Using VPN on android_x86_64-userdebug 7.1.2


Florian E

Nov 13, 2018, 7:12:53 AM
to Android-x86
Hei Guys,

I'm trying to set up a simple PPTP VPN but it keeps failing.
First of all - it is only working with wlan0 not with eth0 (says "no network connection").

However using wlan0 gives me the following error:

11-13 12:49:36.275 14822 14822 D mtpd    : Received 20 arguments
11-13 12:49:36.275 14822 14822 I mtpd    : Using protocol pptp
11-13 12:49:36.275 14822 14822 I mtpd    : Connecting to my.vpn.de port 1723 via wlan0
11-13 12:49:36.336 14822 14822 I mtpd    : Connection established (socket = 7)
11-13 12:49:36.336 14822 14822 D mtpd    : Sending SCCRQ
11-13 12:49:36.416 14822 14822 D mtpd    : Received SCCRP -> Sending OCRQ (local = 55735)
11-13 12:49:36.416 14822 14822 I mtpd    : Tunnel established
11-13 12:49:36.448 14822 14822 D mtpd    : Received OCRQ (remote = 37577)
11-13 12:49:36.448 14822 14822 I mtpd    : Session established
11-13 12:49:36.448 14822 14822 I mtpd    : Creating PPPoX socket
11-13 12:49:36.448 14822 14822 F mtpd    : Socket() Protocol wrong type for socket
11-13 12:49:36.486  1555 14820 I LegacyVpnRunner: Aborting
11-13 12:49:36.486  1555 14820 I LegacyVpnRunner: java.lang.IllegalStateException: mtpd is dead
11-13 12:49:36.486  1555 14820 I LegacyVpnRunner:       at com.android.server.connectivity.Vpn$LegacyVpnRunner.execute(Vpn.java:1698)
11-13 12:49:36.486  1555 14820 I LegacyVpnRunner:       at com.android.server.connectivity.Vpn$LegacyVpnRunner.run(Vpn.java:1560)
11-13 12:49:36.486  1555 14820 D Vpn     : setting state=FAILED, reason=mtpd isdead


It seems to connect but somehow the socket type (no idea what that is) is wrong.
Do you have any ideas for me?

Greets

Florian E

Nov 13, 2018, 10:39:44 AM
to Android-x86
I also tried to use L2TP/IPSec PSK with a public VPN (justfreevpn - which is working on my phone)
But very sadly this is also not working:

130|x86_64:/ # logcat | grep mtpd
11-13 16:29:39.955 26901 26901 D mtpd : Waiting for control socket
11-13 16:29:40.179 26901 26901 D mtpd : Received 20 arguments
11-13 16:29:40.179 26901 26901 I mtpd : Using protocol l2tp
11-13 16:29:40.179 26901 26901 I mtpd : Connecting to de.justfreevpn.com port 1701 via wlan0
11-13 16:29:40.182 26901 26901 I mtpd : Connection established (socket = 7)
11-13 16:29:40.182 26901 26901 D mtpd : Sending SCCRQ (local_tunnel = 55978)
11-13 16:29:42.184 26901 26901 D mtpd : Timeout -> Sending SCCRQ
...
11-13 16:30:37.344 26901 26901 D mtpd : Timeout -> Sending SCCRQ
11-13 16:30:37.344 26901 26901 I mtpd : Received signal 15
11-13 16:30:37.344 26901 26901 D mtpd : Sending STOPCCN
11-13 16:30:37.345 26901 26901 I mtpd : Mtpd is terminated (status = 5)

Florian E

Nov 20, 2018, 9:20:51 AM
to Android-x86
Any ideas where to start?
Would be thankful for any advice

Thanks

Florian E

Jan 18, 2019, 9:01:03 AM
to Android-x86
Hei guys,

I'm still trying to get VPN running on my Android x86 64 7.1.2.
What I've done by now is to set up an IPsec XAuth PSK server on an Ubuntu installation using these settings:


# ipsec.conf - strongSwan IPsec configuration file
config setup

conn %default
        keyexchange=ike
 
conn IPsec-Xauth-PSK
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        left=10.240.40.204
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.128.128.2/24
        auto=add
        ike=aes128-sha1-modp2048,3des-sha1-modp1536

include /var/lib/strongswan/ipsec.conf.inc


Now on my Android I'm running this command:

racoon eth0 10.240.40.204 xauthpsk '' 1122 MyUser 1122 15 ''

logcat result is:

01-18 14:53:03.229  6711  6711 I racoon  : ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
01-18 14:53:03.438  6711  6711 I racoon  : 192.168.5.201[500] used as isakmp port (fd=5)
01-18 14:53:03.438  6711  6711 I racoon  : 192.168.5.201[500] used for NAT-T
01-18 14:53:03.438  6711  6711 I racoon  : 192.168.5.201[4500] used as isakmp port (fd=6)
01-18 14:53:03.438  6711  6711 I racoon  : 192.168.5.201[4500] used for NAT-T
01-18 14:53:03.438  6711  6711 I racoon  : initiate new phase 1 negotiation: 192.168.5.201[500]<=>10.240.40.204[500]
01-18 14:53:03.438  6711  6711 I racoon  : begin Identity Protection mode.
01-18 14:53:03.444  6711  6711 I racoon  : received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
01-18 14:53:03.444  6711  6711 I racoon  : received Vendor ID: DPD
01-18 14:53:03.444  6711  6711 I racoon  : received Vendor ID: RFC 3947
01-18 14:53:03.444  6711  6711 I racoon  : Selected NAT-T version: RFC 3947
01-18 14:53:03.446  6711  6711 I racoon  : Hashing 10.240.40.204[500] with algo#5
01-18 14:53:03.446  6711  6711 I racoon  : Hashing 192.168.5.201[500] with algo#5
01-18 14:53:03.446  6711  6711 I racoon  : Adding remote and local NAT-D payloads.
01-18 14:53:03.451  6711  6711 I racoon  : Hashing 192.168.5.201[500] with algo#5
01-18 14:53:03.451  6711  6711 I racoon  : NAT-D payload #0 doesn't match
01-18 14:53:03.451  6711  6711 I racoon  : Hashing 10.240.40.204[500] with algo#5
01-18 14:53:03.451  6711  6711 I racoon  : NAT-D payload #1 verified
01-18 14:53:03.451  6711  6711 I racoon  : NAT detected: ME
01-18 14:53:03.451  6711  6711 I racoon  : KA list add: 192.168.5.201[4500]->10.240.40.204[4500]
01-18 14:53:03.456  6711  6711 I racoon  : ISAKMP-SA established 192.168.5.201[4500]-10.240.40.204[4500] spi:56f59a02cbbfc912:50c90ef0d303dd17
01-18 14:53:03.465  6711  6711 E racoon  : Cannot dump SAD and SPD
01-18 14:53:03.465  6711  6711 I racoon  : Bye

So the only thing I have is "Cannot dump SAD and SPD".

Looking in libipsec/pfkey.c, this says:

"sending SADB_REGISTER message to the kernel."


Is my kernel missing modules? How can I find out?
Kernel is 4.14:

1|x86_64:/ # uname -a
Linux localhost 4.14.24-android-x86_64-g048b65e-dirty #1 SMP PREEMPT Wed Jun 13 21:27:14 CEST 2018 x86_64

Do you guys have any idea what's wrong here?

Chih-Wei Huang

Jan 25, 2019, 8:41:32 AM
to Android-x86
'Florian E' via Android-x86 <andro...@googlegroups.com> wrote on Fri, Jan 18, 2019 at 10:01 PM:
I suggest you add debug messages to pfkey.c
to see why it failed. (what is errno?)

> Is my kernel missing modules? how can i find out?
> kernel is 4.14:

Have you enabled CONFIG_NET_KEY?


--
Chih-Wei
Android-x86 project
http://www.android-x86.org

Florian E

Jan 30, 2019, 3:15:06 AM
to Android-x86
Hei,

Thanks for your answer. Settings says: CONFIG_NET_KEY=y
But anyway, I got it running by now.
Just for all who are interested in this:

Once I set up my strongSwan server as mentioned above, I once got it running using the Android settings UI.
(But it did only work with a screen lock like PIN or pattern, and DHCP active on eth0.)
But it did not work with the binary via shell; I still do not know why the SAD dump error occurs.

However, I found out that the Android VPN service is using a socket to communicate with the ipsec tools (/dev/socket/racoon),
so I built myself a log to see what the UI is sending via the socket (for this, see main.c android_get_control_and_arguments).

Sadly the built-in netcat binary does not support sending data to a UNIX socket, so you have to build the /external/netcat/ project to get the nc binary yourself.
Copy the nc to /system/xbin/nc and use it with the -U flag to connect to the racoon socket.

So finally start the racoon socket with

setprop ctl.start racoon

Now you can send commands like this:

echo -e "\\x00\\x04\\x65\\x74\\x68\\x30" | /system/xbin/nc -U /dev/socket/racoon

which means "04eth0" (the first two bytes are the length of the following argument).
Translate all arguments either with an ASCII table or use a bash script, which is easier.


Another thing was that the socket was closed by the racoon binary (shutdown), which killed my connection each time.
So I removed the shutdown call in here:

#ifdef ANDROID_CHANGES
    do_plog(LLV_INFO, "Setting AID VPN .. \n");
    shutdown(control, SHUT_WR);
    setuid(AID_VPN);
#endif


Furthermore, there is an issue with the netcat nc binary as well, because it uses 50% CPU while it is open.
So I changed the while loop in readwrite to have a sleep at the end; now it is not noticeable anymore.

PLEASE NOTE: I do not completely understand what's going on and "fixed" this using trial and error.
Also this does not really have to do something with Android x86 and the changes could be a security issue as well.

Greets.
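
The framing described in the post above (a two-byte length followed by the argument bytes), as an added example that is not part of the original thread: a POSIX shell encoder that produces the post's `\xNN` notation, and a decoder for reading back a captured stream. The function names are hypothetical, and treating a length of 0xffff as an end marker is an assumption the post does not state.

```shell
#!/bin/sh
# Added example. Framing as described in the post: each argument is sent as a
# 2-byte big-endian length followed by the argument bytes.

# frame_arg ARG: print one frame in the post's \xNN notation.
frame_arg() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')   # byte count, not characters
    if [ "$len" -ge 65535 ]; then                 # 0xffff kept free, see decoder
        echo "argument too long for a 2-byte length" >&2
        return 1
    fi
    printf '\\x%02x\\x%02x' $((len >> 8)) $((len & 255))
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../\\x&/g'
}

# frame_args ARG...: concatenate the frames of all arguments, in order.
frame_args() {
    out=''
    for a in "$@"; do
        f=$(frame_arg "$a") || return 1
        out="$out$f"
    done
    printf '%s' "$out"
}

# decode_frames ESCAPED: print the arguments of a captured stream, one per line.
decode_frames() {
    hex=$(printf '%s' "$1" | sed 's/\\x//g')
    while [ ${#hex} -ge 4 ]; do
        rest=${hex#????}; head=${hex%"$rest"}     # first four hex digits
        n=$((0x$head)); hex=$rest
        # Assumption (not stated in the post): 0xffff marks end of arguments.
        [ "$n" -eq 65535 ] && return 0
        [ ${#hex} -ge $((n * 2)) ] || { echo "truncated frame" >&2; return 1; }
        i=0
        while [ "$i" -lt "$n" ]; do
            rest=${hex#??}; byte=${hex%"$rest"}; hex=$rest
            printf "\\$(printf '%03o' "0x$byte")" # hex byte -> octal escape
            i=$((i + 1))
        done
        echo
    done
}
```

The output of `frame_args` can be passed to `echo -e` and piped to `nc -U /dev/socket/racoon` as in the post; the empty `''` arguments of the racoon command line encode as `\x00\x00`.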