Android 4 ICS: VPN with IPsec PSK fails

I really like Android Ice Cream Sandwich on my Google Nexus S except for one thing: IPsec has a bug and is unusable. The bug was already reported in December 2011. Unfortunately there is no feedback from Google whatsoever. And it’s not like this bug is hard to verify. Install CentOS 6.2 on a VM, configure Openswan and you can see that setting up an IPsec PSK link between Android ICS and Openswan fails because Android ICS seems to mess up the payload which causes this error:

Starting in March both Samsung and HTC will start to roll out Android ICS to (some of) their current phones. Unless the Android Development Team fixes this bug there will be millions and millions of users who can no longer set up a secure tunnel using IPsec. Let’s hope it does not get to that.
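The pluto log lines quoted further down the thread reject the ISAKMP NAT-OA payload because a reserved octet (byte 7) is not zero. As an added example, not code from this post, from Openswan or from Android, the following Python parser decodes that payload using the layout from RFC 3947 section 5.2 and fails it exactly where a strict responder does; the sample payloads and the address in them are constructed.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address

# ISAKMP NAT-OA payload layout (RFC 3947, section 5.2); offsets are 0-based:
#   0      Next Payload
#   1      RESERVED, must be zero
#   2-3    Payload Length (big-endian, counts this 8-byte header too)
#   4      ID Type: ID_IPV4_ADDR (1) or ID_IPV6_ADDR (5)
#   5-7    RESERVED, must be zero   (byte 7 is the one pluto reports in the log)
#   8..    original IPv4 (4 bytes) or IPv6 (16 bytes) address
ID_IPV4_ADDR, ID_IPV6_ADDR = 1, 5
ADDR_LEN = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16}
HEADER_LEN = 8
RESERVED_OFFSETS = (1, 5, 6, 7)

class PayloadMalformed(ValueError):
    """Raised where a strict responder would answer with PAYLOAD_MALFORMED."""

@dataclass
class NatOa:
    next_payload: int
    id_type: int
    address: str

def build_nat_oa(next_payload: int, address: str) -> bytes:
    """Encode a conforming NAT-OA payload with every reserved octet zero."""
    ip = ip_address(address)
    id_type = ID_IPV4_ADDR if ip.version == 4 else ID_IPV6_ADDR
    length = HEADER_LEN + ADDR_LEN[id_type]
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + ip.packed

def parse_nat_oa(buf: bytes) -> NatOa:
    """Decode a NAT-OA payload, rejecting it the way a strict responder does."""
    if len(buf) < HEADER_LEN:
        raise PayloadMalformed("NAT-OA payload shorter than its 8-byte header")
    # Reserved octets are checked before anything else is trusted; the first
    # nonzero one is reported by offset, which is how "byte 7 ... must be zero" arises.
    for off in RESERVED_OFFSETS:
        if buf[off] != 0:
            raise PayloadMalformed(f"byte {off} of ISAKMP NAT-OA Payload must be zero, but is not")
    next_payload, _, length, id_type, _, _ = struct.unpack("!BBHBBH", buf[:HEADER_LEN])
    if id_type not in ADDR_LEN:
        raise PayloadMalformed(f"unsupported NAT-OA ID type {id_type}")
    if length != HEADER_LEN + ADDR_LEN[id_type] or len(buf) < length:
        raise PayloadMalformed(f"NAT-OA length {length} does not match ID type {id_type}")
    return NatOa(next_payload, id_type, str(ip_address(buf[HEADER_LEN:length])))

def diagnose(buf: bytes) -> str:
    """Return the responder's diagnostic for buf, or '' when it parses cleanly."""
    try:
        parse_nat_oa(buf)
        return ""
    except PayloadMalformed as exc:
        return str(exc)

# Constructed samples (not taken from the thread): a conforming payload, and the
# same payload with reserved byte 7 set, as a misbehaving initiator might send it.
GOOD = build_nat_oa(0, "192.168.1.10")
BAD = GOOD[:7] + b"\x01" + GOOD[8:]
```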

13 thoughts on “Android 4 ICS: VPN with IPsec PSK fails”

  1. @Adam S
    In my experience the Openswan mailing list is quite helpful. If you want to make sure that your config is ok just post it to the mailing list asking if it’s ok. I have ICS 4.0.4 on my Nexus S and will give 2.6.38 a try but that will be next week earliest.

  2. Thanks, Patrick!

    I’ll post to the list. Just an FYI… I did install 2.6.38 from source tonight and received the same/similar error messages. I’ll take your advice and post to their list.

    Perhaps it’s an issue with ICS 4.0.2 (or perhaps it’s a configuration oversight on my part).

    Regards,
    Adam

  3. I manually installed 2.6.38dr2-9 and still had problems with stock Android 4.0.2.

    Apr 15 23:26:42 SERVER_NAME pluto[3228]: "l2tp-psk"[7] #5: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Apr 15 23:26:42 SERVER_NAME pluto[3228]: "l2tp-psk"[7] #5: malformed payload in packet
    Apr 15 23:26:42 SERVER_NAME pluto[3228]: | payload malformed after IV
    Apr 15 23:26:42 SERVER_NAME pluto[3228]: | 30 d2 c9 ec db 49 ba 91 7c 8d 3f a3 5a 2b 53 3e
    Apr 15 23:26:42 SERVER_NAME pluto[3228]: "l2tp-psk"[7] #5: sending notification PAYLOAD_MALFORMED to :10463
    Apr 15 23:26:45 SERVER_NAME pluto[3228]: "l2tp-psk"[7] #5: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
    Apr 15 23:26:45 SERVER_NAME pluto[3228]: "l2tp-psk"[7] #5: malformed payload in packet
    Apr 15 23:26:45 SERVER_NAME pluto[3228]: | payload malformed after IV
    Apr 15 23:26:45 SERVER_NAME pluto[3228]: | 30 d2 c9 ec db 49 ba 91 7c 8d 3f a3 5a 2b 53 3e
    Apr 15 23:26:45 SERVER_NAME pluto[3228]: "l2tp-psk"[7] #5: sending notification PAYLOAD_MALFORMED to :10463

    1. Hi Adam. First I would update to 2.6.38 final and test again. If it still does not work then please report it on the Openswan mailing list. Make sure the subject mentions that it still does not work with 2.6.38.

  4. Quick update:

    One of the Openswan developers gave me an account on a test box that was running a development version of Openswan so he could see what was going on (thanks Paul!). The connection between the Nexus S with Android 2.3.6 and the test box was established successfully. So there is a fix and it will be part of Openswan 2.6.38. Hopefully the fix will also be backported to RHEL 6.2 Openswan 2.6.32.

  5. I was going mad trying to figure out what was wrong with my VPN setup :S
    It seems to be an interoperability problem with racoon (on the Android side) and Openswan/strongSwan…

  6. Going to try this out later for the Galaxy Nexus. Also have an Evo running Gingerbread that I was going to try it out on.

    Thanks for the info.
