I was using vpnc get-a-robot (https://code.google.com/p/get-a-robot-vpnc/downloads/list) successfully on froyo for connection to my Cisco ipsec VPN.
When I upgraded to GB, vpnc would force close (guessing because the module was missing) so I compiled the tun.ko.
Now, vpnc connects, but doesn't pass traffic. When connecting to the VPN, I see these errors on the VPN side:
Code:
Mismatch: Overriding phase 2 DH Group(DH group 5) with phase 1 group(DH group 2)
IKE could not recognize the version of the client! IPSec Fragmentation Policy will be ignored for this connection!
IKE Receiver: Runt ISAKMP packet discarded on Port 4500
I didn't change any of the vpn settings.
I'm not sure where to go from here.... I tried compiling other modules that looked like they could be related but that was of no help. Is this kernel missing some needed ipsec support? Or, could it just be that app is no longer compatible?
I will look for another app to use while this post sits out here. If anyone is interested in the tun.ko, I'll happily post it.
Ok, what a waste of my (& anyone else who went any further than reading my post's) time! IT WAS THE APP!
Using the more recent VPNC Widget, all is well!
EDIT: Here is the tun.ko zipped. Thought I was going to have to find somewhere to host it, or I would have included it in the first post.
Related
Hi, All
I have a VPN problem that is strange. Here goes:
I got my Nexus One two days ago. It was not rooted and no APK was installed on it.
At that time, the VPN worked very well.
Then, I unlocked and rooted it. Then I flashed a Pandora firmware. The firmware is here.
://d.epis.me/Pandora%20N%201.1%20for%20nexus.zip
After that, the VPN didn't work. I must wait for a long time after I start to connect, and an error message comes up like this: "Can not connect to the server". If I use a wrong password, the VPN will tell me the password is wrong. The same VPN server can be connected to with the same username and password on my laptop, but not on the Nexus One. It is very strange.
Then I restored the original shipping firmware. It didn't work either. The reply of the VPN is the same as above.
The server is uk.focusvpn.com, and the VPN type is PPTP. For the encryption type I selected encrypted and not encrypted; it didn't work with either.
Now the VPN on my Nexus One is totally broken. Can any good guy help me?
Mods are likely going to move this to a different forum.
If any of the devs want to look at this I'm seeing this also. The VPN Connections app for me to a Cisco Concentrator works fine.
I can't for the life of me get PPTP to work; this may just be a buggy PPTP client in the Nexus One 2.1 build. It works FLAWLESSLY on my G1 with the last CM build. I get a generic message that GRE is not functional; but this is BS - on the same link I can tether my Mac and it works, or use the same WiFi on a Windows system or Mac and it works. I'm suspecting Google regressed or introduced a bug on 2.1 with PPTP.
Cyanogen, or any of the other devs: if you want to "borrow" my PPTP VPN account to debug, I'm game to email you the info; PM me. I was going to try this on the emulator and put some debug messages in to see what the specific issue may be...
Yeah. PM me and I'll try to fix it for the CM N1 release tomorrow!
is the CyanogenMod also for nexus one?
VPN on nexus (android 2.1)
I noticed on this webpage
code.google.com/p/android/issues/detail?id=4111
that Android 2.1 only supports old-fashioned authentication protocols
+ CHAP allowed
+ MSCHAPv1 allowed
But
- PAP disabled
- MSCHAPv2 disabled
- EAP Proxy disabled
I searched around and found no program that can hack this to enable the latter 3.
Is it easy to enable the above? Can anyone here help to configure it, or does it actually need new development?
G'day
I am wondering if the IPSEC implementation is crippled somehow in 2.1? I was trying to connect to a known (working) IPSEC peer with an iPhone 4 as my control, and trying from a Galaxy-S - I put Wireshark on the line and noticed the Galaxy-S is failing in the IKE key negotiation phase. The iPhone succeeds.
Has anyone had any success with getting IPSEC VPN going, can confirm issues or knows if there will be a "fix" in 2.2?
cheers
-k
Have set up IPSec/L2TP no problems Android 2.1
Good morning,
I've managed to set up both PPTP to my Windows 7 home network as well as IPSec L2TP (PSK) and they both work without problems; it may be a peculiarity of the implementation that is causing hiccoughs--the web has various documentation of the quirks of Cisco and Microsoft VPN implementations and workarounds; here's one such page regarding modifications to IPSec-L2TP (openswan) for connecting Windows VPN clients to Ubuntu server running VPN:
[QR CODE REMOVED CUZ APPARENTLY IM A NOOB]
*** Ok, well, it seems since I just registered on the board, it won't let me post either an URL to the QR Code for the URL, or the URL itself, so we'll have to do this the hard way until my account is verified:
Go to http-colon-slash/robincheung.info/mbalog/ubuntu-IPSec-L2TP and it will redirect to the wholly-too-long URL to the notebook
***
If it's failing during key negotiation, perhaps you've specified MD5 on one VPN client and SHA1 on the other (or AES on one and 3DES on the other type deal?), or if you're using certificates rather than PSK, perhaps there's an issue with the certificates in the Android unit but not your iPhone?
RobIncAMDSPhD @Milestone XT720 (windmobile.ca)
Hey All,
Just wondering if you all know if Cisco or Google will figure out the whole VPN / Group Name fiasco? I am not sure who or where the limiting factor sits with (Google or Cisco) but it would be really nice if they would support Cisco VPN when using Group Name.
I am pretty sure that was never solved in the 2.x version of Android. If it has, I would love to know!
At least on android 2.X I rooted and used VPN Connections and that allowed me to connect to my work's Cisco VPN
Inphinitizeit said:
At least on android 2.X I rooted and used VPN Connections and that allowed me to connect to my work's Cisco VPN
Either VPNConnections doesn't work right with the Xoom or the tun.ko module that someone compiled for the other type of VPN isn't working right with it for IPSEC. I can't seem to connect using my rooted xoom, though I've done it with every phone I've owned with ease.
You can connect to a Cisco asa using ipsec Vpn with group name on 2.x?
Sent from my ADR6300 using XDA Premium App
foldog22 said:
You can connect to a Cisco asa using ipsec Vpn with group name on 2.x?
Sent from my ADR6300 using XDA Premium App
Requires root, a tun.ko module compiled for your kernel installed on your phone and VPNConnections.apk. With those three things, it is easily done. My HTC Aria, Droid 2 Global and Droid X all could connect to our work routers which use Cisco IPSEC VPN with a group name/password.
The only way to get Cisco VPN working right now with the stock VPN client in Honeycomb is to have your firewall configured to allow inbound VPN using the group policy DefaultRAGroup (which is what it will default to when no group name is present).
It took me a few hours to figure it out but have it working on my ASA5505. Can't take credit though... this thread was instrumental in helping me figure out how to get it to go.
https://supportforums.cisco.com/thread/2029577
Refer to the post by Laurentiu Zibula.
Downside is that you can only get it working if you have full control of the firewall you're connecting to, and buying your network admin at work a six pack of beer isn't going to convince him to try this.
alee said:
The only way to get Cisco VPN working right now with the stock VPN client in Honeycomb is to have your firewall configured to allow inbound VPN using the group policy DefaultRAGroup (which is what it will default to when no group name is present).
It took me a few hours to figure it out but have it working on my ASA5505. Can't take credit though... this thread was instrumental in helping me figure out how to get it to go.
https://supportforums.cisco.com/thread/2029577
Refer to the post by Laurentiu Zibula.
Downside is that you can only get it working if you have full control of the firewall you're connecting to, and buying your network admin at work a six pack of beer isn't going to convince him to try this.
Don't think that will work for non-ASA devices though (i.e. routers).
Hey guys, anyone know a way to get vpn working on the A500?
It supports ipsec. but we are eliminating that as of next week in favor of SSL.
I was going to use openvpn (and the new kern mod) but I don't think it supports ssl (only ipsec).
So curious if anyone has thought through this, I'd like to stop carrying my 17" hackbook-pro (HP DV9700 running snow leopard).
thanks in advance!
Hey, try vpnc widget.
At my university it works with my HTC Desire Z.
Didn't try it on the A500, but you could do it
Bye
Sergioka
Sent from my HTC Vision using Tapatalk
Did you solve this? I had the same problem. The Iconia doesn't remember any VPN settings.
Took me a while to figure out how to save on my Transformer. When you are on the VPN setup screen the menu/option box (not sure of the correct name, it is the one with the 4 horizontal lines) will be up in the right hand corner. Select that and a "Save" option will appear in the drop down.
I've yet to get VPN to work on my A500. Trying to connect to VPN on Windows 2003 server. It connects, but then nothing works. can't get to anything on the remote network or even my local network or the internet. As soon as i disconnect the VPN, the local network and internet starts working again.
Same boat
I'm experiencing the exact same situation where I can connect but get no traffic moving. Also, I cannot get settings, etc. to stick on shutdown/reboot. I'm going to put down exactly how I got here in the hopes that it helps someone else to figure this out...
1. Rooted stock Acer Iconia (A500) tablet
2. Installed tun.ko
Copied tun.ko to /system/lib/modules
chmod 644 /system/lib/modules/tun.ko
insmod /system/lib/modules/tun.ko
3. Installed BusyBox (from Market) 1.18.4 to /system/xbin
4. Installed VPNC Widget (from Market) and set information:
IPSecGateway - Public VPN host
IPSecId - VPN group name
IPSec Group Password - VPN group password
XAuthUsername - User ID
XauthPassword - User password
other Vpnc Options - *blank*
5. From VPNC Widget settings, selected "Check Prerequisites".
Running tests...
Error: root access missing!
Error: no access to TUN device!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone.
Not sure why it's saying root access missing, but it is saying no access to TUN device. It's not saying that TUN device is missing, so I know the insmod worked.
6. Started VPNC Widget - immediately errored out. Checked last vpn session log:
Enter IPSec secret for [email protected]
Enter password for [email protected]
pre-Init phase...
reloc_library[1315]: 1069 cannot locate '__set_sycal_errno'...
CANNOT LINK EXECUTABLE
reloc_library[1315]: 1070 cannot locat '__set_syscall_errno'...
CANNOT LINK EXECUTABLE
Error: no access to TUN device!
can't open /dev/net/tun, check that it is either device char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not mist/net/tun): No such file or directory
can't initialise tunnel interface: No such file or directory
vpnc version 0.5.3-mjm1-140M
7. Manually created tunnel device
mkdir /dev/net
mknod /dev/net/tun c 10 200
8. From VPNC Widget settings, selected "Check Prerequisites".
Running tests...
Error: root access missing!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone.
TUN access is working, but still says no root access...
9. Started VPNC Widget. Connected immediately, but VPN traffic would not flow. External web traffic still worked. Cisco ASA shows successful login.
10. Disconnected from VPN Widget. Checked last vpn session log:
Enter IPSec secret for [email protected]
Enter password for [email protected]
pre-Init phase...
Error binding to source port. Try '--local-port 0'
Failed to bind to 0.0.0.0:4500: Address already in use
vpnc version 0.5.3-mjm1-140M
IKE SA selected psk+auth-3des-md5
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
11. Changed VPNC Widget configuration:
Added '--local-port 0' to other Vpnc Options
12. Start VPNC Widget. Either it connects and immediately reports password error (Cisco ASA shows unsuccessful login - bad password, I think) or it connects but no traffic passes, VPN or web (Cisco ASA show successful login).
13. Check last vpn session log for bad password event:
Enter IPSec secret for [email protected]
Enter password for [email protected]
pre-Init phase...
Password for VPN [email protected]s:
Password for VPN [email protected]s:
authentication unsuccessful
vpnc version 0.5.3-mjm1-140M
IKE SA selected psk+auth-3des-md5
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
I've tried reinstalling everything but I get the same results every time. I'm hoping this information helps someone (and me)...
Same problem here on the Motorola Xoom...
Typing netcfg reveals
Code:
lo UP 127.0.0.1 255.0.0.0 0x00000049
dummy0 DOWN 0.0.0.0 0.0.0.0 0x00000082
usb0 DOWN 0.0.0.0 0.0.0.0 0x00001002
sit0 DOWN 0.0.0.0 0.0.0.0 0x00000080
ip6tnl0 DOWN 0.0.0.0 0.0.0.0 0x00000080
ppp0 UP 10.10.6.7 255.255.255.255 0x000010d1
eth0 DOWN 0.0.0.0 0.0.0.0 0x00001002
tun0 DOWN 0.0.0.0 0.0.0.0 0x00001090
No connection on the TUN0 interface even though the widget claims VPN is connected.
After adding the following to the VPN options:
Code:
--local-port 0
--natt-mode cisco-udp
I can start VPN as many times as I want, resulting in numerous TUN interfaces in netcfg - all of which are DOWN.
I'm wondering if upgrading to HC3.1 (Xoom instructions http://forum.xda-developers.com/showthread.php?t=1074609) - which provides TUN support - solves the issue for both devices.
When you run the prerequisites check, does it also say that root access is missing?
Sadly, I am doubtful that HC3.1 will fix this as I know the TUN file is working properly because others have gotten OpenVPN working. The issue seems to lie with the VPNC Widget.
I can also connect to many different giganews VPN servers, but cannot access ANY network once connected.
WORKING with VPNC (not VPNC Widget)
I uninstalled VPNC Widget and then installed 0.99 VPNC and it is working.
Just need to create /etc/resolv.conf and append --local-port 0.
Sucks that I have to do it from the shell, but at least it works...
latest vpnc widget works with a few mods :
- edit vpnc-script and change MYBOX="$0-box" to ="'
- chmod 500 vpnc-script (something recreates vpnc-script at every start otherwise)
Stopping vpnc does not work though ;/ (just cut off wifi for a few seconds to make it close)
hey n00bzy,where can I find the vpnc-script?
thx
sergioka
sergioka said:
hey n00bzy,where can I find the vpnc-script?
thx
sergioka
If I recall correctly, it's in /data/data/com.gmail.mjm4456.vpncwidget/files but don't quote me on it...
hey thanks for the info,
i found the file, but
the widget tells me this
"Running tests...
Error: root access missing!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone."
Wow I forgot about the thread I started! lol I will try some of these suggestions and see if any work..
I know that ipsec is going to be cut off here soon, so I'm going to need a SSL solution sooner or later.
sergioka said:
hey thanks for the info,
i found the file, but
the widget tells me this
"Running tests...
Error: root access missing!
Warning: 'Advanced Routing' feature missing - VPN connectivity might be lost after a while
Sorry, the VPNC Widget will not work on this phone."
I was getting that message but it still connected. Try to connect, check your last connection log, and see what it says.
Oh man, I had only the link on the desktop and not the widget
Now, with the widget, it works!
Couple of questions as I am going through a vpnc widget setup on a rooted Asus Transformer.
I am running prime 1.4 which already has the tun loaded but when I go to /dev/net/tun there is no file in that directory. Should there be a file in that directory?
The error I am getting right now from the widgets log is "can't open /dev/net/tun, check that it is either device char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not /misc/net/tun): Is a directory can't initialize tunnel interface"
Any help will be much appreciated
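The vpnc error quoted in the posts above names the node it expects: a character device with major 10 and minor 200 at /dev/net/tun. As an added example (not code from any poster or from the VPNC Widget project), this script tells apart the states reported in this thread (missing node, a directory where the node should be, wrong device numbers) and checks whether the tun driver is registered. It assumes a `stat` that supports `-c` (GNU or BusyBox) and the standard sysfs entry `class/misc/tun/dev`.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the TUN device node vpnc opens.
# vpnc's error text names the expected node: character device, major 10, minor 200.

TUN_MAJOR=10
TUN_MINOR=200

# tun_node_state PATH
# Prints one of: missing | directory | not-char-device | stat-failed |
#                wrong-devnum:<major>,<minor> | ok
tun_node_state() {
    node=$1
    if [ ! -e "$node" ]; then echo missing; return 0; fi
    if [ -d "$node" ]; then echo directory; return 0; fi
    if [ ! -c "$node" ]; then echo not-char-device; return 0; fi
    # %t / %T are the device major / minor in hex; -L follows a symlink
    hex=$(stat -L -c '%t %T' "$node" 2>/dev/null) || { echo stat-failed; return 0; }
    major=$((0x${hex% *}))
    minor=$((0x${hex#* }))
    if [ "$major" -eq "$TUN_MAJOR" ] && [ "$minor" -eq "$TUN_MINOR" ]; then
        echo ok
    else
        echo "wrong-devnum:$major,$minor"
    fi
}

# tun_driver_registered [SYSFS_ROOT]
# Assumption: the tun driver registers a misc device, which sysfs exposes as
# class/misc/tun/dev containing "10:200". SYSFS_ROOT defaults to /sys.
tun_driver_registered() {
    dev_file=${1:-/sys}/class/misc/tun/dev
    [ -r "$dev_file" ] && [ "$(cat "$dev_file")" = "$TUN_MAJOR:$TUN_MINOR" ]
}

# tun_diagnose [NODE] [SYSFS_ROOT] -> one summary line
# driver=not-loaded : the module still has to be loaded (insmod tun.ko)
# node=missing      : create it (mkdir /dev/net; mknod /dev/net/tun c 10 200)
# node=directory    : something created /dev/net/tun as a directory
tun_diagnose() {
    path=${1:-/dev/net/tun}
    state=$(tun_node_state "$path")
    if tun_driver_registered "${2:-/sys}"; then
        drv=loaded
    else
        drv=not-loaded
    fi
    echo "driver=$drv node=$state"
}

# Stand-alone use: check the real device, or the paths given as arguments
tun_diagnose "$@"
```

A result of `driver=loaded node=ok` means the kernel side is in place, so remaining failures lie with the client or its permissions.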
I will pay good $$ to have a working (simple) Cisco VPN option on my Android. I have tried and wasted way too many hours trying to get this working with all the complicated and unclearly documented ways to get this working.
Anyone working on something besides Cisco (which they will be forcing our organization to pay for such service which is not possible seeing we are one of the largest orgs around and something like that is not feasible)?
tl;dr Google Talk/AndFTP/SIP can't connect over an OpenVPN connection in CM7.2
My OpenVPN configuration has worked for several months. But since 7.2 came out, I've been troubleshooting a problem with my phone's VPN connection to my home server. The symptom I'm seeing is that apps besides the web browser cannot connect to anything over the VPN, including the VPN host itself. When I use tcpdump to watch traffic going over my server's tun0 adapter, I don't see packets sent from AndFTP and SIP (the phone dialer's SIP) ever reach the server. Strangely, the web browser works just fine over the VPN. I'm able to view websites normally, and even connect to my webserver on port 8080.
Like you (probably), my first assumption is that a problem like this is due to misconfiguration somewhere. However I'm starting to think that's not the case this time. My VPN configuration is very simple, and I don't use any iptables netfilter rules anywhere (the server is behind a nat router). These apps work just fine over my VPN when I'm using the old CM7-12112011-nightly-olympus build. My Ubuntu laptop also has no issues using the VPN. I have observed the route table (# busybox route -n) after the VPN connection is made using the latest nightly, and the old build which works. Both routes are the same (for whatever reason, the default gateway isn't removed, but it works on the old build anyway).
So I have only seen this issue when I'm running CM7.2 RC1 or the latest nightly: update-cm-7-20120409-NIGHTLY-olympus-signed.zip
For now I'm back on the CM7-12112011-nightly build, and my apps work on my VPN again. But I wanted to post this here in case this issue affected anyone else. I'm not sure how to continue troubleshooting it, or whether it might even be related to a bug.
I can use Pandora just fine over VPN, as well as download stuff from the Market/Play and use GTalk.
Here's my server config if you want to compare it
Code:
$ cat /etc/openvpn/server.conf
port 12345
proto udp
dev tun
ca /etc/openvpn/blahblah.crt
cert /etc/openvpn/blahblah.crt
key /etc/openvpn/blahblah.key
dh /etc/openvpn/blahblah.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
Ok if these builds are working for you, that does indicate it's just some misconfiguration on my end.
Update: I did fresh installs of the last atrix-dev-team build and the latest cm7.2 nightly. On both builds apps are working over the VPN just fine. The only thing that doesn't work is the dialer's built-in SIP; it won't connect over the VPN. It works when I'm on the same LAN as the server, but not otherwise over the VPN. Watching tcpdump, I never see packets coming from the phone when I enable "Receive incoming calls."
So I just gave up trying to get the SIP dialer to work on my VPN, and installed CSipSimple and SIPDroid. Both work just fine over VPN. While both these apps are popular, I was only avoiding using them since I didn't think they would be necessary. I've used the dialer's SIP to proxy calls over asterisk in the past with my original A855 Droid. Not sure why it doesn't work anymore, but not a big deal either.
I am also having some difficulty with openvpn. I am running CM7.2 RC3 on my Atrix. I have never had it working before on the Atrix (recent convert to CM7), but have had it working on laptops and an iphone. Was intrigued that it appears to be built in. I just cannot get it to work.
My issues are:
1) I cannot use the tun device. If I try, it appears to connect, then errors out.
Code:
N read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
If I select tap, it will connect, but then it tells me that there are fragment errors
Code:
FRAG_IN error flags=0xfa3333ff: FRAG_TEST not implemented
2) I cannot add the 'extra arguments' under the advanced settings. I try to put "fragment 1400" and . I'd like to add mssfix as well, but cannot figure out how to use this input block. If I try "fragment 1400" same thing:
Code:
MANAGEMENT: Client disconnected
When I use tap and keep the extra arguments clear, it appears to connect, but I get nothing: andsmb cannot see smb shares, I cannot get to the router web page, etc.
I have also configured pptp and that will allow me to connect (access shares and see the router web interface (ddwrt)). I would prefer openvpn, though. Any help appreciated.
My connect script with a laptop is:
Code:
remote xxxx.dyndns-office.com 1194
client
dev tap0
proto udp
mssfix 1400
fragment 1400
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
Keith
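OpenVPN expects several link options to be the same on both peers, among them the device type (tun or tap), the transport protocol, `fragment` and `comp-lzo`. As an added example (not from any poster in this thread), this script compares two config files on those four options; the sample configs are constructed from option lines that appear above and do not describe any poster's actual server.

```shell
#!/bin/sh
# Added example (not from the thread): report OpenVPN options that differ
# between two config files but have to agree on both peers.
# Options pushed by the server at connect time are not considered.

ovpn_peer_mismatches() {   # usage: ovpn_peer_mismatches SERVER_CONF CLIENT_CONF
    awk '
    FNR == 1 {                          # first line of a file: next peer
        side++
        opt[side, "dev-type"] = "unset"
        opt[side, "proto"]    = "udp"   # OpenVPN default when proto is absent
        opt[side, "fragment"] = "off"
        opt[side, "comp-lzo"] = "off"
    }
    /^[ \t]*[#;]/ || NF == 0 { next }   # comments and blank lines
    # "dev tap0" and "dev tap" are the same device type
    $1 == "dev"      { t = $2; sub(/[0-9]+$/, "", t); opt[side, "dev-type"] = t }
    $1 == "dev-type" { opt[side, "dev-type"] = $2 }
    # tcp-client / tcp-server are both TCP on the wire
    $1 == "proto"    { p = $2; sub(/-(client|server)$/, "", p); opt[side, "proto"] = p }
    $1 == "fragment" { opt[side, "fragment"] = $2 }
    # any comp-lzo line changes the packet framing, whatever its argument
    $1 == "comp-lzo" { opt[side, "comp-lzo"] = "on" }
    END {
        n = split("dev-type proto fragment comp-lzo", key, " ")
        for (i = 1; i <= n; i++)
            if (opt[1, key[i]] != opt[2, key[i]])
                printf "%s: server=%s client=%s\n", key[i], opt[1, key[i]], opt[2, key[i]]
    }' "$1" "$2"
}

# Constructed sample configs reusing option lines that appear in the thread.
write_samples() {          # usage: write_samples DIR
    cat > "$1/server.conf" <<'EOF'
port 12345
proto udp
dev tun
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tap0
proto udp
mssfix 1400
fragment 1400
nobind
EOF
}

if [ $# -eq 2 ]; then
    ovpn_peer_mismatches "$1" "$2"
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    ovpn_peer_mismatches "$tmp/server.conf" "$tmp/client.conf"
    rm -rf "$tmp"
fi
```

An empty result means the two files agree on these four options; it does not cover certificates, ciphers or routing.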