The only thing I can add right now is that it is not an SELinux limitation.
Turning it off helps with some iptables-oriented errors for me, but it is still no help with creating the tunnel interface. A lot of mysteries there. I started the client from Eclipse and got an error like yours, and the client reported an error. After that I restarted the emulator, manually started the client from Android itself and got a different kind of error.

I/charon ( 2061): 07[IKE] CHILD_SA android{1} established with SPIs feb7a1c0_i f5ab1d86_o and TS 192.168.254.195/32 === 0.0.0.0/0
I/charon  ( 2061): 07[DMN] setting up TUN device for CHILD_SA android{1}
D/Vpn     ( 1140): setting state=CONNECTING, reason=establish
D/VpnJni  ( 1140): Address added on tun0: 192.168.254.195/32
D/ConnectivityService( 1140): registerNetworkAgent NetworkAgentInfo{ ni{[type: VPN[], state: CONNECTED/CONNECTED, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: true, isConnectedToProvisioningNetwork: false]} network{null} lp{{InterfaceName: tun0 LinkAddresses: [192.168.254.195/32,] Routes: [0.0.0.0/1 -> 0.0.0.0 tun0,128.0.0.0/1 -> 0.0.0.0 tun0,::/0 unreachable,] DnsAddresses: [] Domains: MTU: 0}} nc{[ Transports: VPN Capabilities: NOT_RESTRICTED&TRUSTED]} Score{0} validated{false} created{false} explicitlySelected{false} }
I/Vpn     ( 1140): Established by org.strongswan.android on tun0
D/ConnectivityService( 1140): NetworkAgentInfo [VPN () - 102] EVENT_NETWORK_INFO_CHANGED, going from null to CONNECTED
I/charon  ( 2061): 07[DMN] successfully created TUN device
I/charon  ( 2061): 07[ENC] generating QUICK_MODE request 1314563190 [ HASH ]
I/charon ( 2061): 07[NET] sending packet: from 10.0.2.15[51378] to 192.168.100.1[4500] (60 bytes)
D/ConnectivityService( 1140): Adding iface tun0 to network 102
I/iptables( 2100): type=1400 audit(0.0:30): avc: denied { module_request } for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
I/iptables(  944): iptables: No chain/target/match by that name.
I/iptables(  944): iptables terminated by exit(1)
E/Netd ( 944): exec() res=0, status=256 for /system/bin/iptables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
I/ip6tables(  944): ip6tables: No chain/target/match by that name.
I/ip6tables(  944): ip6tables terminated by exit(1)
E/Netd ( 944): exec() res=0, status=256 for /system/bin/ip6tables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd ( 944): failed to change iptables rule that sets incoming packet mark
E/Netd    (  944): failed to add interface tun0 to VPN netId 102
E/ConnectivityService( 1140): Exception adding interface: java.lang.IllegalStateException: command '27 network interface add 102 tun0' failed with '400 27 addInterfaceToNetwork() failed (Remote I/O error)'
E/ConnectivityService( 1140): Unexpected mtu value: 0, tun0
D/ConnectivityService( 1140): Adding Route [0.0.0.0/1 -> 0.0.0.0 tun0] to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1140): Exception in addRoute for non-gateway: java.lang.IllegalStateException: command '28 network route add 102 tun0 0.0.0.0/1' failed with '400 28 addRoute() failed (No such device)'
D/ConnectivityService( 1140): Adding Route [128.0.0.0/1 -> 0.0.0.0 tun0] to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1140): Exception in addRoute for non-gateway: java.lang.IllegalStateException: command '29 network route add 102 tun0 128.0.0.0/1' failed with '400 29 addRoute() failed (No such device)'
D/ConnectivityService( 1140): Adding Route [::/0 unreachable] to network 102
E/Netd    (  944): interface tun0 not assigned to any netId
E/ConnectivityService( 1140): no dns provided for netId 102, so using defaults
D/ConnectivityService( 1140): Setting Dns servers for network 102 to [/8.8.8.8]
D/Nat464Xlat( 1140): requiresClat: netType=17, connected=true, hasIPv4Address=true
D/ConnectivityService( 1140): notifyType IP_CHANGED for NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): notifyType PRECHECK for NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): notifyType AVAILABLE for NetworkAgentInfo [VPN () - 102]
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): DefaultState{ when=0 what=532481 target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): Connected
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): EvaluatingState{ when=0 what=532486 arg1=1 target=com.android.internal.util.StateMachine$SmHandler }
D/NetworkMonitorNetworkAgentInfo [VPN () - null]( 1140): Validated
D/ConnectivityManager.CallbackHandler( 1314): CM callback handler got msg 524290
D/ConnectivityService( 1140): Validated NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): rematching NetworkAgentInfo [VPN () - 102]
D/ConnectivityService( 1140): notifyType AVAILABLE for NetworkAgentInfo [VPN () - 102]

Errors like in my first message. And the client turns green as if everything is OK with the tunnel. The tunnel interface itself is actually created. The routes are the ones that failed to install. I tried to create the routes manually with "ip route" from busybox and it works.

root@generic_x86:/data # ./busybox ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc pfifo_fast qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
4: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast qlen 500
    link/[65534]
    inet 192.168.254.195/32 scope global tun0
root@generic_x86:/data # ./busybox ip route
0.0.0.0/1 dev tun0
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0  src 10.0.2.15
128.0.0.0/1 dev tun0
root@generic_x86:/data # ./busybox ip route add 192.168.100.1 via 10.0.2.2 dev eth0
root@generic_x86:/data # ./busybox ip route add 128.0.0.0/1 dev tun0
root@generic_x86:/data # ./busybox ip route add 0.0.0.0/1 dev tun0
root@generic_x86:/data # ./busybox ip route
0.0.0.0/1 dev tun0
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0  src 10.0.2.15
128.0.0.0/1 dev tun0
192.168.100.1 via 10.0.2.2 dev eth0
root@generic_x86:/data # ping 192.168.254.2
PING 192.168.254.2 (192.168.254.2) 56(84) bytes of data.
64 bytes from 192.168.254.2: icmp_seq=1 ttl=63 time=3.19 ms
64 bytes from 192.168.254.2: icmp_seq=2 ttl=63 time=4.19 ms
64 bytes from 192.168.254.2: icmp_seq=3 ttl=63 time=3.67 ms
64 bytes from 192.168.254.2: icmp_seq=4 ttl=63 time=3.09 ms

It looks like my emulator is missing some kernel modules. Actually, I think it is missing all the modules. I can't find a single one of them. Some of the iptables functionality is built into the kernel, but some of it isn't.


On 11/26/2014 11:04 PM, Sam Johnson wrote:
I have run into a similar situation while running 1.4 on Android 5.0. I have it running on a physical device (Nexus 4) and I run into an error where it fails to build the tunnel:


11-26 15:02:14.772: I/charon(28997): 04[DMN] setting up TUN device for CHILD_SA android{1}
11-26 15:02:14.799: I/charon(28997): 04[LIB] builder: failed to build TUN device
11-26 15:02:14.799: I/charon(28997): 04[DMN] failed to setup TUN device

It connects fine on my KitKat device but it seems that something must have changed with Android 5.0. Any insight would be great. Would love to help in any way I can to get this working.

Best,

Sam
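
An added example, not part of the original messages: a small Python triage of the logcat lines from the emulator log above that pairs the SELinux `avc: denied` record with the failed netd iptables commands. It treats `status=256` as a POSIX wait status (an assumption), and the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the logcat excerpt quoted in the post.
SAMPLE = '''\
I/iptables( 2100): type=1400 audit(0.0:30): avc: denied { module_request } for kmod="ipt_MARK" scontext=u:r:netd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
I/iptables(  944): iptables: No chain/target/match by that name.
I/iptables(  944): iptables terminated by exit(1)
E/Netd ( 944): exec() res=0, status=256 for /system/bin/iptables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
E/Netd ( 944): exec() res=0, status=256 for /system/bin/ip6tables -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x30066
'''

AVC = re.compile(r"avc: denied \{ (\w+) \}.*?scontext=(\S+).*?permissive=([01])")
KMOD = re.compile(r'kmod="([^"]+)"')
EXEC = re.compile(r"E/Netd\s*\(\s*\d+\): exec\(\) res=-?\d+, status=(\d+) for (.+)$")
TARGET = re.compile(r"-j (\w+)")

def triage(log):
    """Return (denials, failures) parsed from logcat text."""
    denials, failures = [], []
    for line in log.splitlines():
        if (m := AVC.search(line)):
            k = KMOD.search(line)
            denials.append({"perm": m.group(1), "scontext": m.group(2),
                            # permissive=1: logged only, the access was not blocked
                            "enforced": m.group(3) == "0",
                            "kmod": k.group(1) if k else None})
        elif (m := EXEC.search(line)):
            status = int(m.group(1))
            # Assumption: status is a POSIX wait status, so 256 == exit code 1,
            # which agrees with the "terminated by exit(1)" line in the log.
            exited = (status & 0x7F) == 0
            t = TARGET.search(m.group(2))
            failures.append({"exit_code": (status >> 8) & 0xFF if exited else None,
                             "command": m.group(2),
                             "target": t.group(1) if t else None})
    return denials, failures

def not_blocked_by_selinux(denials, failures):
    """Targets of failed commands whose module request was denied in permissive mode only."""
    logged_only = {d["kmod"].split("_", 1)[1] for d in denials
                   if d["kmod"] and "_" in d["kmod"] and not d["enforced"]}
    failed = {f["target"] for f in failures if f["target"] and f["exit_code"]}
    return sorted(failed & logged_only)

if __name__ == "__main__":
    d, f = triage(SAMPLE)
    print(not_blocked_by_selinux(d, f))
```

On the sample it returns `['MARK']`: the module request was logged with `permissive=1`, so SELinux enforcement does not explain the failed rule, which is consistent with the missing-kernel-module reading in the post.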

