VPNC to FritzBox works!!!!

By mp1405, Member on 5th September 2010, 11:25 AM
3rd January 2011, 02:07 PM |#11  
@sky01x

Hi Sky, where did you find the right tun.ko?

Thanks for a hint.
To.
3rd January 2011, 02:17 PM |#12  
@lier99

I got the tun.ko from:

http://forum.xda-developers.com/showthread.php?t=793712

Best regards
4th January 2011, 12:07 PM |#13  
I9000XXJPY
Kernel 2.6.32.9 hardcore k12h-500hz #2
XXJPY_Doc_v7_Kitchen

Fritzbox 7270

Thanks for the apk and the howto,
but still a little trouble.
The Fritzbox cfg is changed according to the iPhone config from AVM.
The VPN Connections app says connected.
The Fritzbox says Status green, I have an internet IP, I see my assigned IP, but for the local net I get 0.0.0.0. From there I do not get into my local network. Whenever I try to change the Fritzbox cfg to

phase2localid {
ipnet {
ipaddr = 192.168.1.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipaddr = 192.168.1.203;
}
phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
accesslist =
"permit ip 192.168.1.0 255.255.255.0 192.168.1.203 255.255.255.255";

like my notebook, which runs fine on the tunnel, the connection fails.

Any idea?
4th January 2011, 01:17 PM |#14  
VPN doesn't work via GSM/UMTS connection
Hello,

I need help, my VPN doesn't work via a GSM/UMTS connection.

My configuration:
FritzBox 7170 with Firmware-Version 29.04.86-18946 (Laborversion)
and VPN configured as iPhone.
Dynamic DNS is active and ready.
Phone: HTC Desire with LeeDroid v2.03c
VPNC from mp1405: signed-myVPNC.apk

now if I'm connected via WLAN to my FritzBox I have a VPN connection,
but via GSM or UMTS I get no connection - why?

Thanks
4th January 2011, 04:20 PM |#15  
Thanks for your great work! My 7270 shows connection established.

However there seems to be a problem with your vpnc-script. I'm getting a

Device "default via <UMTS-IP> dev rmnet0 " does not exist.
Error: either "to" is duplicate, or "hoplimit" is a garbage.
backing up dns settings
vpnc-script ran to completion

on the console. Maybe I can further look into it tonight.

#Running Leedroid2.3a
24th February 2011, 09:00 AM |#16  
mcbyte_it
Quote:
Originally Posted by mp1405

----------------------------------------------------------------------------
update 20.12.2010
----------------------------------------------------------------------------
New APK to install on a rooted Android device. After installing you can connect via IPSEC VPN to a Cisco device and to the FritzBox with the latest firmware without modifying the FritzBox.

So, do you mean that I only need to install the attached signed-myVPNC.apk and I can connect to my Fritz without doing the iPhone patching procedure on the Fritz side? Or do I need to do it anyway?

Does this apk work with Gingerbread too?

Update:
I imported the modified VPN config to my Fritz, installed the signed VPN Connect.apk and set up the account, and tried to connect. It says connected on both Android and my Fritz, but I cannot connect to addresses inside my Fritz.

The build of Android I use (NexusHD2 - Gingerbread 2.2) seems to have a tun.so file, so I don't need to import it, right?

What else can I do?
5th March 2011, 08:51 PM |#17  
Quote:
Originally Posted by mp1405

...
For all who want to use the FritzPhone app to make phone calls via vpnc: this will not work because the app does not use the 3G interface (only WLAN). Download the app "3cx" from the market and in the setup menu "integration" you will find "Enable 3G", that's all.

Hi,

Thank you for this. The last thing that I can't get to work is to connect with Fritz!Box Fon to the box across 3G.

I have downloaded 3cx and enabled "Enable 3G" without any other settings in the profile. But in Fritz!Box Fon the "not connected" remains. Any other hints?

Android "DHD Leedroid 2.2.2"
FritzBox "7270 Firmware 54.04.88"

Thx
2nd July 2011, 11:24 PM |#18  
LordDeath
I am running a HD2 with the latest CM7 ROM and I have a FritzBox 3270 with the latest firmware.
Thanks to this I can finally establish a VPN connection with my phone.
29th July 2011, 08:29 PM |#19  
Does not work for me.

Fritzbox config:
Quote:

vpncfg {
connections {
enabled = yes;
conn_type = conntype_user;
name = "my mail";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 192.168.178.201;
remoteid {
key_id = "my mail";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "my key";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = yes;
use_cfgmode = no;
xauth {
valid = yes;
username = "my login";
passwd = "mypass";
}
phase2localid {
ipnet {
ipaddr = 192.168.178.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipaddr = 192.168.178.201;
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist =
"permit ip 192.168.178.0 255.255.255.0 192.168.178.201 255.255.255.255";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

And the log from Android (MIUI):
Quote:

pre-init phase...
connect phase...
vpnc-script ran to completion
quick mode response rejected: (ISAKMP_N_INVALID_MESSAGE_ID)(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall
this locks out even Cisco clients on any platform expect windows
which is an obvious security improvment. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using
compression, expect on low-bandwith (read: ISDN) links, because it
uses much CPU-resources on the concentrator

vpnc version 0.5.3-mjm1-140M
S1 init_sockaddr
[2011-07-29 21:05:48]
S2 make_socket
[2011-07-29 21:05:48]
S3 setup_tunnel
[2011-07-29 21:05:48]
using interface tun0
S4 do_phase1_am
[2011-07-29 21:05:48]
S4.1 create_nonce
[2011-07-29 21:05:48]
S4.2 dh setup
[2011-07-29 21:05:48]
S4.3 AM packet_1
[2011-07-29 21:05:48]
S4.4 AM_packet2
[2011-07-29 21:05:49]
(Xauth)
(DPD)
(Nat-T 03)
(unknown)
got ike lifetime attributes: 3600 seconds
IKE SA selected psk+xauth-aes256-sha1
ignoring that peer is DPD capable (RFC3706)
peer is NAT-T capable (draft-03)
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
S4.5 AM_packet3
[2011-07-29 21:05:49]
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
NAT-T mode, adding non-esp marker
S4.6 cleanup
[2011-07-29 21:05:49]
S5 do_phase2_xauth
[2011-07-29 21:05:49]
S5.1 xauth_start
[2011-07-29 21:05:49]
S5.2 notice_check
[2011-07-29 21:05:49]
S5.3 type-is-xauth check
[2011-07-29 21:05:49]
S5.4 xauth type check
[2011-07-29 21:05:49]
S5.5 do xauth authentication
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S5.2 notice_check
[2011-07-29 21:05:49]
S5.3 type-is-xauth check
[2011-07-29 21:05:49]
S5.6 process xauth response
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S5.7 xauth done
[2011-07-29 21:05:49]
S6 do_phase2_config
[2011-07-29 21:05:49]
S6.1 phase2_config send modecfg
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S6.2 phase2_config receive modecfg
[2011-07-29 21:05:50]
got save password setting: 0
got address 192.168.178.201
S7 setup_link (phase 2 + main_loop)
[2011-07-29 21:05:50]
S7.0 run interface setup script
[2011-07-29 21:05:50]
S7.1 QM_packet1
[2011-07-29 21:05:50]
S7.2 QM_packet2 send_receive
[2011-07-29 21:05:50]
NAT-T mode, adding non-esp marker
S7.3 QM_packet2 validate type
[2011-07-29 21:05:50]
S7.4 process and skip lifetime notice
[2011-07-29 21:05:50]
S7.5 QM_packet2 check reject offer
[2011-07-29 21:05:50]

---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
NAT-T mode, adding non-esp marker
NAT-T mode, adding non-esp marker
disconnect phase...
ip: can't find device 'tun0'
ip: an inet prefix is expected rather than ""
ip: RTNETLINK answers: No such process
DNS not restored (no active default gateway)

Please help me. What should I do?
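The vpn.cfg quoted above (and the phase2 snippet in post #13) uses the FritzBox block syntax. Below is an added example, not AVM's code or anything posted in this thread, that parses that syntax and runs a few defender-side checks on it: aggressive mode with a pre-shared key, the catch-all phase1ss, a clear-text XAUTH password, PFS, and whether the accesslist mirrors the phase 2 identities. The sample input is constructed from the values quoted in the post.

```python
"""Parse the FritzBox vpn.cfg block syntax quoted in this thread and check the
security-relevant settings. Added example, not AVM's code or any poster's."""
import re

# Constructed from the values quoted in post #19 (placeholders kept as posted).
SAMPLE_CFG = """
vpncfg {
connections {
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
xauth {
passwd = "mypass";
}
phase2localid {
ipnet {
ipaddr = 192.168.178.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipaddr = 192.168.178.201;
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist =
"permit ip 192.168.178.0 255.255.255.0 192.168.178.201 255.255.255.255";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{}=;,]|[^\s{}=;,"]+')  # strings, punctuation, bare words

def parse(text):
    """Return nested dicts; 'name = v1, v2;' becomes a list, '// ...' is a comment."""
    tokens = TOKEN_RE.findall(re.sub(r"//[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name, pos = tokens[pos], pos + 1
            if tokens[pos] == "{":                      # nested block
                pos += 1
                node[name] = block()
                pos += 1                                # consume the closing brace
            elif tokens[pos] == "=":                    # value list up to ';'
                end = tokens.index(";", pos)
                values = [t.strip('"') for t in tokens[pos + 1:end] if t != ","]
                pos = end + 1
                node[name] = values[0] if len(values) == 1 else values
            else:
                raise ValueError("unexpected %r after %r" % (tokens[pos], name))
        return node

    return block()

def accesslist_matches(c):
    """The permit rule must name exactly the phase2 local net and the remote host."""
    local = c["phase2localid"].get("ipnet", c["phase2localid"])
    want = "permit ip %s %s %s 255.255.255.255" % (
        local["ipaddr"], local.get("mask", "255.255.255.255"), c["phase2remoteid"]["ipaddr"])
    return " ".join(c["accesslist"].split()) == want

def review(cfg):
    """Defender's checklist for the single connection in cfg; returns the findings."""
    c = cfg["vpncfg"]["connections"]
    checks = [
        (c.get("mode") == "phase1_mode_aggressive" and c.get("keytype") == "connkeytype_pre_shared",
         "aggressive mode with a PSK: the PSK-based hash is exchanged before the peer is authenticated"),
        (c.get("phase1ss") == "all/all/all", "phase1ss all/all/all accepts any proposal; pin one"),
        ("passwd" in c.get("xauth", {}), "XAUTH password stored in clear text in vpn.cfg"),
        (c.get("phase2ss", "").endswith("/no-pfs"), "phase 2 without PFS"),
        (not accesslist_matches(c), "accesslist does not mirror phase2localid/phase2remoteid"),
    ]
    return [msg for hit, msg in checks if hit]
```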
3rd August 2011, 02:28 PM |#20  
woprr
If this helps the developers to keep the stuff up to date, here's the handshake from a FritzBox 7240 with Firmware-Version 73.05.05 and the default VPN config:

Code:
~$ ike-scan -v -s 0 --aggressive --id=xxxxxxxxxxxxx fritz.box
DEBUG: pkt len=380 bytes, bandwidth=56000 bps, int=58285 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
x.x.x.x Aggressive Mode Handshake returned 
HDR=(CKY-R=a79e96b1e2acf788) 
SA=(Enc=3DES Hash=SHA1 
Auth=PSK Group=2:modp1024 
LifeType=Seconds LifeDuration=28800) 
KeyExchange(128 bytes) 
Nonce(16 bytes) 
ID(Type=ID_IPV4_ADDR, Value=xxxxxxxx) 
Hash(20 bytes) 
Notification=(Type=RESPONDER-LIFETIME, SPI=741b17c61bce146aa79e96b1e2acf788, 
Data=800b0001800c0e10) 
VID=09002689dfd6b712 (XAUTH) 
VID=afcad71368a1f1c96b8696fc77570100 
(Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.269 seconds (3.72 hosts/sec).  1 returned handshake; 0 returned notify
The FritzBox only answers aggressive mode; this may be the reason for the faulting Android VPN client, see the Android system logs...

Code:
Get osmonitor app exported logcat log (no permissions over sshfs):
$ scp htc:/mnt/sdcard/log1 .
grep it for ipsec vpn racoon:

08/03/2011 17:03:50 [INFORMATION] racoon(7090) ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)

08/03/2011 17:01:44 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnSettings: +312ms
08/03/2011 17:01:57 [DEBUG] com.android.settings.vpn.AuthenticationActor(3067) ~~~~~~ connect() succeeded!
	at com.android.server.vpn.VpnService.getIp(VpnService.java:108)
	at com.android.server.vpn.VpnService.onConnect(VpnService.java:135)
	at com.android.server.vpn.VpnServiceBinder$2.run(VpnServiceBinder.java:117)
08/03/2011 17:01:58 [INFORMATION] ipd(77) IP CMD: /system/bin/ip ru del from all to all table vpn prio 2500
08/03/2011 17:02:06 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnEditor: +479ms
08/03/2011 17:03:39 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnSettings: +328ms
08/03/2011 17:03:49 [DEBUG] com.android.settings.vpn.AuthenticationActor(3067) ~~~~~~ connect() succeeded!
	at com.android.server.vpn.VpnService.waitUntilConnectedOrTimedout(VpnService.java:210)
	at com.android.server.vpn.VpnService.onConnect(VpnService.java:139)
	at com.android.server.vpn.VpnServiceBinder$2.run(VpnServiceBinder.java:117)
08/03/2011 17:04:35 [INFORMATION] ipd(77) IP CMD: /system/bin/ip ru del from all to all table vpn prio 2500

08/03/2011 17:01:57 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:01:57 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:01:57 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:01:58 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:01:58 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:01:58 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:03:49 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:03:49 [INFORMATION] SProxy_racoon(6207) Start VPN daemon: racoon
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) racoon is running after 0 msec
08/03/2011 17:03:49 [DEBUG] racoon(7090) Waiting for control socket
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) service not yet listen()ing; try again
08/03/2011 17:03:50 [DEBUG] racoon(7090) Received 3 arguments
08/03/2011 17:03:50 [INFORMATION] racoon(7090) ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[500] used as isakmp port (fd=10)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[500] used for NAT-T
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[4500] used as isakmp port (fd=11)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[4500] used for NAT-T
08/03/2011 17:03:50 [INFORMATION] SProxy_racoon(6207) got data from control socket: 3
08/03/2011 17:03:52 [INFORMATION] racoon(7090) no in-bound policy found: 192.168.0.3/32[1701] 192.168.0.106/32[0] proto=udp dir=in
08/03/2011 17:03:52 [INFORMATION] racoon(7090) IPsec-SA request for 192.168.0.3 queued due to no phase1 found.
08/03/2011 17:03:52 [INFORMATION] racoon(7090) initiate new phase 1 negotiation: 192.168.0.106[500]<=>192.168.0.3[500]
08/03/2011 17:03:52 [INFORMATION] racoon(7090) begin Identity Protection mode.
08/03/2011 17:04:23 [ERROR] racoon(7090) phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.3[0]->192.168.0.106[0] 
08/03/2011 17:04:23 [INFORMATION] racoon(7090) delete phase 2 handler.
08/03/2011 17:04:23 [INFORMATION] racoon(7090) Bye
08/03/2011 17:04:35 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:04:35 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:04:35 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
I'm trying to adapt the FritzBox VPN config to match the faulting Android 2.3.3 built-in VPN client's requirements; further logs from other VPN clients will follow.

The Android VPN asks for XAUTH credentials, trying to configure the FritzBox for XAUTH...

No success,

Android racoon still times out waiting for phase 1, changing the FritzBox from aggressive to main mode...

No success, still phase 1 timeout, taking and analyzing a Wireshark dump from
http://fritz.box//html/capture.html (if ath0 or guest1 etc.)

OK, here's what the Android racoon sends to the fritz.box:

Code:
$ /usr/sbin/tcpdump -vvv -r fritz-ath0.eth src or dst port 500 or src or dst port l2f
reading from file fritz-ath0.eth, link-type EN10MB (Ethernet)
00:29:57.082587 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:07.104380 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:17.123829 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:27.145065 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:29.149902 IP (tos 0x0, ttl 64, id 51970, offset 0, flags [DF], proto UDP (17), length 97)
    htc.fritz.box.51610 > fritz.box.l2f: [udp sum ok]  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(798) *RECV_WIN_SIZE(1)
Code:
$ ike-scan -v -s 0 fritz.box
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
---	Pass 1 of 3 completed
---	Pass 2 of 3 completed
---	Pass 3 of 3 completed

Ending ike-scan 1.9: 1 hosts scanned in 2.445 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
A Wireshark-compatible file is attached.

I've found the allowed IPsec strategies for /bin/avmike in

Code:
# find / -name *ipsec*
/etc/default.Fritz_Box_7240/1und1/ipsec.cfg
/etc/default.Fritz_Box_7240/avm/ipsec.cfg
# 
# 
# find / -name *ike*  
/bin/avmike
/lib/libikeapi.so
/lib/libikeapi.so.2
/lib/libikeapi.so.2.0.0
/lib/libikecrypto.so
/lib/libikecrypto.so.1
/lib/libikecrypto.so.1.0.0
/lib/libikeossl.so
/lib/libikeossl.so.1
/lib/libikeossl.so.1.0.0
/var/run/avmike.pid
/var/tmp/csem/M-ikeapi-reply-dsld-W
/var/tmp/csem/M-ikeapi-reply-dsld-R
/var/tmp/csem/M-ikeapi-request-dsld-W
/var/tmp/csem/M-ikeapi-request-dsld-R
# 
# find / -name *vpn*
/etc/default.Fritz_Box_7240/1und1/vpn.cfg
/etc/default.Fritz_Box_7240/avm/vpn.cfg
/usr/share/ctlmgr/libvpnstat.so
/usr/www/1und1/html/de/internet/vpn.frm
/usr/www/1und1/html/de/internet/vpn.html
/usr/www/1und1/html/de/internet/vpn.js
/usr/www/1und1/html/de/menus/menu2_vpn.html
/usr/www/1und1/html/de/vpn
/usr/www/1und1/html/vpn_import_nok_reboot.html
/usr/www/1und1/html/vpn_import_ok_reboot.html
/usr/www/1und1/html/vpn_import_pwd_nok_reboot.html
/usr/www/avm/html/de/internet/vpn.frm
/usr/www/avm/html/de/internet/vpn.html
/usr/www/avm/html/de/internet/vpn.js
/usr/www/avm/html/de/menus/menu2_vpn.html
/usr/www/avm/html/de/vpn
/usr/www/avm/html/vpn_import_nok_reboot.html
/usr/www/avm/html/vpn_import_ok_reboot.html
/usr/www/avm/html/vpn_import_pwd_nok_reboot.html
/var/vpnroutes
/var/flash/vpn.cfg
/var/tmp/vpncfgimport.eff
#
# avmike -h
illegal option 'h'
usage: avmike avm_ike [options]
options:
  -?                 - print this help
  -D STRING          - switch debug logs on. (NULL)
  -d                 - debug service. (NOTSET)
  -f                 - run in forground. (NOTSET)
  -s                 - stop daemon. (NOTSET)
  -v                 - verbose. (NOTSET)
  -p STRING          - Pidfile. ("/var/run/avmike.pid")
  -w                 - [Hit return to continue]. (NOTSET)
  -p INTEGER         - port to use. (0)
ISAKMP/IPSec negoiation server
Trying to enable debug logs... debug options silently disabled in release build.

The matching FritzBox factory IKE config for the Android 2.3.3 racoon is phase1ss = "racoon-dh2-aes-sha", but --lifetime=3600 or datatype length or formatting, or other wrong config file settings:

Code:
# ike-scan fritz.box -M --retry=1 --trans=7/128,2,1,2 --lifetime=3600
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 0.532 seconds (1.88 hosts/sec).  0 returned handshake; 0 returned notify

19:37:36.599736 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116)
    tom1.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 84cdf79f56296b8b->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024)(type=keylen value=0080)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080))))
No answer from avmike, trying Android... no success.

Surely a config file mismatch, see http://www.ip-phone-forum.de/showthr...=1#post1672919 and search there under avm for posts containing phase1_mode_idp.

No. Tried to override the /etc/default/ipsec.cfg inline in vpn.cfg and > /var/flash/vpn.cfg, but the box does everything to prevent any tricks to change the ipsec.cfg, even removing the ipsec part from vpn.cfg when in comments.

Giving up; I will remove the proprietary crap AVM VPN daemon from the box and install something like Freetz with racoon.

For those not able or not wanting to root their phone, here's the solution for the FritzBox:
http://www.ip-phone-forum.de/showthr...37&pagenumber=
http://freetz.org/ticket/854
(Mostly German, use Google Translate)
Attached file: gingerbread-isakmp01.eth.zip (502 Bytes)
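The tcpdump and ike-scan outputs above show the client proposing main mode (tcpdump's "ident") while the box only ever returned an aggressive-mode handshake. Below is an added example, not from this thread, tcpdump or ike-scan, that parses constructed excerpts of both outputs and checks whether the failure is the exchange mode or the transform set; it assumes the ike-scan --aggressive result is the only answer the box gave, and it also flags the 1DES/MD5 transforms the client offers.

```python
"""Compare the IKE phase 1 exchange captured in this thread: what the Android
racoon client proposed (tcpdump) against what the FritzBox answered (ike-scan).
Added example, not code from the thread, tcpdump or ike-scan."""
import re

# Constructed excerpt of the tcpdump output above: one client packet, three of its six transforms.
TCPDUMP = """\
00:29:57.082587 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
"""
# Constructed excerpt of the ike-scan --aggressive output above (the only answer the box gave).
IKE_SCAN = """\
x.x.x.x Aggressive Mode Handshake returned
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
"""

TRANSFORM_RE = re.compile(r"\(t: #(\d+) id=ike ((?:\([^)]*\))+)\)")
ATTR_RE = re.compile(r"\(type=([\w ]+?) value=(\w+)\)")

def parse_tcpdump(text):
    """Return (exchange type, [transform dicts]); tcpdump prints 'ident' for main mode, 'agg' for aggressive."""
    mode = re.search(r"phase 1 I (\w+):", text).group(1)
    transforms = []
    for num, attrs in TRANSFORM_RE.findall(text):
        a = dict(ATTR_RE.findall(attrs))
        keylen = str(int(a["keylen"], 16)) if "keylen" in a else ""   # 0080 hex = 128 bits
        transforms.append({"num": int(num), "enc": a["enc"] + keylen, "hash": a["hash"],
                           "auth": a["auth"], "group": a["group desc"]})
    return mode, transforms

def parse_ike_scan(text):
    """Return (mode the responder answered in, its chosen transform) or (None, None)."""
    hs = re.search(r"(Aggressive|Main) Mode Handshake returned", text)
    sa = re.search(r"SA=\(Enc=(\S+) Hash=(\S+) Auth=(\S+) Group=\d+:(\S+)", text)
    if not hs or not sa:
        return None, None
    enc, hsh, auth, group = sa.groups()
    return hs.group(1).lower(), {"enc": enc.lower().replace("/", ""), "hash": hsh.lower(),
                                 "auth": {"PSK": "preshared"}.get(auth, auth.lower()), "group": group}

def diagnose(client_mode, proposals, box_mode, chosen):
    """Say whether phase 1 can complete and, if not, why, in the terms used in this thread."""
    keys = ("enc", "hash", "auth", "group")
    matches = [p["num"] for p in proposals if chosen and all(p[k] == chosen[k] for k in keys)]
    weak = [p["num"] for p in proposals if p["enc"] == "1des" or p["hash"] == "md5"]
    client = {"ident": "main", "agg": "aggressive"}[client_mode]
    if box_mode is None:
        verdict = "no handshake from the responder; nothing to compare"
    elif client != box_mode:
        verdict = "exchange mode mismatch: client uses %s mode, box answers only %s mode" % (client, box_mode)
    elif not matches:
        verdict = "no common phase 1 transform"
    else:
        verdict = "phase 1 should complete with transform #%d" % matches[0]
    return {"verdict": verdict, "matching_transforms": matches, "weak_transforms": weak}
```

For the captured data the transform sets overlap (the client's #1 is exactly what the box chose), so the verdict points at the exchange mode rather than the crypto proposal.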
10th August 2011, 06:25 AM |#21  
Hi,

Does this work with the tun.ko included in the Virtuous Unity 1.31 ROM (Desire HD)?
Or do I need a special tun.ko?
I installed the patched vpnc, set up my FritzBox correctly and tried to connect, but it does not work. Logcat shows me "tun0 is not a tetherable iface, ignoring".

Thx