Tuesday, November 6, 2012

Android ICS L2TP/IPSec `malformed payload in packet' error

When you try to connect to an OpenSWAN L2TP/IPSec PSK VPN from an Android device running version 4.0.x (Ice Cream Sandwich), you may see the following errors repeated in the server log:

Nov 7 15:13:42 vpnserver pluto[20906]: packet from 200.143.118.22:500: next payload type of ISAKMP Message has an unknown value: 133
Nov 7 15:13:42 vpnserver pluto[20906]: | payload malformed after IV
Nov 7 15:13:42 vpnserver pluto[20906]: |
Nov 7 15:13:42 vpnserver pluto[20906]: packet from 200.143.118.22:500: sending notification PAYLOAD_MALFORMED to 200.143.118.22:500

and the connection attempt times out.  This is caused by a bug in ICS.  Android ICS builds a malformed payload, and pluto rejects it with: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not (see RFC 3947).
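To see exactly what pluto is objecting to, here is an added example (not code from the post or from OpenSWAN) that follows the Next Payload chain of a decrypted ISAKMP body and applies the RFC 3947 section 5.2 checks to each NAT-OA payload, so you can tell this known client quirk apart from a genuinely broken message. The payload type numbers (21 for RFC 3947, 131 for the older NAT-T drafts) and the ISAKMP ID types are assumptions taken from those specifications, not from the post.

```python
import struct

# Assumed constants (not from the post): NAT-OA payload type is 21 in RFC 3947
# and 131 in the older NAT-T drafts; ID types are the ISAKMP identification types.
NATOA_RFC, NATOA_DRAFT = 21, 131
ID_IPV4_ADDR, ID_IPV6_ADDR = 1, 5

def check_natoa(payload: bytes) -> list:
    """Return the problems found in one decrypted NAT-OA payload (RFC 3947 5.2)."""
    if len(payload) < 8:
        return ["NAT-OA payload shorter than its 8-byte fixed header"]
    problems = []
    for off in (1, 5, 6, 7):          # RESERVED bytes; byte 7 is the one ICS gets wrong
        if payload[off] != 0:
            problems.append(f"byte {off} of ISAKMP NAT-OA Payload must be zero, but is 0x{payload[off]:02x}")
    length, id_type = struct.unpack("!H", payload[2:4])[0], payload[4]
    expected = {ID_IPV4_ADDR: 8 + 4, ID_IPV6_ADDR: 8 + 16}.get(id_type)
    if expected is None:
        problems.append(f"unknown NAT-OA ID type {id_type}")
    elif length != expected:
        problems.append(f"NAT-OA length {length} does not match ID type (expected {expected})")
    return problems

def walk_payloads(first_type: int, data: bytes) -> list:
    """Follow the Next Payload chain of a decrypted ISAKMP body; returns (type, bytes) pairs."""
    out, ptype, off = [], first_type, 0
    while ptype != 0:                 # 0 = ISAKMP_NEXT_NONE terminates the chain
        if off + 4 > len(data):
            raise ValueError("payload chain runs past end of message")
        next_type, _, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError(f"bad payload length {length} at offset {off}")
        out.append((ptype, data[off:off + length]))
        ptype, off = next_type, off + length
    return out

def natoa_findings(first_type: int, data: bytes) -> list:
    """Return (payload_index, problem) for every NAT-OA defect in the chain."""
    findings = []
    for idx, (ptype, payload) in enumerate(walk_payloads(first_type, data)):
        if ptype in (NATOA_RFC, NATOA_DRAFT):
            findings += [(idx, p) for p in check_natoa(payload)]
    return findings

# Constructed sample, not a real capture: a correct IPv4 NAT-OA payload chained to a
# second one whose byte 7 is 0x01, the defect that makes pluto answer PAYLOAD_MALFORMED.
GOOD_NATOA = bytes([NATOA_RFC, 0, 0, 12, ID_IPV4_ADDR, 0, 0, 0, 10, 0, 0, 5])
BAD_NATOA = bytes([0, 0, 0, 12, ID_IPV4_ADDR, 0, 0, 0x01, 10, 0, 0, 6])
```

Running natoa_findings(NATOA_RFC, GOOD_NATOA + BAD_NATOA) reports only the second payload, with the same wording pluto logs; the checks apply to the payloads after decryption, which is why the server log says the payload is malformed "after IV".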

There has been a bug report about this, and it should have been fixed in Android 4.1.x.  For 4.0.x (ICS) devices, fortunately, there is an OpenSWAN workaround available at:
http://people.redhat.com/pwouters/osw/openswan-2.6.38-android-ics-natoa.patch

To resolve the issue, download this patch and recompile your openswan.  If you build openswan from SRPMS, make sure to edit openswan.spec and add `-DSUPPORT_BROKEN_ANDROID_ICS' to the `USERCOMPILE' make option, like this:

%{__make} \
USERCOMPILE="-g %{optflags} -fPIE -pie -DSUPPORT_BROKEN_ANDROID_ICS" \
......
