subject:"Re\: L2TP\/IPSec via npppd won't work with Android 6.0.1"

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-30 Thread Sly Midnight

Thank you!

I will try this.

I have confirmed it wasn't due to last year's OpenBSD 5.7 to 5.8 upgrade
as I built a VM with 5.7 using same settings and get exactly the same
behavior.  This was triple confirmed by being able to connect with iOS
on an iPhone, Windows 10, Chromebook (with md5 hmacs only) and even a
tablet running an older version of Android.  Here is the link to the bug
if anyone is interested.  But I will try the workaround offered by Yasuoka.

In the mean time, I have confirmed there is a Google Android bug
reported (by many people) confirming this is actually an issue with
Android not OpenBSD (or the myriad other VPN routers listed in the bug
report).  Though I very much appreciate understanding the underlying
reason as like Mattieu said, tweaking ipsec.conf for 3 days yielded no
solution.

https://code.google.com/p/android/issues/detail?id=196939

Thanks again!

Sly


On 03/30/2016 02:18 AM, YASUOKA Masahiko wrote:
> On Tue, 29 Mar 2016 11:37:14 +0200
> Mattieu Baptiste  wrote:
>> On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight  wrote:
>>> I don't mean to bring up an old thread, but I was wondering if anyone
>>> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
>>> (preferably the version on the Nexus line of devices) connecting to
>>> ipsec/l2tp.
>>>
>>> I had this working late last year some time and hadn't used it in a few
>>> months.  When I went to use it again a few days ago it didn't work at
>>> all.  After rebooting my phone and even trying it on my tablet that
>>> coincidentally runs the exact same version of stock Android 6.0.1, it
>>> too didn't work there.
>> I have the very same problem.
>> To me, It's caused by some Android updates. I saw this since 6.0, but
>> some security updates near 5.1.1 seems to trigger the same behavior.
>> I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
>> did not have the time to dig further...
> My colleague and I also hit this issue.
>
> This issue is caused by Android, it sends ESP packets with wrong
> padding size when SHA2-256 is selected for HMAC.  It seems that
> Android is using an old ietf draft for SHA2-256, but OpenBSD is using
> RFC 4868.
>
> When the issue occurs,
>
>   XXX packets with bad payload size or padding received
>
> counter in "netstat -sp esp" will be incremented.
>
> We can force using MD5 or SHA for HMAC to workaround this issue.  To
> do this, put the text below to /etc/isakmpd/isakmpd.policy and remove
> "-K" from isakmpd_flags.
>
>   Authorizer: "POLICY"
>   Comment: This is test
>   Licensees: "passphrase:PASSPHRASE"
>   conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present 
> == "yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> 
> "true";
>
> --yasuoka

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-30 Thread Mattieu Baptiste

On Wed, Mar 30, 2016 at 8:18 AM, YASUOKA Masahiko  wrote:
> On Tue, 29 Mar 2016 11:37:14 +0200
> Mattieu Baptiste  wrote:
>> On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight  wrote:
>>> I don't mean to bring up an old thread, but I was wondering if anyone
>>> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
>>> (preferably the version on the Nexus line of devices) connecting to
>>> ipsec/l2tp.
>>>
>>> I had this working late last year some time and hadn't used it in a few
>>> months.  When I went to use it again a few days ago it didn't work at
>>> all.  After rebooting my phone and even trying it on my tablet that
>>> coincidentally runs the exact same version of stock Android 6.0.1, it
>>> too didn't work there.
>>
>> I have the very same problem.
>> To me, It's caused by some Android updates. I saw this since 6.0, but
>> some security updates near 5.1.1 seems to trigger the same behavior.
>> I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
>> did not have the time to dig further...
>
> My colleague and I also hit this issue.

[...]

> We can force using MD5 or SHA for HMAC to workaround this issue.  To
> do this, put the text below to /etc/isakmpd/isakmpd.policy and remove
> "-K" from isakmpd_flags.
>
>   Authorizer: "POLICY"
>   Comment: This is test
>   Licensees: "passphrase:PASSPHRASE"
>   conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present 
> == "yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> 
> "true";

Thank you, it works flawlessly with that change.

-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-30 Thread YASUOKA Masahiko

On Tue, 29 Mar 2016 11:37:14 +0200
Mattieu Baptiste  wrote:
> On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight  wrote:
>> I don't mean to bring up an old thread, but I was wondering if anyone
>> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
>> (preferably the version on the Nexus line of devices) connecting to
>> ipsec/l2tp.
>>
>> I had this working late last year some time and hadn't used it in a few
>> months.  When I went to use it again a few days ago it didn't work at
>> all.  After rebooting my phone and even trying it on my tablet that
>> coincidentally runs the exact same version of stock Android 6.0.1, it
>> too didn't work there.
> 
> I have the very same problem.
> To me, It's caused by some Android updates. I saw this since 6.0, but
> some security updates near 5.1.1 seems to trigger the same behavior.
> I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
> did not have the time to dig further...

My colleague and I also hit this issue.

This issue is caused by Android, it sends ESP packets with wrong
padding size when SHA2-256 is selected for HMAC.  It seems that
Android is using an old ietf draft for SHA2-256, but OpenBSD is using
RFC 4868.

When the issue occurs,

  XXX packets with bad payload size or padding received

counter in "netstat -sp esp" will be incremented.

We can force using MD5 or SHA for HMAC to workaround this issue.  To
do this, put the text below to /etc/isakmpd/isakmpd.policy and remove
"-K" from isakmpd_flags.

  Authorizer: "POLICY"
  Comment: This is test
  Licensees: "passphrase:PASSPHRASE"
  conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present == 
"yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";

--yasuoka

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-29 Thread Mattieu Baptiste

On Tue, Mar 29, 2016 at 5:43 AM, Sly Midnight  wrote:
> Hello,
>
> I don't mean to bring up an old thread, but I was wondering if anyone
> else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
> (preferably the version on the Nexus line of devices) connecting to
> ipsec/l2tp.
>
> I had this working late last year some time and hadn't used it in a few
> months.  When I went to use it again a few days ago it didn't work at
> all.  After rebooting my phone and even trying it on my tablet that
> coincidentally runs the exact same version of stock Android 6.0.1, it
> too didn't work there.

Hi,

I have the very same problem.
To me, It's caused by some Android updates. I saw this since 6.0, but
some security updates near 5.1.1 seems to trigger the same behavior.
I've tried to tweak ipsec.conf like you without luck. Unfortunately, I
did not have the time to dig further...

Regards.
-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

Re: L2TP/IPSec via npppd won't work with Android 6.0.1

4 matches

Site Navigation

Mail list logo

Footer information