IPsec from Android can't reach SE Host computer (Ubuntu)

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Wed Jan 25, 2017 6:33 pm

Hello Everyone!

After a complete failure with L3 Routing Site-to-Site VPN I decided to go forward in small steps. First of all I've set up a very simple configuration:
* SoftEther VPN Server at Ubuntu PC (192.168.0.19), only one Virtual Hub, Local Bridge, IPsec enabled.
* Win10 Client (192.168.1.10)
* Android IPsec (192.168.1.20)

If I connect to the VPN from Win10 with the Client, everything works fine. I can reach the remote network (192.168.0.0/24) and can even connect to the host Ubuntu PC (192.168.0.19). If I run tracert, I get something like this:
C:\Users\admin>tracert 192.168.0.19

Tracing route to 192.168.0.19 [192.168.0.19]
over a maximum of 30 hops:

1 9 ms 8 ms 10 ms 192.168.0.10 [192.168.0.10]
2 9 ms 12 ms 8 ms 192.168.0.19 [192.168.0.19]

Trace complete.

or ping:
C:\Users\admin>ping 192.168.0.19

Pinging 192.168.0.19 with 32 bytes of data:
Reply from 192.168.0.45: Destination host unreachable.
Reply from 192.168.0.19: bytes=32 time=9ms TTL=63
Reply from 192.168.0.19: bytes=32 time=10ms TTL=63
Reply from 192.168.0.19: bytes=32 time=14ms TTL=63

Take note of the first reply in the ping output: 192.168.0.45 is the address of the Win10 machine.

But if I enter the network from any of my Android devices using the IPsec feature, I can reach the remote network (192.168.0.0/24) but can't get access to the host Ubuntu PC (192.168.0.19). If I try to ping or traceroute it, I always get something like "destination host unreachable".

I tried to set up an L3 Switch at the Server with only one interface and only one Hub in it and add the route 192.168.0.19 255.255.255.255 192.168.0.1, but with no success....

What can be wrong with the set-up?

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Wed Jan 25, 2017 7:39 pm

The same situation is with OpenVPN.

I also tried to add one more IPv4 address to the server... The result is the same. From Android I can't reach the Server but can reach any host on the remote network.

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Fri Jan 27, 2017 12:58 pm

Small addition to the case after some deep research:

I have a suspicion that the problem is at the Ubuntu Host due to the user-space nature of SoftEther VPN. When a packet arrives at the Ubuntu Server that should be sent to a VPN client, the server just doesn't know what to do with it.

If we take a look at the ARP table on the Ubuntu server, we can see that it has the IP address of the client (which belongs to the local network) but doesn't have its MAC address. Assigning the MAC to the IP by hand didn't help either.

But other devices in the local network can ping and arping the remote client without any problems.

The origin of this problem may be the user-space nature of SoftEther. There is no VPN interface on Ubuntu, so we can't assign a routing rule on the Ubuntu host to a VPN interface.

Anyway the case is still open.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by moatazelmasry » Sat Jan 28, 2017 1:34 pm

Here are a couple of remarks:

- How are you starting SE? User mode? Using start or execsvc?
https://www.softether.org/4-docs/1-manu ... ting_Modes
- You cannot be using IPsec to connect, since this protocol is not implemented in SE. You are probably using L2TP, SSL VPN or so.
- In general you cannot reach an SE client by pinging it from the server, since the server resides in a different subnet, say 192.168.0.1/24, while the client is in 192.168.30.1/24. The latter is nowhere defined on the OS where the Ubuntu server is hosted.

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Sat Jan 28, 2017 2:12 pm

moatazelmasry wrote:
> Here are a couple of remarks
>
> - How are you starting SE. User mode? using start or execsvc?
>
> https://www.softether.org/4-docs/1-manu ... ting_Modes
> - You can not be using IPSec to connect, since this protocol is not
> implemented in SE. You are probably using L2TP, SSL VPN or so
> - In general you can not reach SE client by pinging it from the server.
> Since the server resides in a different subnet, say 192.168.0.1/24, while
> the client is in 192.168.30.1/24. The later is nowhere defined on the OS,
> where the ubuntu server is hosted

IPsec (of course it is L2TP) is implemented in SE, as well as OpenVPN, especially for compatibility with iOS and Android. When I connect to the remote network with IPsec, a Layer 2 VPN tunnel is created. That means that my Android phone belongs to the remote network: it receives an IP address from the remote DHCP and the address belongs to the remote network.
In my case, if the server is 192.68.0.19 then Android gets 192.168.0.205. So they are in the same network and should be able to communicate directly even without a router. But they don't.
At the same time I can communicate from Android to any address on the remote network, except the VPN Host. And any device on the remote network can communicate with Android.

As to the SE installation on Ubuntu: to date it runs under root with start.

PS. Keep in mind that using L3 with OpenVPN brings the same result....

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by moatazelmasry » Sat Jan 28, 2017 3:01 pm

Ok. Let's use the name L2TP, because this is the protocol name you use.

Interesting to see whether you can reach the SE UDP ports. Try for example ports 500, 4500, 1701 like this:
nc -zv -u 192.68.0.19 500
I found an Android app for netcat:
https://play.google.com/store/apps/deta ... tcat&hl=de

Then, depending on the result, please check 2 logs on the SE server:
iptables nat logging. Type:
iptables -t nat -A PREROUTING -p udp -j LOG --log-prefix="nat PREROUTING:"
Then follow the file /var/log/syslog.

Also follow the packet_log in the SE directory and see whether anything is being written there.

If it is a yes to both questions, then please have a look at the server_log of SE and post the result here.
When using Android VPN, are you choosing L2TP/IPSec PSK? Or which method?

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Sat Jan 28, 2017 8:34 pm

moatazelmasry wrote:
> Ok. Let's use the name L2TP, because this is the protocol name you use.
>
It could seem funny, but it is written even in the SE Management Tool that it is L2TP over IPsec :)
> Interesting to see whether you can reach SE UDP ports. Try for example port
> 500,4500,1701 like this:
> nc -zv -u 192.68.0.19 500
> I found an android app for netcat
>
> https://play.google.com/store/apps/deta ... tcat&hl=de
>
> Then depending on the result, please check 2 logs on the SE server:
> iptables nat logging. Type:
> iptables -t nat -A PREROUTING -p udp -j LOG --log-prefix="nat
> PREROUTING`:"
> Then follow the file /var/log/syslog
>
> Also follow the packet_log in SE directory and see whether stuff are being
> written there
>
> If it is a yes to both question. Then please have a log at server_log of SE
> and post the result here.
> When using Android VPN, are you choosing L2TP/IPSec PSK? are which method?
Yes, on Android the PSK method. Others are not supported by SE.

And now the tests:

Phase 1: Android is physically inside the network and I'm trying to use NetCat for Android to connect to:
UDP 500 - infinite connecting;
UDP 4500 - infinite connecting;
UDP 1701 - infinite connecting.
No records in SE logs.
I can ping 192.168.0.19 from Android.

Phase 2: Android is physically inside the network and I'm trying to use NetCat for Android to connect to the following ports, with the iptables addition:
UDP 500 - infinite connecting;
UDP 4500 - infinite connecting;
UDP 1701 - infinite connecting.
No records in SE logs.
I can ping 192.168.0.19 from Android.
No records in SysLog. But I'm not sure about iptables command.

Phase 3: Android is physically inside the network and I'm trying to use NetCat for Android to connect to the following ports, with the iptables addition slightly modified:
UDP 500 - infinite connecting;
UDP 4500 - infinite connecting;
UDP 1701 - infinite connecting.
No records in SE logs.
I can ping 192.168.0.19 from Android.
SysLog captured the following requests from Android (which has the 192.168.0.14 address):
Jan 28 23:14:59 J1800 kernel: [445763.023907] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
Jan 28 23:15:00 J1800 kernel: [445764.110511] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
Jan 28 23:15:01 J1800 kernel: [445765.201038] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
Jan 28 23:15:21 J1800 kernel: [445785.200995] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
Jan 28 23:15:41 J1800 kernel: [445805.242584] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
Jan 28 23:16:01 J1800 kernel: [445825.302986] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
Jan 28 23:16:21 J1800 kernel: [445845.365781] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
Jan 28 23:16:41 J1800 kernel: [445865.437991] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69
But the lines above seem not relevant.

Phase 4: Android is connected via L2TP/IPsec from outside the network and I'm trying to use NetCat for Android to connect to the following ports, with the iptables addition slightly modified:
UDP 500- infinite connecting;
UDP 4500- infinite connecting;
UDP 1701- infinite connecting.
One SE log, the security one:
2017-01-28 23:23:51.649 The connection "CID-180" (IP address: 31.173.86.132, Host name: 31.173.86.132, Port number: 1701, Client name: "L2TP VPN Client", Version: 4.22, Build: 9634) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "S5Duos".
2017-01-28 23:23:51.649 Connection "CID-180": Successfully authenticated as user "S5Duos".
2017-01-28 23:23:51.649 Connection "CID-180": The new session "SID-S5DUOS-[L2TP]-37" has been created. (IP address: 31.173.86.132, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2017-01-28 23:23:51.649 Session "SID-S5DUOS-[L2TP]-37": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2017-01-28 23:23:51.659 Session "SID-S5DUOS-[L2TP]-37": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 422, Client build number: 9634, Server product name: "SoftEther VPN Server (64 bit)", Server version: 422, Server build number: 9634, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "anonymous", Client IP address: "31.173.86.132", Client port number: 1701, Server host name: "192.168.0.19", Server IP address: "192.168.0.19", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "Dacha", Client unique ID: "9C1F602AB3DB8")
2017-01-28 23:23:52.698 Session "SID-LOCALBRIDGE-1": The DHCP server of host "5C-F4-AB-" (192.168.0.10) on this session allocated, for host "SID-S5DUOS-[L2TP]-37" on another session "CA-B1-57-", the new IP address 192.168.0.205.
No records relevant to .205 in SysLog.
Then I tried to ping .19 from Android .205, with no success and without any records in any log.

PS. The iptables command was
iptables -t nat -A PREROUTING -p udp -j LOG
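The netfilter LOG lines captured above are all mDNS (UDP 5353 to the multicast address 224.0.0.251), not the IKE, NAT-T or L2TP ports that the nc probe and the Android client should have produced. The following Python script is an added example, not code from the thread or from the SoftEther project: it parses the KEY=VALUE format of kernel LOG records as they appear in /var/log/syslog, names the traffic by destination UDP port, and filters out everything that is not VPN control traffic, so that a syslog capture can be checked at a glance. The first three sample lines are the ones posted above; the IKE line with source 198.51.100.7 and the systemd line are constructed for the example.

```python
import re
from collections import Counter

# UDP ports an L2TP/IPsec session uses (IKE, IKE NAT traversal, L2TP) plus the
# mDNS port that the captured syslog lines actually contained.
PORT_NAMES = {500: "IKE/ISAKMP", 4500: "IPsec NAT-T", 1701: "L2TP", 5353: "mDNS (noise)"}
VPN_CONTROL_PORTS = {500, 4500, 1701}

# Sample input (constructed for this example): the first three lines are the
# ones captured in the post; the fourth is a CONSTRUCTED IKE packet from a
# remote client (documentation address 198.51.100.7) logged with the
# "nat PREROUTING:" prefix; the last is an ordinary syslog line for contrast.
SAMPLE_LINES = [
    "Jan 28 23:14:59 J1800 kernel: [445763.023907] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69",
    "Jan 28 23:15:00 J1800 kernel: [445764.110511] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69",
    "Jan 28 23:15:01 J1800 kernel: [445765.201038] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:84:38:38: SRC=192.168.0.14 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=69",
    "Jan 28 23:23:51 J1800 kernel: [446295.000000] nat PREROUTING: IN=enp2s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.0.19 LEN=364 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=344",
    "Jan 28 23:15:05 J1800 systemd[1]: Started Session 12 of user admin.",
]


def parse_netfilter_log_line(line):
    """Return the KEY=VALUE fields of one kernel netfilter LOG line as a dict,
    or None when the line is not a LOG record (no 'IN=' field).
    Bare flags such as DF go into rec['flags']; the UDP header's repeated LEN
    is stored as 'L4_LEN'; any --log-prefix text is stored as rec['prefix']."""
    idx = line.find("IN=")
    if idx < 0 or "kernel:" not in line:
        return None
    rec = {"flags": []}
    # The log prefix sits between the "[uptime]" bracket and the IN= field.
    m = re.search(r"\]\s*(.*)$", line[:idx])
    rec["prefix"] = m.group(1).strip() if m else ""
    for tok in line[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # OUT= yields an empty value
            if key in rec:
                key = "L4_" + key  # second LEN belongs to the UDP header
            rec[key] = val
        else:
            rec["flags"].append(tok)
    return rec


def classify(rec):
    """Name the traffic by destination UDP port; non-UDP records are labelled as such."""
    if rec.get("PROTO") != "UDP":
        return "non-UDP"
    dpt = int(rec["DPT"])
    return PORT_NAMES.get(dpt, "other UDP/%d" % dpt)


def is_vpn_control_traffic(rec):
    """True for UDP packets to the IKE / NAT-T / L2TP ports."""
    return rec.get("PROTO") == "UDP" and int(rec["DPT"]) in VPN_CONTROL_PORTS


def summarize(lines):
    """Count LOG records per (source IP, traffic class); non-LOG lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_netfilter_log_line(line)
        if rec is not None:
            counts[(rec["SRC"], classify(rec))] += 1
    return dict(counts)


def vpn_control_lines(lines):
    """Return only the raw lines that carry IKE / NAT-T / L2TP traffic."""
    out = []
    for line in lines:
        rec = parse_netfilter_log_line(line)
        if rec is not None and is_vpn_control_traffic(rec):
            out.append(line)
    return out


if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LINES).items()):
        print("%-16s %-14s %d" % (src, kind, n))
    print("VPN control packets seen:", len(vpn_control_lines(SAMPLE_LINES)))
```

Run against a real capture with `grep kernel /var/log/syslog` piped into SAMPLE_LINES. One caveat when reading the nc result alongside this: `nc -z -u` reports a UDP port as open whenever no ICMP port-unreachable comes back, so a LOG record for the probe packet is stronger evidence that it reached the server than nc's "succeeded" message.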

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Sun Jan 29, 2017 6:59 am

By the way, trying to solve the situation I enabled SecureNAT and got this picture:
[attachment: Untitled picture.png]
The end of the second paragraph caught my attention. It may give us a clue: to connect to the virtual hub at the VPN server from the server computer, we need to establish a client connection from the server to the same virtual hub?

PS. Just enabling SecureNAT gives me 100% processor load on the server... That is not good. And still no connection between Android and the Host server.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by moatazelmasry » Sun Jan 29, 2017 2:35 pm

I suspect there is a problem with your SE configuration rather than network configuration.

Out of fun, can you run netcat on the Ubuntu machine hosting SE? Do you get a response?

If you want to use SecureNAT, then please enable the DHCP functionality. Further, for now disable/delete any local bridge, L3 Switch etc.

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Sun Jan 29, 2017 4:37 pm

moatazelmasry wrote:
> I suspect there is a problem with your SE configuration rather than network
> configuration.
>
SE config is as simple as a bald :)
> Out of fun, can you run netcat on the Ubuntu machine hosting SE. Do you get
> a response?
>
Yes, I can connect from the Host to the same Host with netcat:
nc -zv -u 192.68.0.19 500
Connection to 192.68.0.19 500 port [udp/isakmp] succeeded!

> If you want to use SecureNAT, then please enable the DHCP functionality.
This is not a good option I think, because of the DHCP server at the router within the network. That can ruin the entire net.
> Further for now disable/Delete any local bridge, L3 Switch etc..
The SE config at the Host is very simple:
One Virtual Hub + one Local Bridge connecting the physical network adapter with the Virtual Hub + one User inside the Virtual Hub + enabled IPsec/L2TP + empty Access List + zero Cascade Connections + disabled VirtualNAT/SecureNAT + no L3 Virtual Switch + disabled Azure.... That should work out of the box....

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Mon Jan 30, 2017 8:11 am

I've checked the situation with IPv6 only:
1. Remote network with SE Server on Ubuntu
2. Local network with SE Server on Ubuntu
3. Layer 2 tunnel with complete filtering of IPv4 traffic and enabled transfer of IPv6 Router Advertisements.

My local network gets real IPv6 addresses from the remote router via the remote SE on the remote Ubuntu, and I can access the IPv6 network. But the two Ubuntu machines can't communicate with each other directly via IPv6. The remote Ubuntu can reach the IPv6 network. The local Ubuntu can't reach the IPv6 network, but it has been assigned a real IPv6 address from the remote router via its RA. I can reach the remote Ubuntu via IPv6 from the outside world but can't get to the local Ubuntu from the outside world.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by moatazelmasry » Wed Feb 01, 2017 2:09 am

tbh I wouldn't trust IPv6 on SE much. As far as I know not everything related to IPv6 is implemented yet; the problem is I don't know which bits are missing. So let us stick to IPv4.

>> If you want to use SecureNAT, then please enable the DHCP functionality.
> This is not good option I thing because of DHCP server at the router within the network. That can ruin the entitre net.

Could you please elaborate? Why do you think enabling the virtual DHCP will ruin your network? Also, it is possible to enable SecureNAT WITHOUT enabling the DHCP functionality.

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Wed Feb 01, 2017 11:05 am

moatazelmasry wrote:
> tbh I wouldn't trust ipv6 on SE much. As far as I know not everything related to ipv6
> is implemented yet, the problem is I don't know which bits are missing. So let us
> stick to ipv4
I've already done an experiment (actually that is the final goal of the entire project). I've connected two Ubuntu machines in different networks with SE. I filter all IPv4 traffic using the Virtual Hub functionality. And I got a functional IPv6 connection to the outer world at the second network. The remote router with its DHCP assigned real IPv6 addresses to computers in my local network and I could work with the IPv6 outer world.
But a problem happened: in my local network all Android devices couldn't get out to the outer IPv4 Internet. They could work with local resources, but if I tried to open a web site somewhere.... nothing happened. I don't know why that happened....
At the same time all Win10 computers worked well with both networks.
And at the same time both Ubuntu machines couldn't see each other :) Using IPv6 of course...
>
> >> If you want to use SecureNAT, then please enable the DHCP functionality.
> > This is not good option I thing because of DHCP server at the router within the
> network. That can ruin the entitre net.
>
> Could you please elaborate? Why do you think enabling the virtual DHCP will ruin your
> network? Also it is possible to enable SecureNAT WITHOUT enabling DHCP functionality
When I connect to a network and there is already a DHCP that works well, I shouldn't introduce my own DHCP to the same network. Using SecureNAT my device connects to the remote network and receives an IP address from the remote DHCP. If two DHCPs assign IP addresses to the devices, that will be a problem I think.

PS. Anyway SecureNAT didn't solve the problem...

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by moatazelmasry » Wed Feb 01, 2017 1:04 pm

Just to answer the second part:
The virtual DHCP inside SE is not a separate program/process and won't compete/clash with an external DHCP server; it only assigns IPs to VPN clients. Ideally you configure it with a different subnet.

So about your local bridge:
- It connects the correct virtual HUB (in case you have multiple hubs) and your eth0
- Its state is "connected" and is showing no errors

Maybe you can try to push static routes to other network resources. Do this inside the SE virtual NAT function and see if this works:
192.168.0.19 255.255.255.255 192.168.0.1

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Wed Feb 01, 2017 2:05 pm

moatazelmasry wrote:
> Just to answer the second part:
> The virtual DHCP inside SE, is not a separate program/process and won't
> compete/clash with an external DHCP server, it only assigns IPs to VPN
> clients. Ideally you configure it with a different subnet.
>
> So about your local bridge:
> - It connects between the correct virtual HUB (in case you have multiple
> hubs) and your eth0
Yes
> - Its state is "connected" and is showing no errors
Yes
>
Checked with VirtualNAT; the result is the same.
> Maybe you can try to push the static routes to other network resources. Do
> this inside SE virtual NAT function and see if this work:
> 192.168.0.19 255.255.255.255 192.168.0.1
Also didn't help :(

PS. Installed IPsec between ZyXel and Ubuntu for IPv4... It works well. So I've ordered a Raspberry Pi in order to try to install Windows IoT there and check whether maybe it will work better with Windows than with Linux...

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by thisjun » Wed Feb 15, 2017 8:08 am

There is a limitation when a local bridge is used on Linux.
Please refer to this.
http://www.softether.org/4-docs/1-manua ... r_Mac_OS_X

kvv213
Posts: 16
Joined: Sun Jan 22, 2017 12:30 pm

Re: IPsec from Android can't reach SE Host computer (Ubuntu)

Post by kvv213 » Wed Feb 15, 2017 8:10 am

thisjun wrote:
> There is limitation when localbridge is used on Linux.
> Please refer this.
>
> http://www.softether.org/4-docs/1-manua ... r_Mac_OS_X

Yes, that is true!
