
    private static final String PPTP_PORT = "8554";

    private static final String VPN_LINKNAME = "vpn";
    private static final String PPP_ARGS_SEPARATOR = "";

    private List<DaemonProxy> mDaemonList = new ArrayList<DaemonProxy>();

    public DaemonProxy startL2tp(String serverIp, String secret,
            String username, String password) throws IOException {
        return startMtpd(L2TP, serverIp, L2TP_PORT, secret, username, password,
                false);
    }

    public DaemonProxy startPptp(String serverIp, String username,
            String password, boolean encryption) throws IOException {
        return startMtpd(PPTP, serverIp, PPTP_PORT, null, username, password,
                encryption);
    }

    public DaemonProxy startIpsecForL2tp(String serverIp, String pskKey)
            throws IOException {
        DaemonProxy ipsec = startDaemon(IPSEC);
        ipsec.sendCommand(serverIp, L2TP_PORT, pskKey);
        return ipsec;
    }

    public DaemonProxy startIpsecForL2tp(String serverIp, String userKeyKey,
            String userCertKey, String caCertKey) throws IOException {
        DaemonProxy ipsec = startDaemon(IPSEC);
        ipsec.sendCommand(serverIp, L2TP_PORT, userKeyKey, userCertKey,
                caCertKey);
        return ipsec;
    }

    public synchronized void stopAll() {
        new DaemonProxy(MTPD).stop();
        new DaemonProxy(IPSEC).stop();
    }

    public synchronized void closeSockets() {
        for (DaemonProxy s : mDaemonList) s.closeControlSocket();
    }

    public synchronized boolean anyDaemonStopped() {
        for (DaemonProxy s : mDaemonList) {
            if (s.isStopped()) {
                Log.w(TAG, "    VPN daemon gone: " + s.getName());
                return true;
            }
        }
        return false;
    }

    public synchronized int getSocketError() {
        for (DaemonProxy s : mDaemonList) {
            int errCode = getResultFromSocket(s);
            if (errCode != 0) return errCode;
        }
        return 0;
    }

    private synchronized DaemonProxy startDaemon(String daemonName)
            throws IOException {
        DaemonProxy daemon = new DaemonProxy(daemonName);
        mDaemonList.add(daemon);
        daemon.start();
        return daemon;
    }

    private int getResultFromSocket(DaemonProxy s) {
        try {
            return s.getResultFromSocket();
        } catch (IOException e) {
            return -1;
        }
    }

    private DaemonProxy startMtpd(String protocol,
            String serverIp, String port, String secret, String username,
            String password, boolean encryption) throws IOException {
        ArrayList<String> args = new ArrayList<String>();
        args.addAll(Arrays.asList(protocol, serverIp, port));
        if (secret != null) args.add(secret);
        args.add(PPP_ARGS_SEPARATOR);
        addPppArguments(args, serverIp, username, password, encryption);

        DaemonProxy mtpd = startDaemon(MTPD);
        mtpd.sendCommand(args.toArray(new String[args.size()]));
        return mtpd;
    }

    private static void addPppArguments(ArrayList<String> args, String serverIp,
            String username, String password, boolean encryption)
            throws IOException {
        args.addAll(Arrays.asList(
                "linkname", VPN_LINKNAME,
                "name", username,
                "password", password,
                "refuse-eap", "nodefaultroute", "usepeerdns",
                "idle", "1800",
                "mtu", "1400",
                "mru", "1400"));
        if (encryption) {
            args.add("+mppe");
        }
    }
}




VPNserviceBinder

/*
 * Copyright (C) 2009, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     www.apache.org/.../LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.server.vpn;

import android.app.Service;
import android.content.Intent;
import android.net.vpn.IVpnService;
import android.net.vpn.L2tpIpsecProfile;
import android.net.vpn.L2tpIpsecPskProfile;
import android.net.vpn.L2tpProfile;
import android.net.vpn.PptpProfile;
import android.net.vpn.VpnManager;
import android.net.vpn.VpnProfile;
import android.net.vpn.VpnState;
import android.os.Environment;
import android.os.IBinder;
import android.os.RemoteException;
import android.os.SystemClock;
import android.os.SystemProperties;
import android.util.Log;
import android.widget.Chronometer;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

/**
 * The service class for managing a VPN connection. It implements the
 * {@link IVpnService} binder interface.
 */
public class VpnServiceBinder extends Service {
    private static final String TAG = VpnServiceBinder.class.getSimpleName();
    private static final boolean DBG = true;

    private static final String STATES_FILE_RELATIVE_PATH = "/misc/vpn/.states";
    private Chronometer mChronometer;
    // The actual implementation is delegated to the VpnService class.
    private VpnService<? extends VpnProfile> mService;

    private static String getStateFilePath() {
   return Environment.getDataDirectory().getPath() + STATES_FILE_RELATIVE_PATH;
    }

    private final IBinder mBinder = new IVpnService.Stub() {



        public boolean connect(VpnProfile p, String username, String password) {
            return VpnServiceBinder.this.connect(p, username, password);
        }

        public void disconnect() {
            VpnServiceBinder.this.disconnect();
            stopSelf();
        }

        public String getTimestamp() throws RemoteException {
            long elapsedMillis = SystemClock.elapsedRealtime() - mChronometer.getBase();
            int hours = (int) (elapsedMillis / 3600000);
            int minutes = (int) (elapsedMillis - hours * 3600000) / 60000;
            int seconds = (int) (elapsedMillis - hours * 3600000 - minutes * 60000) / 1000;
            int millis = (int) (elapsedMillis - hours * 3600000 - minutes
                    * 60000 - seconds * 1000);
            return hours + ":" + minutes + ":" + seconds + ":" + millis;
        }

        public void checkStatus(VpnProfile p) {
            VpnServiceBinder.this.checkStatus(p);
        }
    };

    @Override
    public void onCreate() {
        super.onCreate();
        checkSavedStates();
        mChronometer = new Chronometer(this);
        mChronometer.setBase(SystemClock.elapsedRealtime());
        mChronometer.start();
    }

    @Override
    public void onDestroy() {
        super.onDestroy();
        Log.v("log1", "in onDestroy");
        mChronometer.stop();
    }


    @Override
    public void onStart(Intent intent, int startId) {
        super.onStart(intent, startId);
    }

    @Override
    public IBinder onBind(Intent intent) {
        return mBinder;
    }

    void saveStates() throws IOException {
        if (DBG) Log.d("VpnServiceBinder", "     saving states");
        ObjectOutputStream oos =
                new ObjectOutputStream(new FileOutputStream(getStateFilePath()));
        oos.writeObject(mService);
        oos.close();
    }



    void removeStates() {
        try {
            File f = new File(getStateFilePath());
            if (f.exists()) f.delete();
        } catch (Throwable e) {
            if (DBG) Log.d("VpnServiceBinder", "     remove states: " + e);
        }
    }

    private synchronized boolean connect(final VpnProfile p,
            final String username, final String password) {
        if (mService != null) return false;
        final VpnService s = mService = createService(p);

        new Thread(new Runnable() {
            public void run() {
                s.onConnect(username, password);
            }
        }).start();
        return true;
    }

    private synchronized void disconnect() {
        if (mService == null) return;
        final VpnService s = mService;

        new Thread(new Runnable() {
            public void run() {
                s.onDisconnect();
            }
        }).start();
    }

    private synchronized void checkStatus(VpnProfile p) {
        if ((mService == null)
                || (!p.getName().equals(mService.mProfile.getName()))) {
            broadcastConnectivity(p.getName(), VpnState.IDLE);
        } else {
            broadcastConnectivity(p.getName(), mService.getState());
        }
    }

    private void checkSavedStates() {
        try {
            ObjectInputStream ois = new ObjectInputStream(new FileInputStream(
                    getStateFilePath()));
            mService = (VpnService<? extends VpnProfile>) ois.readObject();
            mService.recover(this);
            ois.close();
        } catch (FileNotFoundException e) {
            // do nothing
        } catch (Throwable e) {
            Log.i("VpnServiceBinder", "recovery error, remove states: " + e);
            removeStates();
        }
    }

    private VpnService<? extends VpnProfile> createService(VpnProfile p) {
        switch (p.getType()) {
            case L2TP:
                L2tpService l2tp = new L2tpService();
                l2tp.setContext(this, (L2tpProfile) p);
                return l2tp;

            case PPTP:
                PptpService pptp = new PptpService();
                pptp.setContext(this, (PptpProfile) p);
                return pptp;

            case L2TP_IPSEC_PSK:
                L2tpIpsecPskService psk = new L2tpIpsecPskService();
                psk.setContext(this, (L2tpIpsecPskProfile) p);
                return psk;

            case L2TP_IPSEC:
                L2tpIpsecService l2tpIpsec = new L2tpIpsecService();
                l2tpIpsec.setContext(this, (L2tpIpsecProfile) p);
                return l2tpIpsec;

            default:
                return null;
        }
    }

    private void broadcastConnectivity(String name, VpnState s) {
        new VpnManager(this).broadcastConnectivity(name, s);
    }
}