Zaloguj się

Jog Jajcusia

xmpp:jajcus@jajcus.net

Mój jest ten kawałek Internetu…

…złe emocje i brudne buty proszę więc zostawić przed drzwiami.

Gotowanie dla geeków

Od dziecka lubiłem eksperymentować w kuchni. Mając chyba niespełna dziesięć lat sam smażyłem faworki. Na palcu mam wciąż bliznę po moich „karmelkach”. Jednak nigdy nie byłem zapalonym kucharzem, komputery ciekawsze, a ja lubię jak obiad to mi podają gotowy ;) Tak więc, większość życia cieszyłem się wygodami obiadków od mamusi albo żonki ;) Czasem, jednak jeszcze do kuchni zaglądam…

Mój repertuar ostatnich dwóch lat to muffinki i domowy chlebek. Mało urozmaicony, ale za to mogę te konkretne umiejętności doskonalić. Ostatni chlebek już naprawdę był bliski doskonałości, a piernikowe muffinki długo nie poleżały… ale ja nie o tym miałem…

Ktoś najwyraźniej chciałby, żebym do tej kuchni częściej zaglądał, albo repertuar poszerzył, bo od mikołaja (6 grudnia) dostałem książkę, prawie, że kucharską:

Gotowanie dla geeków

Przepisów jest tam niewiele, za to dużo informacji o tym co się właściwie w tym garnku lub na patelni dzieje. Oraz co ciekawego można w kuchni zrobić… czy to standardowymi środkami, czy np. przy użyciu ciekłego azotu.

Pierwszy rozdział trochę męczył – nie wiadomo po co autor pięć razy tłumaczy jak to można kucharzy podzielić ze względu na ich motywację w kuchni itp. W drugim już lepiej, a potem coraz lepiej. Widać że to pisane przez Amerykanina dla mieszkańców USA (ileś przepisów wymagających kuchenki mikrofalowej, podejście do bezpieczeństwa żywności takie, że naszego kiszonego ogórka czy żurku to nawet kijem nie dotknąć), ale na to można wziąć poprawkę. Ważne że jest kupa konkretów, których w innej książce kucharskiej się nie znajdzie. I nagle jest jasne, czemu jedno mięso trzeba smażyć bardzo krótko, a inne długo dusić i czemu tak łatwo kurczak robi się „suchy”. No i który składnik potrawy właściwie do czego jest potrzebny.

Myślę, że mogę „Gotowanie dla geeków” polecić innym geekom zaglądającym czasem do kuchni, nawet jeśli nie jest to dzieło wybitne. A sam się zastanawiam, czy na święta nie zrobić sobie „confitu z kaczki” według przepisu z tej książki (jakkolwiek dziwny mi się ten przepis nie wydaje)…

3 komentarze do wpisu „Gotowanie dla geeków”


Poczta aż miło

Na samym początku ulicy Andersa w Gliwicach (skrzyżowanie z Daszyńskiego i Kościuszki) jest taki mały lokalik, w którym były już: kwiaciarnia, sklep z artykułami biurowymi i drogeria. Żadne długo tam nie przetrwało i ostatnio było widać, że ktoś nowy będzie się tam wprowadzał.

Dzisiaj idąc rano do pracy zauważyłem, że nad drzwiami pojawiła się niebieska flaga Poczty Polskiej, a obok szyld „Antyki”. Poczta? Fajnie, przy da się po drodze z biura… ale gdzie tam jeszcze antyki zmieścili? Na drzwiach tabliczka informacyjna, że to rzeczywiście agencja Poczty Polskiej, a w środku było jakieś antyki widać… postanowiłem obadać to później.

Akurat znalazł się i pretekst, żeby jakiś list wysłać, to wychodząc z biura po drugie śniadanko, zajrzałem do tego sklepiku. Środek częściowo wytapetowany starymi gazetami. Obok drzwi stoi stara komoda z jakimiś duperelami (stare żelazko, krucyfiks, itp.) w rogu, pod oknem stary okrągły stolik i dwa krzesła/fotele też nie z naszych czasów. Po drugiej stronie duże, stare, solidne biurku, a za nim starszy wąsaty, łysawy pan w okularach i owinięty szalikiem. Na biurku laptop, górka listów, segregator ze znaczkami i tak dalej. Przede mną dwie osoby w kolejce, przy stoliku starsza pani nalepia znaczki na list.

Szybko przyszła moja kolej, chociaż pan jeszcze się trochę gubił w tych znaczkach itp. Narzekał też na „system, który jeszcze nie całkiem działa” i „tych informatyków, wie pan”… Jak na pierwszy dzień wszystko i tak działało nad wyraz sprawnie. No i ten klimat – fajnie jest. Mam nadzieję, że ta poczta-antykwariat przetrwa tu dużo dłużej niż poprzedni najemcy.

Otwarte do 17-tej, w przeciwieństwie do innej poczty, którą mam prawie po drodze, więc będę mógł swoje fakturki w drodze z pracy do domu wysyłać.

W ogóle ostatnio jestem zadowolony z Poczty… święta tuż-tuż, a przesyłki z dnia na dzień dochodzą. Gdy ostatnio musiałem szybko coś wysłać (nie mając nawet w co zapakować) bardzo miła pani na poczcie okazała się bardzo pomocna (przechowała paczkę zanim skoczyłem do papierniczego po materiały pakunkowe, pożyczyła nożyczki, nie proszona) – byłem pod wrażeniem, bo ludzi pełno, ona sama i z załatwiała wszystko bardzo sprawnie (chociaż swoje w kolejce odczekałem).

5 komentarzy do wpisu „Poczta aż miło”


Jak zabezpieczyć VPN L2TP/IPsec na Androidzie

Pisałem, że namęczyłem się, żeby odpalić L2TP/IPsec między PLD i Androidem.

Napisałem też, że taki tunel nie zupełnie jest bezpieczny

I co? Zrezygnować z tego IPsec i VPN w ogóle? Czy może kombinować z innym rozwiązaniem? A może jednak załatać tego IPSec?

Wybrałem trzecią opcję. Jeśli chodzi o sprawdzanie certyfikatu, to obejście problemu już opisałem – trzeba zrobić własne CA, które wystawi jeden certyfikat, dla serwera.

Drugi problem (10 sekund plain tekstu) nie da się obejść po stronie serwera, ale da się coś zrobić na telefonie. Na zrootowanym telefonie na pewno.

Okazało się, że na kernel w telefonie posiada pełnosprawny podsystem netfilter i za pomocą iptables można zablokować nieszyfrowany ruch. Używam już Droidwalla, więc wystarczyło dołożyć mu kilka regułek.

No to, po kolei:

Stworzenie prostego CA:

cat >ca.cnf <<EOF
[ req ]
default_bits        = 2048
default_keyfile     = ca-key.pem
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
string_mask         = nombstr
attributes          = req_attributes
prompt              = no

[ req_attributes ]

[ req_distinguished_name ]
commonName = VPN CA

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
EOF
openssl req -new -x509 -config ca.cnf -batch -nodes -days 3650 -out ca-cert.pem

Za pomocą tego CA tworzę certyfikat dla serwera (sensowne subjectName i subjectAltName na wypadek jakbym czymś normalnym też chciał się łączyć, bo Android ma to w nosie):

cat >vpn.cnf <<EOF
[ req ]
default_bits        = 2048
default_keyfile     = vpn-key.pem
distinguished_name  = req_distinguished_name
attributes          = req_attributes
prompt              = no

[ req_distinguished_name ]
commonName                  = vpn.example.org

[ req_attributes ]
subjectAltName=IP:10.20.30.40;DNS:vpn.example.org

[ cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
EOF
openssl req -new -batch -nodes -config vpn.cnf -out vpn-req.pem
openssl x509 -req -in vpn-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial $RANDOM -out vpn-cert.pem

vpn-key.pem i vpn-cert.pem wrzucam do konfiguracji Racoona. ca-cert.pem trzeba zainstalować na telefonie – ja wrzuciłem na swój serwer WWW, pod nazwą ca-cert.crt i załadowałem przeglądarką z telefonu. Potem trzeba wybrać to zaimportowane CA w konfiguracji łącza VPN. Należy pamiętać, że nie wolno tego samego CA używać do wystawiania certyfikatów klientów, ani najlepiej żadnych innych.

Teraz blokowanie plaintekstu… Wchodzę do DroidWall, tam z menu wybieram więcej/Set custom script i wklejam następujące skrypty:

# allow Android only to connect to L2TP over ipsec
$IPTABLES -A "droidwall" -m udp -p 17 --dport 1701 -m policy --pol ipsec --dir out -j ACCEPT
$IPTABLES -A "droidwall" -m udp -p 17 --dport 1701 -j DROP

# prevent injection of unauthenticated packets
$IPTABLES -F INPUT
$IPTABLES -A INPUT -m udp -p 17 --sport 1701 -m policy --pol ipsec --dir in -j ACCEPT
$IPTABLES -A INPUT -m udp -p 17 --sport 1701 -j DROP

oraz (shutdown script):

# clean the rules added to INPUT
$IPTABLES -F INPUT

I to by było na tyle.

Dodaj komentarz do wpisu „Jak zabezpieczyć VPN L2TP/IPsec na Androidzie”


Android implementation of VPN L2TP/IPsec vulnerable to MITM attacks

This is an English version of my previous post

Introdution

Recently I have decided to try using the VPN client functionality of my Samsung Galaxy S Plus (I9001) phone. Of the four available options I have chosen the one which is supposed to be the most secure: 'L2TP/IPsec CRT VPN' (L2TP tunnel secured by IPsec, authenticated with certificates). I had to configure a matching VPN server on may Linux-based router fist. It was not trivial, but I did it – using ipsec-tools (the Racoon daemon) for IPsec and openl2tp for L2TP. It was not trivial, but at some places it seemed too easy. This raised my suspicion.

After a few simple experiments I knew the VPN connection is not secure, because of bugs (or design choices) in the Android implementation. Please remember I am talking only about my phone, running Android 2.3.3 (GINGERBREAD.XXKG3).

When things work as they should

Experiment 0.

The server is configured 'as it should be' – using a certificate with its name – 'vpn.example.org' and accepting only encrypted (IPsec) connections to the L2TP port (1701, UDP). On a phone a VPN is configured as follows:

  • VPN name: SomeNet
  • Set VPN server: vpn.example.org
  • Enable L2TP secret: off
  • Set user certificate: a user certificate for 'user@example.org', issued by the same CA which issued the server certificate.
  • Set CA certificate: Certificate of the trusted third-party CA issuing the server and client certificates.
  • DNS search domains: somenet

At the phone shell terminal I have started a ping to 192.168.0.2 (a machine in the LAN behind the VPN tunnel).

Ping answers appear a moment after I start the VPN connection from my phone.

The network traffic on the server side looks like this:

# tcpdump -l -v -n -i eth1 port 500 or port 1701 or esp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:43:44.608568 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
12:43:44.663217 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 132)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))))
    (vid: len=20)
12:43:45.382608 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 208)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (ke: key len=128)
    (nonce: n len=16)
12:43:45.407626 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 336)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (ke: key len=128)
    (nonce: n len=16)
    (cr: len=124 type=x509sign)
12:43:55.705144 IP (tos 0x48, ttl 51, id 10624, offset 0, flags [+], proto UDP (17), length 1500)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1708/ip 1472)
12:43:57.256500 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.256644 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.256713 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.256778 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 164)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.415368 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 120)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid adbf66a8: phase 2/others I inf[E]: [encrypted hash]
12:43:58.464303 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 312)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid b9020aee: phase 2/others I oakley-quick[E]: [encrypted hash]
12:43:58.465297 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 176)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid b9020aee: phase 2/others R oakley-quick[E]: [encrypted hash]
12:43:58.517546 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 96)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid b9020aee: phase 2/others I oakley-quick[E]: [encrypted hash]
12:43:59.934124 IP (tos 0x48, ttl 51, id 15669, offset 0, flags [DF], proto ESP (50), length 128)
    188.33.176.187 > 10.20.30.40: ESP(spi=0x02b101a6,seq=0x1), length 108
12:44:00.195342 IP (tos 0x0, ttl 64, id 42855, offset 0, flags [DF], proto ESP (50), length 192)
    10.20.30.40 > 188.33.176.187: ESP(spi=0x0a176818,seq=0x1), length 172
12:44:00.237465 IP (tos 0x48, ttl 51, id 15670, offset 0, flags [DF], proto ESP (50), length 80)
    188.33.176.187 > 10.20.30.40: ESP(spi=0x02b101a6,seq=0x2), length 60
12:44:00.807696 IP (tos 0x0, ttl 64, id 42856, offset 0, flags [DF], proto ESP (50), length 72)
    10.20.30.40 > 188.33.176.187: ESP(spi=0x0a176818,seq=0x2), length 52
12:44:00.857370 IP (tos 0x48, ttl 51, id 15671, offset 0, flags [DF], proto ESP (50), length 96)
[...]

We can see a connection to the IKE port for authentication and key agreement, then everything is encrypted inside the IPsec ESP packets. That is exactly what I would expect.

Android does not check certificate contents

Experiment 1.

The server configuration stays the same. I am only changing the server name in the phone. Now the VPN client is configured to connect to 'badvpn.example.net' instead of 'vpn.example.org'. This is the same machine, the same IP address, just a different name. This name is not included in the server's certificate.

Expected result: phone will not connect, because the other party cannot be authenticated as 'badvpn.example.net'. Alternatively, the phone could display a warning and request confirmation before continuing.

Actual result: phone connects exactly as in the previous experiment. No error, no warning.

Conclusion: Android VPN client does not check the names in the server certificate and does not compare them with the requested server name. Anyone having a certificate from the same CA could impersonate my server, carrying out a man-in-the-middle attack. I cannot be sure I am connecting to the server requested.

To mitigate the problem, the VPN server administrator may use own, dedicated CA to issue the server certificate instead of relying on third party CA or using one CA to issue certificates for different entities. But this contraticts a bit the idea of certificate-authority-based PKI.

Experiment 2.

Phone restored to initial configuration (as in experiment 0.), but server certificate is replaced with a user cert. Not only the name in the certificate does not match server name, but other properties (e.g. key usage) is different.

Result: the same as in Experiment 1. Certificate contents seems ignored.

Conclusion: to mitigate the problem VPN administrator must use different CA to issue server certificates and a to issue client certificates.

Experiment 3.

Does Android validate server certificate at all (using the provided CA certificate)? Phone configured as in experiment 0, again, but the server certificate is replaced with a new, self-signed certificate, which cannot be validated by the CA specified on the phone.

Good news: the phone won't connect.

Though, when we look at the IP traffic entering the server it becomes interesting:

13:20:51.287718 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:20:51.288533 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 132)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))))
    (vid: len=20)
13:20:52.125328 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 208)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (ke: key len=128)
    (nonce: n len=16)
13:20:52.147937 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 336)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (ke: key len=128)
    (nonce: n len=16)
    (cr: len=124 type=x509sign)
13:21:02.502646 IP (tos 0x48, ttl 51, id 50848, offset 0, flags [+], proto UDP (17), length 1500)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1708/ip 1472)
13:21:05.307743 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
13:21:05.307894 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
13:21:05.393772 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 104)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid ca46c9c0: phase 2/others I inf[E]: [encrypted hash]
13:21:12.456929 IP (tos 0x48, ttl 51, id 50849, offset 0, flags [+], proto UDP (17), length 1500)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1708/ip 1472)
13:21:12.457346 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 856)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted id]
13:21:12.567417 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 104)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 83b1e02d: phase 2/others I inf[E]: [encrypted hash]
13:21:22.627610 IP (tos 0x48, ttl 51, id 41737, offset 0, flags [DF], proto UDP (17), length 97)
    31.174.234.6.57180 > 10.20.30.40.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(43840) *RECV_WIN_SIZE(1)
13:21:24.630141 IP (tos 0x48, ttl 51, id 41738, offset 0, flags [DF], proto UDP (17), length 97)
    31.174.234.6.57180 > 10.20.30.40.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(43840) *RECV_WIN_SIZE(1)

We can see IKE negotiation failing (as expected), but after that the phone continues with sending L2TP requests… in plain text. Connection fails, because server ignores insecure L2TP requests.

This leads us to the second problem…

When IPsec does not work, Android connects in plain text

Experiment 4.

I am disabling IPsec on the server. I am stopping the Racoon daemon, removing the 'require IPsec for L2TP' rule from the firewall and disabling the 'ipsec' plugin of openl2tp. Phone stays configured as in experiment 0. (still 'L2TP/IPset' with certificates).

Expected result: the phone won't connect, as the IPsec connection cannot be established.

Actual result: phone connects, without encryption, but disconnects soon. During the short time it is connected, the connection is functional (proved by the 'pings and pongs' flowing):

# tcpdump -l -s0 -v -v -n -i eth1 port 500 or port 1701 or esp 
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:41:23.517220 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:33.671001 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:43.693458 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:53.677525 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:55.151280 IP (tos 0x48, ttl 51, id 33891, offset 0, flags [DF], proto UDP (17), length 97)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(62390) *RECV_WIN_SIZE(1)
13:41:55.151975 IP (tos 0x0, ttl 64, id 36766, offset 0, flags [DF], proto UDP (17), length 162)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) FIRM_VER(264) *HOST_NAME(vpn) VENDOR_NAME(Katalix Systems Ltd. Linux-2.6.37.6-2 (i686)) *ASSND_TUN_ID(62648) *RECV_WIN_SIZE(10)
13:41:55.430864 IP (tos 0x48, ttl 51, id 33892, offset 0, flags [DF], proto UDP (17), length 48)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
13:41:55.652497 IP (tos 0x0, ttl 64, id 36767, offset 0, flags [DF], proto UDP (17), length 40)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/0)Ns=1,Nr=2 ZLB
13:41:55.939596 IP (tos 0x48, ttl 51, id 33893, offset 0, flags [DF], proto UDP (17), length 66)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(24993) *CALL_SER_NUM(2539501115)
13:41:55.939936 IP (tos 0x0, ttl 64, id 36768, offset 0, flags [DF], proto UDP (17), length 56)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/24993)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(30984)
13:41:56.256430 IP (tos 0x48, ttl 51, id 33894, offset 0, flags [DF], proto UDP (17), length 68)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/30984)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(100000000) *FRAMING_TYPE(AS)
13:41:56.270628 IP (tos 0x0, ttl 64, id 15078, offset 0, flags [none], proto UDP (17), length 58)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Conf-Request (0x01), id 1, length 22
    encoded length 20 (=Option(s) length 16)
    0x0000:  c021 0101 0014
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 4: PAP
        0x0000:  c023
      Magic-Num Option (0x05), length 6: 0xfd374547
        0x0000:  fd37 4547}
13:41:56.652406 IP (tos 0x0, ttl 64, id 36769, offset 0, flags [DF], proto UDP (17), length 40)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/0)Ns=2,Nr=4 ZLB
13:41:57.228134 IP (tos 0x48, ttl 51, id 33895, offset 0, flags [DF], proto UDP (17), length 62)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Conf-Request (0x01), id 1, length 26
    encoded length 24 (=Option(s) length 20)
    0x0000:  c021 0101 0018
      MRU Option (0x01), length 4: 1400
        0x0000:  0578
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Magic-Num Option (0x05), length 6: 0x463dc4fb
        0x0000:  463d c4fb
      PFC Option (0x07), length 2: 
      ACFC Option (0x08), length 2: }
13:41:57.228434 IP (tos 0x0, ttl 64, id 15079, offset 0, flags [none], proto UDP (17), length 62)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Conf-Ack (0x02), id 1, length 26
    encoded length 24 (=Option(s) length 20)
    0x0000:  c021 0201 0018
      MRU Option (0x01), length 4: 1400
        0x0000:  0578
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Magic-Num Option (0x05), length 6: 0x463dc4fb
        0x0000:  463d c4fb
      PFC Option (0x07), length 2: 
      ACFC Option (0x08), length 2: }
13:41:59.273354 IP (tos 0x0, ttl 64, id 15080, offset 0, flags [none], proto UDP (17), length 58)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Conf-Request (0x01), id 1, length 22
    encoded length 20 (=Option(s) length 16)
    0x0000:  c021 0101 0014
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 4: PAP
        0x0000:  c023
      Magic-Num Option (0x05), length 6: 0xfd374547
        0x0000:  fd37 4547}
13:41:59.562111 IP (tos 0x48, ttl 51, id 33896, offset 0, flags [DF], proto UDP (17), length 58)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Conf-Ack (0x02), id 1, length 22
    encoded length 20 (=Option(s) length 16)
    0x0000:  c021 0201 0014
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 4: PAP
        0x0000:  c023
      Magic-Num Option (0x05), length 6: 0xfd374547
        0x0000:  fd37 4547}
13:41:59.562491 IP (tos 0x0, ttl 64, id 15081, offset 0, flags [none], proto UDP (17), length 46)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Echo-Request (0x09), id 0, length 10
    encoded length 8 (=Option(s) length 4)
    0x0000:  c021 0900 0008
      Magic-Num 0xfd374547}
13:41:59.562628 IP (tos 0x0, ttl 64, id 36770, offset 0, flags [DF], proto UDP (17), length 64)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/24993)Ns=2,Nr=4 *MSGTYPE(SLI) *ACCM(send=00000000 recv=00000000 )
13:41:59.625466 IP (tos 0x48, ttl 51, id 33897, offset 0, flags [DF], proto UDP (17), length 56)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {PAP, Auth-Req (0x01), id 1, Peer username, Name password}
13:41:59.625794 IP (tos 0x0, ttl 64, id 15082, offset 0, flags [none], proto UDP (17), length 51)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {PAP, Auth-ACK (0x02), id 1, Msg Login ok}
13:41:59.629723 IP (tos 0x0, ttl 64, id 15083, offset 0, flags [none], proto UDP (17), length 48)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Request (0x01), id 1, length 12
    encoded length 10 (=Option(s) length 6)
    0x0000:  8021 0101 000a
      IP-Addr Option (0x03), length 6: 192.168.0.1
        0x0000:  0afd 00fe}
13:42:00.035296 IP (tos 0x48, ttl 51, id 33898, offset 0, flags [DF], proto UDP (17), length 46)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Echo-Reply (0x0a), id 0, length 10
    encoded length 8 (=Option(s) length 4)
    0x0000:  c021 0a00 0008
      Magic-Num 0x463dc4fb}
13:42:00.093597 IP (tos 0x48, ttl 51, id 33899, offset 0, flags [DF], proto UDP (17), length 40)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=4,Nr=3 ZLB
13:42:00.156271 IP (tos 0x48, ttl 51, id 33900, offset 0, flags [DF], proto UDP (17), length 45)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 9
    encoded length 7 (=Option(s) length 3)
    0x0000:  80fd 0101 0007
      BSD-Comp Option (0x15), length 3:
        0x0000:  2f}
13:42:00.156540 IP (tos 0x0, ttl 64, id 15084, offset 0, flags [none], proto UDP (17), length 42)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 6}
13:42:00.156580 IP (tos 0x0, ttl 64, id 15085, offset 0, flags [none], proto UDP (17), length 45)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {unknown ctrl-proto (0x80fd), Conf-Reject (0x04), id 1, length 9
    encoded length 7 (=Option(s) length 3)
    0x0000:  80fd 0401 0007
      BSD-Comp Option (0x15), length 3:
        0x0000:  2f}
13:42:00.315382 IP (tos 0x48, ttl 51, id 33901, offset 0, flags [DF], proto UDP (17), length 66)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Request (0x01), id 1, length 30
    encoded length 28 (=Option(s) length 24)
    0x0000:  8021 0101 001c
      IP-Comp Option (0x02), length 6: VJ-Comp (0x2d):
        0x0000:  002d 0f01
      IP-Addr Option (0x03), length 6: 0.0.0.0
        0x0000:  0000 0000
      Pri-DNS Option (0x81), length 6: 0.0.0.0
        0x0000:  0000 0000
      Sec-DNS Option (0x83), length 6: 0.0.0.0
        0x0000:  0000 0000}
13:42:00.315702 IP (tos 0x0, ttl 64, id 15086, offset 0, flags [none], proto UDP (17), length 48)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Reject (0x04), id 1, length 12
    encoded length 10 (=Option(s) length 6)
    0x0000:  8021 0401 000a
      IP-Comp Option (0x02), length 6: VJ-Comp (0x2d):
        0x0000:  002d 0f01}
13:42:00.433811 IP (tos 0x48, ttl 51, id 33902, offset 0, flags [DF], proto UDP (17), length 48)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Ack (0x02), id 1, length 12
    encoded length 10 (=Option(s) length 6)
    0x0000:  8021 0201 000a
      IP-Addr Option (0x03), length 6: 192.168.0.1
        0x0000:  0afd 00fe}
13:42:00.721457 IP (tos 0x48, ttl 51, id 33903, offset 0, flags [DF], proto UDP (17), length 42)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {unknown ctrl-proto (0x80fd), Conf-Ack (0x02), id 1, length 6}
13:42:00.822080 IP (tos 0x48, ttl 51, id 33904, offset 0, flags [DF], proto UDP (17), length 42)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 2, length 6}
13:42:00.822317 IP (tos 0x0, ttl 64, id 15087, offset 0, flags [none], proto UDP (17), length 42)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {unknown ctrl-proto (0x80fd), Conf-Ack (0x02), id 2, length 6}
13:42:00.988689 IP (tos 0x48, ttl 51, id 33905, offset 0, flags [DF], proto UDP (17), length 60)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Request (0x01), id 2, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0102 0016
      IP-Addr Option (0x03), length 6: 0.0.0.0
        0x0000:  0000 0000
      Pri-DNS Option (0x81), length 6: 0.0.0.0
        0x0000:  0000 0000
      Sec-DNS Option (0x83), length 6: 0.0.0.0
        0x0000:  0000 0000}
13:42:00.988990 IP (tos 0x0, ttl 64, id 15088, offset 0, flags [none], proto UDP (17), length 60)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Nack (0x03), id 2, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0302 0016
      IP-Addr Option (0x03), length 6: 192.168.1.1
        0x0000:  0afb 000a
      Pri-DNS Option (0x81), length 6: 192.168.0.1
        0x0000:  0afd 00fe
      Sec-DNS Option (0x83), length 6: 192.168.0.3
        0x0000:  0afb 00fe}
13:42:01.460383 IP (tos 0x48, ttl 51, id 33906, offset 0, flags [DF], proto UDP (17), length 60)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Request (0x01), id 3, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0103 0016
      IP-Addr Option (0x03), length 6: 192.168.1.1
        0x0000:  0afb 000a
      Pri-DNS Option (0x81), length 6: 192.168.0.1
        0x0000:  0afd 00fe
      Sec-DNS Option (0x83), length 6: 192.168.0.3
        0x0000:  0afb 00fe}
13:42:01.460687 IP (tos 0x0, ttl 64, id 15089, offset 0, flags [none], proto UDP (17), length 60)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Ack (0x02), id 3, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0203 0016
      IP-Addr Option (0x03), length 6: 192.168.1.1
        0x0000:  0afb 000a
      Pri-DNS Option (0x81), length 6: 192.168.0.1
        0x0000:  0afd 00fe
      Sec-DNS Option (0x83), length 6: 192.168.0.3
        0x0000:  0afb 00fe}
13:42:02.157390 IP (tos 0x48, ttl 51, id 33907, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3720, length 64}
13:42:02.158470 IP (tos 0x0, ttl 64, id 15090, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49734, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3720, length 64}
13:42:02.851139 IP (tos 0x48, ttl 51, id 33908, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 82, length 64}
13:42:02.851307 IP (tos 0x0, ttl 64, id 15091, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18867, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 82, length 64}
13:42:03.184976 IP (tos 0x48, ttl 51, id 33909, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3721, length 64}
13:42:03.185852 IP (tos 0x0, ttl 64, id 15092, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49735, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3721, length 64}
13:42:03.820573 IP (tos 0x48, ttl 51, id 33910, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 83, length 64}
13:42:03.820664 IP (tos 0x0, ttl 64, id 15093, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18868, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 83, length 64}
13:42:04.176450 IP (tos 0x48, ttl 51, id 33911, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3722, length 64}
13:42:04.177522 IP (tos 0x0, ttl 64, id 15094, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49736, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3722, length 64}
13:42:04.848115 IP (tos 0x48, ttl 51, id 33912, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 84, length 64}
13:42:04.848241 IP (tos 0x0, ttl 64, id 15095, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18869, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 84, length 64}
13:42:05.179624 IP (tos 0x48, ttl 51, id 33913, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3723, length 64}
13:42:05.186429 IP (tos 0x0, ttl 64, id 15096, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49737, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3723, length 64}
13:42:05.840298 IP (tos 0x48, ttl 51, id 33914, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 85, length 64}
13:42:05.840420 IP (tos 0x0, ttl 64, id 15097, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18870, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 85, length 64}
13:42:06.158010 IP (tos 0x48, ttl 51, id 33915, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3724, length 64}
13:42:06.159102 IP (tos 0x0, ttl 64, id 15098, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49738, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3724, length 64}
13:42:06.818195 IP (tos 0x48, ttl 51, id 33916, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 86, length 64}
13:42:06.818324 IP (tos 0x0, ttl 64, id 15099, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18871, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 86, length 64}
13:42:07.124790 IP (tos 0x48, ttl 51, id 33917, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3725, length 64}
13:42:07.125777 IP (tos 0x0, ttl 64, id 15100, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49739, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3725, length 64}
13:42:07.816515 IP (tos 0x48, ttl 51, id 33918, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 87, length 64}
13:42:07.816624 IP (tos 0x0, ttl 64, id 15101, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18872, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 87, length 64}
13:42:08.128595 IP (tos 0x48, ttl 51, id 33919, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3726, length 64}
13:42:08.129682 IP (tos 0x0, ttl 64, id 15102, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49740, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3726, length 64}
13:42:08.874084 IP (tos 0x48, ttl 51, id 33920, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 88, length 64}
13:42:08.874267 IP (tos 0x0, ttl 64, id 15103, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18873, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 88, length 64}
13:42:09.203690 IP (tos 0x48, ttl 51, id 33921, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3727, length 64}
13:42:09.204799 IP (tos 0x0, ttl 64, id 15104, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49741, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3727, length 64}
13:42:09.939166 IP (tos 0x48, ttl 51, id 33922, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 89, length 64}
13:42:09.939270 IP (tos 0x0, ttl 64, id 15105, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18874, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 89, length 64}
13:42:10.247071 IP (tos 0x48, ttl 51, id 33923, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3728, length 64}
13:42:10.248183 IP (tos 0x0, ttl 64, id 15106, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49742, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3728, length 64}
13:42:10.871466 IP (tos 0x48, ttl 51, id 33924, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 90, length 64}
13:42:10.871557 IP (tos 0x0, ttl 64, id 15107, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18875, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 90, length 64}
13:42:11.212565 IP (tos 0x48, ttl 51, id 33925, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3729, length 64}
13:42:11.213609 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49743, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3729, length 64}
13:42:11.853452 IP (tos 0x48, ttl 51, id 33926, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 91, length 64}
13:42:11.853581 IP (tos 0x0, ttl 64, id 15109, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18876, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 91, length 64}
13:42:12.247625 IP (tos 0x48, ttl 51, id 33927, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3730, length 64}
13:42:12.248997 IP (tos 0x0, ttl 64, id 15110, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49744, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3730, length 64}
13:42:12.423101 IP (tos 0x48, ttl 51, id 33928, offset 0, flags [DF], proto UDP (17), length 54)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Term-Request (0x05), id 2, length 18
    encoded length 16 (=Option(s) length 12)
    0x0000:  c021 0502 0010}
13:42:12.433080 IP (tos 0x0, ttl 64, id 15111, offset 0, flags [none], proto UDP (17), length 42)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Term-Ack (0x06), id 2, length 6}
13:42:13.214877 IP (tos 0x48, ttl 51, id 33929, offset 0, flags [DF], proto UDP (17), length 64)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=4,Nr=3 *MSGTYPE(StopCCN) *ASSND_TUN_ID(62390) *RESULT_CODE(6)
13:42:13.215212 IP (tos 0x0, ttl 64, id 36771, offset 0, flags [DF], proto UDP (17), length 64)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/24993)Ns=3,Nr=5 *MSGTYPE(CDN) *RESULT_CODE(3) *ASSND_SESS_ID(30984)

I don't know what is the direct reason of the connection interruption. Maybe if I knew I could stop the phone from disconnecting the insecure tunnel.

Even though the connection does not last, it may be enough to carry out some kind of attack. In fact the traffic dump above shows us information that should be kept hidden:

{PAP, Auth-Req (0x01), id 1, Peer username, Name password}

Yes, it is the username and password, plain text. These are not required for a secure L2TP/IPsec connection, but Android insist on entering this passwords and some VPN set-ups may require that for extra authentication or accounting. The username/password pair may be used for other services in the organisation, so it should never leak out that easy.

Please note that configuring the VPN server to use CHAP instead of PAP doesn't help – at this stage the client is communicating with anybody, so it is the potential MITM attacker who can choose the PPP authentication protocol.

All a man-in-the-middle have to do to eavesdrop or take over the connection is to block the IKE negotiation (e.g. by blocking the port 500).

Conclusions

VPN is about secure connection to a trusted network over insecure, untrusted network. The Android VPN client doesn't provide the trust to the other VPN end and does not necessarily protect the connection from eavesdropping.

Anyone able to get between the phone and the VPN server may be able to:
- Take over the connection, if only he has a certificate issued by the trusted CA.
- Get the PPP username and password and take over the connection, for at least 10 seconds, otherwise.

The fact that Androids sets the default route to the VPN probably does not make things better…

P.S.: I have reported the issues to security@android.com a week ago. The only reply I got was the automatic response that 'they will follow up with me shortly, unless the thing I am reporting is not a security issue'. I treat no actual answer in a week as saying 'we don't treat this as a security issue'.

P.S. 2: The article is anonymized a bit: 'vpn.example.org' (10.20.30.40) – the VPN server, 'badvpn.example.net' – its alternative name, 192.168.0.1 – LAN IP address of the server, 192.168.0.2 another test machine in the LAN (for ping tests), 192.168.1.1 – IP address of the phone in the VPN.

P.S. 3: You may use the Google+ entry for comments, as commenting on the Jogger.pl platforms seems a bit broken.

Dodaj komentarz do wpisu „Android implementation of VPN L2TP/IPsec vulnerable to MITM attacks”


VPN L2TP/IPSec w Androidzie podatny na ataki MITM

W zeszłym odcinku opisywałem jak walczyłem z uruchomieniem VPNu między moim nowym smartfonikiem, a Linuksem. Na końcu wspomniałem, że telefonowi w tej kwestii nie ufam. Tu opiszę czemu.

Zaznaczam, że problem jest potwierdzony tylko dla Androida 2.3.3 na Samsung Galaxy S+ (GINGERBREAD.XXKG3), bo tylko na tym przeprowadzałem swoje eksperymenty.

Gdy działa jak trzeba

Eksperyment 0.

Serwer skonfigurowany prawidłowo – po IKE przestawia się swoją nazwą ('vpn.example.org') i certyfikatem na tę samą nazwę, połączenia na port 1701 (L2TP) umożliwione tylko prze IPSec. Telefon skonfigurowany adekwatnie do konfiguracji serwera:

  • Nazwa sieci: SomeNet
  • Ustaw server VPN: vpn.example.org
  • Włącz hasło L2TP: wyłączone
  • Ustaw certyfikat użytkownika: certyfikat dla 'user@example.org', wystawiony przez to samo CA, co certyfikat serwera.
  • Ustaw certyfikat urzędu certyfikacji: certyfikat CA, które wystawiło certyfikat serwera i klienta
  • Domeny wyszukiwania: somenet

Na konsoli telefonu ping do 192.168.0.2 (w sieci za VPN). Pojawiają się odpowiedzi na pinga, gdy łączę telefonem się do tak skonfigurowanego VPN.

Ruch w sieci po stronie serwera wygląda tak:

# tcpdump -l -v -n -i eth1 port 500 or port 1701 or esp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:43:44.608568 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
12:43:44.663217 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 132)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))))
    (vid: len=20)
12:43:45.382608 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 208)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (ke: key len=128)
    (nonce: n len=16)
12:43:45.407626 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 336)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (ke: key len=128)
    (nonce: n len=16)
    (cr: len=124 type=x509sign)
12:43:55.705144 IP (tos 0x48, ttl 51, id 10624, offset 0, flags [+], proto UDP (17), length 1500)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1708/ip 1472)
12:43:57.256500 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.256644 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.256713 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.256778 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 164)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
12:43:57.415368 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 120)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid adbf66a8: phase 2/others I inf[E]: [encrypted hash]
12:43:58.464303 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 312)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid b9020aee: phase 2/others I oakley-quick[E]: [encrypted hash]
12:43:58.465297 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 176)
    10.20.30.40.500 > 188.33.176.187.500: isakmp 1.0 msgid b9020aee: phase 2/others R oakley-quick[E]: [encrypted hash]
12:43:58.517546 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 96)
    188.33.176.187.500 > 10.20.30.40.500: isakmp 1.0 msgid b9020aee: phase 2/others I oakley-quick[E]: [encrypted hash]
12:43:59.934124 IP (tos 0x48, ttl 51, id 15669, offset 0, flags [DF], proto ESP (50), length 128)
    188.33.176.187 > 10.20.30.40: ESP(spi=0x02b101a6,seq=0x1), length 108
12:44:00.195342 IP (tos 0x0, ttl 64, id 42855, offset 0, flags [DF], proto ESP (50), length 192)
    10.20.30.40 > 188.33.176.187: ESP(spi=0x0a176818,seq=0x1), length 172
12:44:00.237465 IP (tos 0x48, ttl 51, id 15670, offset 0, flags [DF], proto ESP (50), length 80)
    188.33.176.187 > 10.20.30.40: ESP(spi=0x02b101a6,seq=0x2), length 60
12:44:00.807696 IP (tos 0x0, ttl 64, id 42856, offset 0, flags [DF], proto ESP (50), length 72)
    10.20.30.40 > 188.33.176.187: ESP(spi=0x0a176818,seq=0x2), length 52
12:44:00.857370 IP (tos 0x48, ttl 51, id 15671, offset 0, flags [DF], proto ESP (50), length 96)
[...]

Widać połączenie z portem IKE w celu uwierzytelnienia i uzgodnienia kluczy szyfrujących, reszta połączenia jest szyfrowana, aż do rozłączenia VPN. Czyli wszystko działa jak powinno, a transmisję można uznać za bezpieczną…

Android nie sprawdza zawartości certyfikatu serwera

Eksperyment 1.

Serwer skonfigurowany jak wyżej. W telefonie zmieniam tylko nazwę serwera z 'vpn.example.org' na 'badvpn.example.net'. To jest inna nazwa tej samej maszyny, ten sam adres IP.

Oczekiwany efekt: telefon się nie połączy, bo żądam połączenia z 'badvpn.example.net', a zgłasza sie 'vpn.example.org', ewentualnie powinno się pojawić ostrzeżenie i pytanie czy kontynuować.

Faktyczny efekt: telefon łączy się jak gdyby nigdy nic.

Wniosek: Android nie sprawdza nazw w certyfikacie przedstawionym przez serwer VPN. Ktoś mając certyfikat z tego samego CA, który wystawił certyfikat mojemu serwerowi, ale na inną nazwę, może się podszyć pod mój serwer. Więc nie mam pewności, że się łączę tam gdzie chcę.

Obejście problemu: zamiast korzystać zaufanego urzędu certyfikacji, z którego każdy może dostać
certyfikat, mogę utworzyć własne CA, które wystawi certyfikat tylko mojemu serwerowi (co trochę mija się z ideą infrastruktury klucza publicznego opartej o zaufane urzędy certyfikacji). Oczywiście, gdy to ja zarządzam serwerem, a użytkownik telefonu zwykle tylko korzysta z VPNa zarządzanego przez kogoś innego.

Eksperyment 2.

Telefon skonfigurowany jak w eksperymencie 0, ale serwerowi podmieniłem certyfikat na certyfikat klienta (a więc nie tylko nazwa się nie zgadza, ale i 'extended key usage' podejrzane). Efekt jak powyżej, telefon się łączy, jakby wszystko było ok.,

Eksperyment 3.

Czy Android w ogóle sprawdza certyfikat? Próba z certyfikatem self-signed na serwerze, klient skonfigurowany tak jak w eksperymencie 0. Połączenie nie powinno się udać, bo certyfikat nie jest wystawiony przez CA podane w konfiguracji telefonu.

Niby efekt oczekiwany, telefon poddaje się z komunikatem „Nie można nawiązać połączenia”, ale jak spojrzeć na wysyłane przez telefon pakiety to robi się ciekawie:

13:20:51.287718 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:20:51.288533 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 132)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))))
    (vid: len=20)
13:20:52.125328 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 208)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident:
    (ke: key len=128)
    (nonce: n len=16)
13:20:52.147937 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 336)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident:
    (ke: key len=128)
    (nonce: n len=16)
    (cr: len=124 type=x509sign)
13:21:02.502646 IP (tos 0x48, ttl 51, id 50848, offset 0, flags [+], proto UDP (17), length 1500)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1708/ip 1472)
13:21:05.307743 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 576)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
13:21:05.307894 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted #132]
13:21:05.393772 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 104)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid ca46c9c0: phase 2/others I inf[E]: [encrypted hash]
13:21:12.456929 IP (tos 0x48, ttl 51, id 50849, offset 0, flags [+], proto UDP (17), length 1500)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1708/ip 1472)
13:21:12.457346 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 856)
    10.20.30.40.500 > 31.174.234.6.500: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted id]
13:21:12.567417 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 104)
    31.174.234.6.500 > 10.20.30.40.500: isakmp 1.0 msgid 83b1e02d: phase 2/others I inf[E]: [encrypted hash]
13:21:22.627610 IP (tos 0x48, ttl 51, id 41737, offset 0, flags [DF], proto UDP (17), length 97)
    31.174.234.6.57180 > 10.20.30.40.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(43840) *RECV_WIN_SIZE(1)
13:21:24.630141 IP (tos 0x48, ttl 51, id 41738, offset 0, flags [DF], proto UDP (17), length 97)
    31.174.234.6.57180 > 10.20.30.40.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(43840) *RECV_WIN_SIZE(1)

Po nieudanym uwierzytelnianiu przez IKE telefon dalej kontynuuje z L2TP… plain tekstem… Połączenie się nie udaje, bo serwerowi, w przeciwieństwie do telefonu, nie jest wszystko jedno czy połączenie L2TP jest szyfrowane, czy nie (ignoruje nieszyfrowane połączenia na port 1701).

Tak dochodzimy do problemu drugiego…

Gdy IPSec nie zadziała, Android łączy się bez szyfrowania

Eksperyment 4.

Na serwerze wyłączam Racoona (demona umożliwiającego „zestawianie połączeń” IPSec), z firewalla usuwam
regułkę uniemożliwiającą nieszyfrowane połączenia L2TP i wyłączam plugin 'ipsec' w openl2tp. Telefon skonfigurowany jak w eksperymencie 0 (wciąż 'L2TP/IPsec' z podanymi certyfikatami).

Oczekiwany efekt: telefon się nie połączy z powodu niemożliwości połączenia IPSec

Rzeczywisty efekt: telefon się łączy, bez szyfrowania, lecz po chwili się rozłącza. Przez tę chwilę połączenie jest w pełni funkcjonalne, co potwierdzają przechodzące przez nie „pingi”.

# tcpdump -l -s0 -v -v -n -i eth1 port 500 or port 1701 or esp 
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:41:23.517220 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:33.671001 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:43.693458 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:53.677525 IP (tos 0x48, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    31.175.7.251.500 > 10.20.30.40.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b058afdd0f5cf6be->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=rsa sig)(type=hash value=md5)(type=group desc value=modp1024))))
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=20)
13:41:55.151280 IP (tos 0x48, ttl 51, id 33891, offset 0, flags [DF], proto UDP (17), length 97)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(62390) *RECV_WIN_SIZE(1)
13:41:55.151975 IP (tos 0x0, ttl 64, id 36766, offset 0, flags [DF], proto UDP (17), length 162)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) FIRM_VER(264) *HOST_NAME(vpn) VENDOR_NAME(Katalix Systems Ltd. Linux-2.6.37.6-2 (i686)) *ASSND_TUN_ID(62648) *RECV_WIN_SIZE(10)
13:41:55.430864 IP (tos 0x48, ttl 51, id 33892, offset 0, flags [DF], proto UDP (17), length 48)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
13:41:55.652497 IP (tos 0x0, ttl 64, id 36767, offset 0, flags [DF], proto UDP (17), length 40)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/0)Ns=1,Nr=2 ZLB
13:41:55.939596 IP (tos 0x48, ttl 51, id 33893, offset 0, flags [DF], proto UDP (17), length 66)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(24993) *CALL_SER_NUM(2539501115)
13:41:55.939936 IP (tos 0x0, ttl 64, id 36768, offset 0, flags [DF], proto UDP (17), length 56)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/24993)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(30984)
13:41:56.256430 IP (tos 0x48, ttl 51, id 33894, offset 0, flags [DF], proto UDP (17), length 68)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/30984)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(100000000) *FRAMING_TYPE(AS)
13:41:56.270628 IP (tos 0x0, ttl 64, id 15078, offset 0, flags [none], proto UDP (17), length 58)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Conf-Request (0x01), id 1, length 22
    encoded length 20 (=Option(s) length 16)
    0x0000:  c021 0101 0014
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 4: PAP
        0x0000:  c023
      Magic-Num Option (0x05), length 6: 0xfd374547
        0x0000:  fd37 4547}
13:41:56.652406 IP (tos 0x0, ttl 64, id 36769, offset 0, flags [DF], proto UDP (17), length 40)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/0)Ns=2,Nr=4 ZLB
13:41:57.228134 IP (tos 0x48, ttl 51, id 33895, offset 0, flags [DF], proto UDP (17), length 62)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Conf-Request (0x01), id 1, length 26
    encoded length 24 (=Option(s) length 20)
    0x0000:  c021 0101 0018
      MRU Option (0x01), length 4: 1400
        0x0000:  0578
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Magic-Num Option (0x05), length 6: 0x463dc4fb
        0x0000:  463d c4fb
      PFC Option (0x07), length 2: 
      ACFC Option (0x08), length 2: }
13:41:57.228434 IP (tos 0x0, ttl 64, id 15079, offset 0, flags [none], proto UDP (17), length 62)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Conf-Ack (0x02), id 1, length 26
    encoded length 24 (=Option(s) length 20)
    0x0000:  c021 0201 0018
      MRU Option (0x01), length 4: 1400
        0x0000:  0578
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Magic-Num Option (0x05), length 6: 0x463dc4fb
        0x0000:  463d c4fb
      PFC Option (0x07), length 2: 
      ACFC Option (0x08), length 2: }
13:41:59.273354 IP (tos 0x0, ttl 64, id 15080, offset 0, flags [none], proto UDP (17), length 58)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Conf-Request (0x01), id 1, length 22
    encoded length 20 (=Option(s) length 16)
    0x0000:  c021 0101 0014
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 4: PAP
        0x0000:  c023
      Magic-Num Option (0x05), length 6: 0xfd374547
        0x0000:  fd37 4547}
13:41:59.562111 IP (tos 0x48, ttl 51, id 33896, offset 0, flags [DF], proto UDP (17), length 58)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Conf-Ack (0x02), id 1, length 22
    encoded length 20 (=Option(s) length 16)
    0x0000:  c021 0201 0014
      ACCM Option (0x02), length 6: 0x00000000
        0x0000:  0000 0000
      Auth-Prot Option (0x03), length 4: PAP
        0x0000:  c023
      Magic-Num Option (0x05), length 6: 0xfd374547
        0x0000:  fd37 4547}
13:41:59.562491 IP (tos 0x0, ttl 64, id 15081, offset 0, flags [none], proto UDP (17), length 46)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Echo-Request (0x09), id 0, length 10
    encoded length 8 (=Option(s) length 4)
    0x0000:  c021 0900 0008
      Magic-Num 0xfd374547}
13:41:59.562628 IP (tos 0x0, ttl 64, id 36770, offset 0, flags [DF], proto UDP (17), length 64)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/24993)Ns=2,Nr=4 *MSGTYPE(SLI) *ACCM(send=00000000 recv=00000000 )
13:41:59.625466 IP (tos 0x48, ttl 51, id 33897, offset 0, flags [DF], proto UDP (17), length 56)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {PAP, Auth-Req (0x01), id 1, Peer username, Name password}
13:41:59.625794 IP (tos 0x0, ttl 64, id 15082, offset 0, flags [none], proto UDP (17), length 51)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {PAP, Auth-ACK (0x02), id 1, Msg Login ok}
13:41:59.629723 IP (tos 0x0, ttl 64, id 15083, offset 0, flags [none], proto UDP (17), length 48)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Request (0x01), id 1, length 12
    encoded length 10 (=Option(s) length 6)
    0x0000:  8021 0101 000a
      IP-Addr Option (0x03), length 6: 192.168.0.1
        0x0000:  0afd 00fe}
13:42:00.035296 IP (tos 0x48, ttl 51, id 33898, offset 0, flags [DF], proto UDP (17), length 46)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Echo-Reply (0x0a), id 0, length 10
    encoded length 8 (=Option(s) length 4)
    0x0000:  c021 0a00 0008
      Magic-Num 0x463dc4fb}
13:42:00.093597 IP (tos 0x48, ttl 51, id 33899, offset 0, flags [DF], proto UDP (17), length 40)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=4,Nr=3 ZLB
13:42:00.156271 IP (tos 0x48, ttl 51, id 33900, offset 0, flags [DF], proto UDP (17), length 45)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 9
    encoded length 7 (=Option(s) length 3)
    0x0000:  80fd 0101 0007
      BSD-Comp Option (0x15), length 3:
        0x0000:  2f}
13:42:00.156540 IP (tos 0x0, ttl 64, id 15084, offset 0, flags [none], proto UDP (17), length 42)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 1, length 6}
13:42:00.156580 IP (tos 0x0, ttl 64, id 15085, offset 0, flags [none], proto UDP (17), length 45)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {unknown ctrl-proto (0x80fd), Conf-Reject (0x04), id 1, length 9
    encoded length 7 (=Option(s) length 3)
    0x0000:  80fd 0401 0007
      BSD-Comp Option (0x15), length 3:
        0x0000:  2f}
13:42:00.315382 IP (tos 0x48, ttl 51, id 33901, offset 0, flags [DF], proto UDP (17), length 66)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Request (0x01), id 1, length 30
    encoded length 28 (=Option(s) length 24)
    0x0000:  8021 0101 001c
      IP-Comp Option (0x02), length 6: VJ-Comp (0x2d):
        0x0000:  002d 0f01
      IP-Addr Option (0x03), length 6: 0.0.0.0
        0x0000:  0000 0000
      Pri-DNS Option (0x81), length 6: 0.0.0.0
        0x0000:  0000 0000
      Sec-DNS Option (0x83), length 6: 0.0.0.0
        0x0000:  0000 0000}
13:42:00.315702 IP (tos 0x0, ttl 64, id 15086, offset 0, flags [none], proto UDP (17), length 48)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Reject (0x04), id 1, length 12
    encoded length 10 (=Option(s) length 6)
    0x0000:  8021 0401 000a
      IP-Comp Option (0x02), length 6: VJ-Comp (0x2d):
        0x0000:  002d 0f01}
13:42:00.433811 IP (tos 0x48, ttl 51, id 33902, offset 0, flags [DF], proto UDP (17), length 48)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Ack (0x02), id 1, length 12
    encoded length 10 (=Option(s) length 6)
    0x0000:  8021 0201 000a
      IP-Addr Option (0x03), length 6: 192.168.0.1
        0x0000:  0afd 00fe}
13:42:00.721457 IP (tos 0x48, ttl 51, id 33903, offset 0, flags [DF], proto UDP (17), length 42)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {unknown ctrl-proto (0x80fd), Conf-Ack (0x02), id 1, length 6}
13:42:00.822080 IP (tos 0x48, ttl 51, id 33904, offset 0, flags [DF], proto UDP (17), length 42)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {unknown ctrl-proto (0x80fd), Conf-Request (0x01), id 2, length 6}
13:42:00.822317 IP (tos 0x0, ttl 64, id 15087, offset 0, flags [none], proto UDP (17), length 42)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {unknown ctrl-proto (0x80fd), Conf-Ack (0x02), id 2, length 6}
13:42:00.988689 IP (tos 0x48, ttl 51, id 33905, offset 0, flags [DF], proto UDP (17), length 60)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Request (0x01), id 2, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0102 0016
      IP-Addr Option (0x03), length 6: 0.0.0.0
        0x0000:  0000 0000
      Pri-DNS Option (0x81), length 6: 0.0.0.0
        0x0000:  0000 0000
      Sec-DNS Option (0x83), length 6: 0.0.0.0
        0x0000:  0000 0000}
13:42:00.988990 IP (tos 0x0, ttl 64, id 15088, offset 0, flags [none], proto UDP (17), length 60)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Nack (0x03), id 2, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0302 0016
      IP-Addr Option (0x03), length 6: 192.168.1.1
        0x0000:  0afb 000a
      Pri-DNS Option (0x81), length 6: 192.168.0.1
        0x0000:  0afd 00fe
      Sec-DNS Option (0x83), length 6: 192.168.0.3
        0x0000:  0afb 00fe}
13:42:01.460383 IP (tos 0x48, ttl 51, id 33906, offset 0, flags [DF], proto UDP (17), length 60)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IPCP, Conf-Request (0x01), id 3, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0103 0016
      IP-Addr Option (0x03), length 6: 192.168.1.1
        0x0000:  0afb 000a
      Pri-DNS Option (0x81), length 6: 192.168.0.1
        0x0000:  0afd 00fe
      Sec-DNS Option (0x83), length 6: 192.168.0.3
        0x0000:  0afb 00fe}
13:42:01.460687 IP (tos 0x0, ttl 64, id 15089, offset 0, flags [none], proto UDP (17), length 60)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IPCP, Conf-Ack (0x02), id 3, length 24
    encoded length 22 (=Option(s) length 18)
    0x0000:  8021 0203 0016
      IP-Addr Option (0x03), length 6: 192.168.1.1
        0x0000:  0afb 000a
      Pri-DNS Option (0x81), length 6: 192.168.0.1
        0x0000:  0afd 00fe
      Sec-DNS Option (0x83), length 6: 192.168.0.3
        0x0000:  0afb 00fe}
13:42:02.157390 IP (tos 0x48, ttl 51, id 33907, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3720, length 64}
13:42:02.158470 IP (tos 0x0, ttl 64, id 15090, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49734, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3720, length 64}
13:42:02.851139 IP (tos 0x48, ttl 51, id 33908, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 82, length 64}
13:42:02.851307 IP (tos 0x0, ttl 64, id 15091, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18867, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 82, length 64}
13:42:03.184976 IP (tos 0x48, ttl 51, id 33909, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3721, length 64}
13:42:03.185852 IP (tos 0x0, ttl 64, id 15092, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49735, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3721, length 64}
13:42:03.820573 IP (tos 0x48, ttl 51, id 33910, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 83, length 64}
13:42:03.820664 IP (tos 0x0, ttl 64, id 15093, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18868, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 83, length 64}
13:42:04.176450 IP (tos 0x48, ttl 51, id 33911, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3722, length 64}
13:42:04.177522 IP (tos 0x0, ttl 64, id 15094, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49736, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3722, length 64}
13:42:04.848115 IP (tos 0x48, ttl 51, id 33912, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 84, length 64}
13:42:04.848241 IP (tos 0x0, ttl 64, id 15095, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18869, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 84, length 64}
13:42:05.179624 IP (tos 0x48, ttl 51, id 33913, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3723, length 64}
13:42:05.186429 IP (tos 0x0, ttl 64, id 15096, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49737, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3723, length 64}
13:42:05.840298 IP (tos 0x48, ttl 51, id 33914, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 85, length 64}
13:42:05.840420 IP (tos 0x0, ttl 64, id 15097, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18870, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 85, length 64}
13:42:06.158010 IP (tos 0x48, ttl 51, id 33915, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3724, length 64}
13:42:06.159102 IP (tos 0x0, ttl 64, id 15098, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49738, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3724, length 64}
13:42:06.818195 IP (tos 0x48, ttl 51, id 33916, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 86, length 64}
13:42:06.818324 IP (tos 0x0, ttl 64, id 15099, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18871, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 86, length 64}
13:42:07.124790 IP (tos 0x48, ttl 51, id 33917, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3725, length 64}
13:42:07.125777 IP (tos 0x0, ttl 64, id 15100, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49739, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3725, length 64}
13:42:07.816515 IP (tos 0x48, ttl 51, id 33918, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 87, length 64}
13:42:07.816624 IP (tos 0x0, ttl 64, id 15101, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18872, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 87, length 64}
13:42:08.128595 IP (tos 0x48, ttl 51, id 33919, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3726, length 64}
13:42:08.129682 IP (tos 0x0, ttl 64, id 15102, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49740, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3726, length 64}
13:42:08.874084 IP (tos 0x48, ttl 51, id 33920, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 88, length 64}
13:42:08.874267 IP (tos 0x0, ttl 64, id 15103, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18873, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 88, length 64}
13:42:09.203690 IP (tos 0x48, ttl 51, id 33921, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3727, length 64}
13:42:09.204799 IP (tos 0x0, ttl 64, id 15104, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49741, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3727, length 64}
13:42:09.939166 IP (tos 0x48, ttl 51, id 33922, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 89, length 64}
13:42:09.939270 IP (tos 0x0, ttl 64, id 15105, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18874, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 89, length 64}
13:42:10.247071 IP (tos 0x48, ttl 51, id 33923, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3728, length 64}
13:42:10.248183 IP (tos 0x0, ttl 64, id 15106, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49742, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3728, length 64}
13:42:10.871466 IP (tos 0x48, ttl 51, id 33924, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 90, length 64}
13:42:10.871557 IP (tos 0x0, ttl 64, id 15107, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18875, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 90, length 64}
13:42:11.212565 IP (tos 0x48, ttl 51, id 33925, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3729, length 64}
13:42:11.213609 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49743, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3729, length 64}
13:42:11.853452 IP (tos 0x48, ttl 51, id 33926, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.1: ICMP echo request, id 871, seq 91, length 64}
13:42:11.853581 IP (tos 0x0, ttl 64, id 15109, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 64, id 18876, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > 192.168.1.1: ICMP echo reply, id 871, seq 91, length 64}
13:42:12.247625 IP (tos 0x48, ttl 51, id 33927, offset 0, flags [DF], proto UDP (17), length 122)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.0.2: ICMP echo request, id 22606, seq 3730, length 64}
13:42:12.248997 IP (tos 0x0, ttl 64, id 15110, offset 0, flags [none], proto UDP (17), length 122)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {IP (tos 0x0, ttl 63, id 49744, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.2 > 192.168.1.1: ICMP echo reply, id 22606, seq 3730, length 64}
13:42:12.423101 IP (tos 0x48, ttl 51, id 33928, offset 0, flags [DF], proto UDP (17), length 54)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[](62648/30984) {LCP, Term-Request (0x05), id 2, length 18
    encoded length 16 (=Option(s) length 12)
    0x0000:  c021 0502 0010}
13:42:12.433080 IP (tos 0x0, ttl 64, id 15111, offset 0, flags [none], proto UDP (17), length 42)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[](62390/24993) {LCP, Term-Ack (0x06), id 2, length 6}
13:42:13.214877 IP (tos 0x48, ttl 51, id 33929, offset 0, flags [DF], proto UDP (17), length 64)
    31.175.7.251.55137 > 10.20.30.40.1701: [udp sum ok]  l2tp:[TLS](62648/0)Ns=4,Nr=3 *MSGTYPE(StopCCN) *ASSND_TUN_ID(62390) *RESULT_CODE(6)
13:42:13.215212 IP (tos 0x0, ttl 64, id 36771, offset 0, flags [DF], proto UDP (17), length 64)
    10.20.30.40.1701 > 31.175.7.251.55137: [udp sum ok]  l2tp:[TLS](62390/24993)Ns=3,Nr=5 *MSGTYPE(CDN) *RESULT_CODE(3) *ASSND_SESS_ID(30984)

Nie wiem co bezpośrednio powoduje zerwanie połączenia, może gdybym wiedział, byłbym w stanie zapobiec rozłączeniu. Ale nawet ta chwila nieszyfrowanego połączenia do niezaufanego serwera może być wystarczająca. Wystarczy się przyjrzeć powyższemu logowi, żeby zobaczyć coś ciekawego:

{PAP, Auth-Req (0x01), id 1, Peer username, Name password}

Tak, to jest nazwa użytkownika i hasło, plain tekstem. W przypadku L2TP/IPSec uwierzytelnionych certyfikatami to hasło jest właściwie zbędne (ale Android nie pozwoli się połączyć bez jego podania), lecz niektóre serwery VPN mogą go oczekiwać, dla dodatkowej identyfikacji użytkownika. To hasło może mieć także inne zastosowania w docelowej sieci, a jak widać łatwo jest zdobyć. Mogło by być ukryte np. przez użycie uwierzytelniania CHAP zamiast PAP, ale czemu miałoby być, skoro połączenie idzie przez IPSec? ;)

Wnioski

Łącząc się telefonem z Androidem (przynajmniej takim jak mój) do VPNa opartego na L2TP i IPSec nie mamy pewności ani, że łączymy się z właściwym serwerem (chyba, że wiemy, że „urząd certyfikacji” podany w telefonie wydał certyfikat tylko dla tego jednego serwera), ani nawet, czy nasze połączenie jest szyfrowane (przynajmniej przez pierwsze 10s).

Ktoś kto w jakiś sposób mógłby się wpiąć między nasz telefon a docelowy serwer:

  • Jeśli ma certyfikat (na dowolną nazwę) ze ustawionego urzędu certyfikacji, to może przejąć całe nasze połączenie.
  • Jeśli nie ma takiego certyfikatu, może poznać nasze hasło podane przy połączeniu, a także, przez co najmniej 10 sekund, nasze połączenie.

Sprawę pewnie pogarsza fakt, że Android, po połączeniu z VPN, routuje tam cały ruch do Internetu…

P.S.: Tydzień temu zgłosiłem sprawę na security@android.com. Nie dostałem odpowiedzi, poza automatyczną „jeśli nie zgłaszasz problemu z bezpieczeństwem, nie dostaniesz odpowiedzi”. Zakładam więc, że oni nie uważają tego za problem z bezpieczeństwem.

P.S. 2: Tekst lekko zanonymizowałem: 'vpn.example.org' (10.20.30.40) – serwer VPN, 'badvpn.example.net' – alternatywna nazwa, 192.168.0.1 – IP serwera VPN w sieci lokalnej, 192.168.0.2 adres testowej maszyny w sieci lokalnej (do pingowania), 192.168.1.1 – adres telefonu w VPN (z dostępem do sieci lokalnej)

15 komentarzy do wpisu „VPN L2TP/IPSec w Androidzie podatny na ataki MITM”