YES, with this patched vpnc you can connect from a rooted Desire (or any other Android device) to your AVM Fritzbox with the original firmware. The included vpnc-script will help to fix the routing problems.

You need a rooted Android device with a tun.ko module.

First set up your Fritzbox like the iPhone setup described on the AVM portal (Google "avm iphone vpn").

Install signed-FritzBox.apk to your phone.

Now set up your vpnc GUI and be happy.

--------------------------------------------------------------------------

Some detailed info on how to connect to the Fritzbox with IPsec via vpnc:

1.) you must use an IKE_ATTRIB_LIFE_DURATION = 3600 (seconds)
2.) you must use draft-ietf-ipsec-nat-t-ike-03

The original vpnc uses an IKE_ATTRIB_LIFE_DURATION of 2147483 (seconds) and only uses draft-ietf-ipsec-nat-t-ike-00 -> 02.

I changed the timing to 3600 (seconds) and changed the transform set from 02 to 03.

Timing -> find 000020C49B in vpnc and change it to 0000000E10 (2x)
Transform set -> find CD60464335DF21F87CFDB2FC68B6A448 in vpnc and change it to 7D9419A65310CA6F2C179D9215529D56 (1x)

By the way, this patch will help any vpnc user on any Linux (I tested this with Ubuntu and it works perfectly).

----------------------------------------------------------------------------
update 20.12.2010

----------------------------------------------------------------------------
New APK to install on a rooted Android device. After installing you can connect via IPsec VPN to a Cisco device and to the FritzBox with the latest firmware without modifying the FritzBox.


For all who want to use the FritzPhone app to make phone calls via vpnc: this will not work because the app does not use the 3G interface (only WLAN). Download the app "3cx" from the Market; in the setup menu "integration" you will find "Enable 3G", that's all.
Attached Files
File Type: apk signed-myVPNC.apk (411.5 KB, 10163 views)
23rd December 2010, 11:48 PM |#2  
Olli80
Hi there!

Really nice one, but I'm getting a force close when I push the connect button.

I'm using a SE X10 with Android 2.1...

Sometimes I hate my phone.......
25th December 2010, 10:51 AM |#3  
mp1405 (OP)
Merry Christmas.

Is your device rooted, and does vpnc have exec permissions?

Please install "Quick System Info" and check the log info via logcat.

Maybe in your Kernel the tun.ko is missing.
25th December 2010, 02:17 PM |#4  
Hello

@mp1405

Thanks for the signed-FritzBox.apk. I finally got it running on my Samsung I9000 Froyo XXJPU and Fritzbox 7390.

At first I also had the FC because the tun.ko was missing. Now it works, but I have to load the kernel module after every reboot in the console with insmod /system/lib/modules/tun.ko

I edited the file /init.rc with the line insmod /system/lib/modules/tun.ko, but on every reboot a "recovery" init.rc is loaded without my insmod line. There was also the tip to copy the tun.ko to /lib/modules/tun.ko, but the tun.ko gets deleted after every reboot.

Kind regards
3rd January 2011, 02:07 PM |#5  
@sky01x

Hi Sky, where did you find the right tun.ko?

Thanks for a hint.
To.
3rd January 2011, 02:17 PM |#6  
@lier99

I got the tun.ko from:

http://forum.xda-developers.com/showthread.php?t=793712

Best regards
4th January 2011, 12:07 PM |#7  
I9000XXJPY
Kernel 2.6.32.9 hardcore k12h-500hz #2
XXJPY_Doc_v7_Kitchen

Fritzbox 7270

Thanks for the apk and the howto,
but still a little trouble.
The Fritzbox cfg is changed according to the iPhone config from AVM.
The VPN connection says connected.
The Fritzbox says status green, I have an internet IP, I see my assigned IP, but for the local net I get 0.0.0.0. From there I do not get into my local network. Whenever I try to change the Fritzbox cfg to

phase2localid {
ipnet {
ipaddr = 192.168.1.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipaddr = 192.168.1.203;
}
phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
accesslist =
"permit ip 192.168.1.0 255.255.255.0 192.168.1.203 255.255.255.255";

like my notebook, which runs fine on the tunnel, the connection fails.

Any idea?
4th January 2011, 01:17 PM |#8  
VPN doesn't work via GSM/UMTS connection
Hello,

I need help, my VPN doesn't work via a GSM/UMTS connection.

My configuration:
FritzBox 7170 with Firmware-Version 29.04.86-18946 (Laborversion)
and VPN configured as iPhone.
Dynamic DNS is active and ready.
Phone: HTC Desire with LeeDroid v2.03c
VPNC from mp1405: signed-myVPNC.apk

Now, if I'm connected via WLAN to my FritzBox I have a VPN connection,
but via GSM or UMTS I get no connection - why?

Thanks
29th July 2011, 08:29 PM |#9  
Doesn't work for me.

Fritzbox config:
Quote:

vpncfg {
connections {
enabled = yes;
conn_type = conntype_user;
name = "my mail";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 192.168.178.201;
remoteid {
key_id = "my mail";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "my key";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = yes;
use_cfgmode = no;
xauth {
valid = yes;
username = "my login";
passwd = "mypass";
}
phase2localid {
ipnet {
ipaddr = 192.168.178.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipaddr = 192.168.178.201;
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist =
"permit ip 192.168.178.0 255.255.255.0 192.168.178.201 255.255.255.255";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

And log from android (MIUI):
Quote:

pre-init phase...
connect phase...
vpnc-script ran to completion
quick mode response rejected: (ISAKMP_N_INVALID_MESSAGE_ID)(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall
this locks out even Cisco clients on any platform expect windows
which is an obvious security improvment. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using
compression, expect on low-bandwith (read: ISDN) links, because it
uses much CPU-resources on the concentrator

vpnc version 0.5.3-mjm1-140M
S1 init_sockaddr
[2011-07-29 21:05:48]
S2 make_socket
[2011-07-29 21:05:48]
S3 setup_tunnel
[2011-07-29 21:05:48]
using interface tun0
S4 do_phase1_am
[2011-07-29 21:05:48]
S4.1 create_nonce
[2011-07-29 21:05:48]
S4.2 dh setup
[2011-07-29 21:05:48]
S4.3 AM packet_1
[2011-07-29 21:05:48]
S4.4 AM_packet2
[2011-07-29 21:05:49]
(Xauth)
(DPD)
(Nat-T 03)
(unknown)
got ike lifetime attributes: 3600 seconds
IKE SA selected psk+xauth-aes256-sha1
ignoring that peer is DPD capable (RFC3706)
peer is NAT-T capable (draft-03)
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
S4.5 AM_packet3
[2011-07-29 21:05:49]
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
NAT-T mode, adding non-esp marker
S4.6 cleanup
[2011-07-29 21:05:49]
S5 do_phase2_xauth
[2011-07-29 21:05:49]
S5.1 xauth_start
[2011-07-29 21:05:49]
S5.2 notice_check
[2011-07-29 21:05:49]
S5.3 type-is-xauth check
[2011-07-29 21:05:49]
S5.4 xauth type check
[2011-07-29 21:05:49]
S5.5 do xauth authentication
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S5.2 notice_check
[2011-07-29 21:05:49]
S5.3 type-is-xauth check
[2011-07-29 21:05:49]
S5.6 process xauth response
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S5.7 xauth done
[2011-07-29 21:05:49]
S6 do_phase2_config
[2011-07-29 21:05:49]
S6.1 phase2_config send modecfg
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S6.2 phase2_config receive modecfg
[2011-07-29 21:05:50]
got save password setting: 0
got address 192.168.178.201
S7 setup_link (phase 2 + main_loop)
[2011-07-29 21:05:50]
S7.0 run interface setup script
[2011-07-29 21:05:50]
S7.1 QM_packet1
[2011-07-29 21:05:50]
S7.2 QM_packet2 send_receive
[2011-07-29 21:05:50]
NAT-T mode, adding non-esp marker
S7.3 QM_packet2 validate type
[2011-07-29 21:05:50]
S7.4 process and skip lifetime notice
[2011-07-29 21:05:50]
S7.5 QM_packet2 check reject offer
[2011-07-29 21:05:50]

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
NAT-T mode, adding non-esp marker
NAT-T mode, adding non-esp marker
disconnect phase...
ip: can't find device 'tun0'
ip: an inet prefix is expected rather than ""
ip: RTNETLINK answers: No such process
DNS not restored (no active default gateway)

Please help me. What should I do?
3rd August 2011, 02:28 PM |#10  
woprr
If this helps the developers to keep the stuff up to date, here's the handshake from a Fritzbox 7240 with Firmware-Version 73.05.05 and the default VPN config:

Code:
~$ ike-scan -v -s 0 --aggressive --id=xxxxxxxxxxxxx fritz.box
DEBUG: pkt len=380 bytes, bandwidth=56000 bps, int=58285 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
x.x.x.x Aggressive Mode Handshake returned 
HDR=(CKY-R=a79e96b1e2acf788) 
SA=(Enc=3DES Hash=SHA1 
Auth=PSK Group=2:modp1024 
LifeType=Seconds LifeDuration=28800) 
KeyExchange(128 bytes) 
Nonce(16 bytes) 
ID(Type=ID_IPV4_ADDR, Value=xxxxxxxx) 
Hash(20 bytes) 
Notification=(Type=RESPONDER-LIFETIME, SPI=741b17c61bce146aa79e96b1e2acf788, 
Data=800b0001800c0e10) 
VID=09002689dfd6b712 (XAUTH) 
VID=afcad71368a1f1c96b8696fc77570100 
(Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.269 seconds (3.72 hosts/sec).  1 returned handshake; 0 returned notify
The Fritzbox only answers in aggressive mode; this may be the reason for the failing Android VPN client, see the Android system logs...

Code:
Get osmonitor app exported logcat log (no permissions over sshfs):
$ scp htc:/mnt/sdcard/log1 .
grep it for ipsec vpn racoon:

08/03/2011 17:03:50 [INFORMATION] racoon(7090) ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)

08/03/2011 17:01:44 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnSettings: +312ms
08/03/2011 17:01:57 [DEBUG] com.android.settings.vpn.AuthenticationActor(3067) ~~~~~~ connect() succeeded!
	at com.android.server.vpn.VpnService.getIp(VpnService.java:108)
	at com.android.server.vpn.VpnService.onConnect(VpnService.java:135)
	at com.android.server.vpn.VpnServiceBinder$2.run(VpnServiceBinder.java:117)
08/03/2011 17:01:58 [INFORMATION] ipd(77) IP CMD: /system/bin/ip ru del from all to all table vpn prio 2500
08/03/2011 17:02:06 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnEditor: +479ms
08/03/2011 17:03:39 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnSettings: +328ms
08/03/2011 17:03:49 [DEBUG] com.android.settings.vpn.AuthenticationActor(3067) ~~~~~~ connect() succeeded!
	at com.android.server.vpn.VpnService.waitUntilConnectedOrTimedout(VpnService.java:210)
	at com.android.server.vpn.VpnService.onConnect(VpnService.java:139)
	at com.android.server.vpn.VpnServiceBinder$2.run(VpnServiceBinder.java:117)
08/03/2011 17:04:35 [INFORMATION] ipd(77) IP CMD: /system/bin/ip ru del from all to all table vpn prio 2500

08/03/2011 17:01:57 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:01:57 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:01:57 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:01:58 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:01:58 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:01:58 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:03:49 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:03:49 [INFORMATION] SProxy_racoon(6207) Start VPN daemon: racoon
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) racoon is running after 0 msec
08/03/2011 17:03:49 [DEBUG] racoon(7090) Waiting for control socket
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) service not yet listen()ing; try again
08/03/2011 17:03:50 [DEBUG] racoon(7090) Received 3 arguments
08/03/2011 17:03:50 [INFORMATION] racoon(7090) ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[500] used as isakmp port (fd=10)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[500] used for NAT-T
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[4500] used as isakmp port (fd=11)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[4500] used for NAT-T
08/03/2011 17:03:50 [INFORMATION] SProxy_racoon(6207) got data from control socket: 3
08/03/2011 17:03:52 [INFORMATION] racoon(7090) no in-bound policy found: 192.168.0.3/32[1701] 192.168.0.106/32[0] proto=udp dir=in
08/03/2011 17:03:52 [INFORMATION] racoon(7090) IPsec-SA request for 192.168.0.3 queued due to no phase1 found.
08/03/2011 17:03:52 [INFORMATION] racoon(7090) initiate new phase 1 negotiation: 192.168.0.106[500]<=>192.168.0.3[500]
08/03/2011 17:03:52 [INFORMATION] racoon(7090) begin Identity Protection mode.
08/03/2011 17:04:23 [ERROR] racoon(7090) phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.3[0]->192.168.0.106[0] 
08/03/2011 17:04:23 [INFORMATION] racoon(7090) delete phase 2 handler.
08/03/2011 17:04:23 [INFORMATION] racoon(7090) Bye
08/03/2011 17:04:35 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:04:35 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:04:35 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
I'm trying to adapt the Fritzbox VPN config to match the failing Android 2.3.3 built-in VPN client's requirements; further logs from other VPN clients will follow.

The Android VPN asks for XAUTH credentials; trying to configure the Fritzbox for XAUTH...

No success.

Android racoon still hits the phase 1 waiting timeout; changing the Fritzbox from aggressive to main mode...

No success, still phase 1 timeout; taking and analyzing a Wireshark dump from
http://fritz.box//html/capture.html (if ath0 or guest1 etc.)

Ok, here's what the android racoon sends to the fritz.box:

Code:
$ /usr/sbin/tcpdump -vvv -r fritz-ath0.eth src or dst port 500 or src or dst port l2f
reading from file fritz-ath0.eth, link-type EN10MB (Ethernet)
00:29:57.082587 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:07.104380 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:17.123829 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:27.145065 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:29.149902 IP (tos 0x0, ttl 64, id 51970, offset 0, flags [DF], proto UDP (17), length 97)
    htc.fritz.box.51610 > fritz.box.l2f: [udp sum ok]  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(798) *RECV_WIN_SIZE(1)
Code:
$ ike-scan -v -s 0 fritz.box
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
---	Pass 1 of 3 completed
---	Pass 2 of 3 completed
---	Pass 3 of 3 completed

Ending ike-scan 1.9: 1 hosts scanned in 2.445 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
A Wireshark-compatible file is attached.

I've found the allowed IPsec strategies for /bin/avmike in

Code:
# find / -name *ipsec*
/etc/default.Fritz_Box_7240/1und1/ipsec.cfg
/etc/default.Fritz_Box_7240/avm/ipsec.cfg
# 
# 
# find / -name *ike*  
/bin/avmike
/lib/libikeapi.so
/lib/libikeapi.so.2
/lib/libikeapi.so.2.0.0
/lib/libikecrypto.so
/lib/libikecrypto.so.1
/lib/libikecrypto.so.1.0.0
/lib/libikeossl.so
/lib/libikeossl.so.1
/lib/libikeossl.so.1.0.0
/var/run/avmike.pid
/var/tmp/csem/M-ikeapi-reply-dsld-W
/var/tmp/csem/M-ikeapi-reply-dsld-R
/var/tmp/csem/M-ikeapi-request-dsld-W
/var/tmp/csem/M-ikeapi-request-dsld-R
# 
# find / -name *vpn*
/etc/default.Fritz_Box_7240/1und1/vpn.cfg
/etc/default.Fritz_Box_7240/avm/vpn.cfg
/usr/share/ctlmgr/libvpnstat.so
/usr/www/1und1/html/de/internet/vpn.frm
/usr/www/1und1/html/de/internet/vpn.html
/usr/www/1und1/html/de/internet/vpn.js
/usr/www/1und1/html/de/menus/menu2_vpn.html
/usr/www/1und1/html/de/vpn
/usr/www/1und1/html/vpn_import_nok_reboot.html
/usr/www/1und1/html/vpn_import_ok_reboot.html
/usr/www/1und1/html/vpn_import_pwd_nok_reboot.html
/usr/www/avm/html/de/internet/vpn.frm
/usr/www/avm/html/de/internet/vpn.html
/usr/www/avm/html/de/internet/vpn.js
/usr/www/avm/html/de/menus/menu2_vpn.html
/usr/www/avm/html/de/vpn
/usr/www/avm/html/vpn_import_nok_reboot.html
/usr/www/avm/html/vpn_import_ok_reboot.html
/usr/www/avm/html/vpn_import_pwd_nok_reboot.html
/var/vpnroutes
/var/flash/vpn.cfg
/var/tmp/vpncfgimport.eff
#
# avmike -h
illegal option 'h'
usage: avmike avm_ike [options]
options:
  -?                 - print this help
  -D STRING          - switch debug logs on. (NULL)
  -d                 - debug service. (NOTSET)
  -f                 - run in forground. (NOTSET)
  -s                 - stop daemon. (NOTSET)
  -v                 - verbose. (NOTSET)
  -p STRING          - Pidfile. ("/var/run/avmike.pid")
  -w                 - [Hit return to continue]. (NOTSET)
  -p INTEGER         - port to use. (0)
ISAKMP/IPSec negoiation server
Trying to enable debug logs... debug options silently disabled in release build.

The matching Fritzbox factory IKE config for the Android 2.3.3 racoon is phase1ss = "racoon-dh2-aes-sha", but --lifetime=3600, or the datatype length or formatting, or other wrong config file settings:

Code:
# ike-scan fritz.box -M --retry=1 --trans=7/128,2,1,2 --lifetime=3600
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 0.532 seconds (1.88 hosts/sec).  0 returned handshake; 0 returned notify

19:37:36.599736 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116)
    tom1.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 84cdf79f56296b8b->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024)(type=keylen value=0080)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080))))
No answer from avmike, trying Android... no success.

Surely a config file mismatch, see http://www.ip-phone-forum.de/showthr...=1#post1672919 and search there under avm for posts containing phase1_mode_idp.

No. I tried to override the /etc/default/ipsec.cfg inline in vpn.cfg and > /var/flash/vpn.cfg, but the box does everything to prevent any tricks to change the ipsec.cfg, even removing the ipsec part from vpn.cfg when it is in comments.

Giving up and will remove the proprietary crap AVM VPN daemon from the box and install something like Freetz with racoon.

For those not able or not wanting to root their phone, here's the solution for the Fritzbox:
http://www.ip-phone-forum.de/showthr...37&pagenumber=
http://freetz.org/ticket/854
(Mostly German, use Google Translate)
Attached Files
File Type: zip gingerbread-isakmp01.eth.zip (502 Bytes, 67 views)