I'm trying to configure Debian squeeze as an L2TP/IPSec VPN for Android devices, but with no great success.
So far I have done the following:
Successfully configured Debian with the openswan implementation of IPSec. I could connect from devices with Android 2.3 but not from devices with Android 4, due to a bug in Android 4 (mentioned here: http://code.google.com/p/android/issues/detail?id=23124)
After replacing openswan with racoon, I have come to the point where:
- I can connect from Android 4 with IPSec Xauth PSK (but only from my laptop with Android ICS and not from a real tablet with ICS. When connecting from the tablet, my server says that the user was authenticated and all seems to be OK, but the tablet says "connection unsuccessful"; but this is a cheap Chinese device with sausagemod, so maybe this is OK)
- I can connect using the Cisco VPN Client
- but I can't connect from any Android device using L2TP/IPSec PSK (I prefer this protocol, as it is probably the only choice supported on all Android clients, regardless of version)
My config is as follows:
racoon.conf:
# Pre-shared keys, one per peer identifier
path pre_shared_key "/etc/racoon/psk.txt";
log info;

# IKE listeners; isakmp_natt is the UDP 4500 socket used once NAT is detected
listen
{
    isakmp 172.31.251.122[500];
    isakmp_natt 172.31.251.122[4500];
}

timer
{
    natt_keepalive 10sec;
}

# Phase 1 settings applied to any peer
remote anonymous {
    exchange_mode aggressive;
    my_identifier fqdn "mydomain.com.pl";
    doi ipsec_doi;
    # build SPD entries from the peer's phase 2 proposal instead of static setkey policies
    generate_policy on;
    situation_identity_only;
    lifetime time 28800 sec;
    # responder only: never initiate to these peers
    passive on;
    initial_contact off;
    nat_traversal on;
    proposal_check obey;
    # plain PSK (L2TP/IPSec PSK clients)
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    # PSK plus Xauth (IPSec Xauth PSK clients, Cisco VPN Client)
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

# Address pool and attributes pushed to Xauth/mode-config clients
mode_cfg {
    auth_source system;
    network4 100.99.99.1;
    netmask4 255.255.255.0;
    pool_size 254;
    dns4 172.16.0.10;
    wins4 172.16.0.10;
    default_domain "mydomain.com.pl";
    split_network include 172.16.0.0/16;
    split_dns "mydomain.com.pl";
    save_passwd on;
    pfs_group 2;
}

# Phase 2 (IPsec SA) algorithms offered to any peer
sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
xl2tpd.conf:
[global]                                    ; Global parameters:
port = 1701                                 ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets           ; * Where our challenge secrets are
access control = no                         ; * Refuse connections without IP match
rand source = dev                           ; Source for entropy for random
#debug avp = yes
#debug network = yes
debug state = yes
debug tunnel = yes
[lns default]                               ; Our fallthrough LNS definition
exclusive = no                              ; * Only permit one tunnel per host
ip range = 100.99.99.1-100.99.99.254        ; addresses handed to PPP peers
local ip = 172.16.116.202                   ; PPP address of this (LAN-side) host
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tp
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/xl2tpd-options
One important note: my Debian box is behind NAT, so the address 172.16.116.202 is its LAN address and 172.31.251.122 is its "public" address.
Any clues or suggestions?
--- edit --- @SmalllClanger:
After turning on all debug options in xl2tpd.conf I receive the following log:
Apr 22 12:22:07 l2tp racoon: INFO: respond new phase 1 negotiation: private_ip_of_my_server[500]<=>public_ip_of_android_client[500]
Apr 22 12:22:07 l2tp racoon: INFO: begin Aggressive mode.
Apr 22 12:22:07 l2tp racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: RFC 3947
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: DPD
Apr 22 12:22:07 l2tp racoon: INFO: Selected NAT-T version: RFC 3947
Apr 22 12:22:07 l2tp racoon: INFO: Adding remote and local NAT-D payloads.
Apr 22 12:22:07 l2tp racoon: INFO: Hashing public_ip_of_android_client[500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: Hashing private_ip_of_my_server[500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: NAT-T: ports changed to: public_ip_of_android_client[4500]<->private_ip_of_my_server[4500]
Apr 22 12:22:07 l2tp racoon: INFO: Hashing private_ip_of_my_server[4500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #0 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: Hashing public_ip_of_android_client[4500] with algo #1
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #1 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: NAT detected: ME PEER
Apr 22 12:22:07 l2tp racoon: INFO: ISAKMP-SA established private_ip_of_my_server[4500]-public_ip_of_android_client[4500] spi:2ea51a231acb960b:e21a79f71e04b7e2
Apr 22 12:22:08 l2tp racoon: INFO: respond new phase 2 negotiation: private_ip_of_my_server[4500]<=>public_ip_of_android_client[4500]
Apr 22 12:22:08 l2tp racoon: INFO: no policy found, try to generate the policy : private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in
Apr 22 12:22:08 l2tp racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Apr 22 12:22:08 l2tp racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport public_ip_of_android_client[4500]->private_ip_of_my_server[4500] spi=35407234(0x21c4582)
Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport private_ip_of_my_server[4500]->public_ip_of_android_client[4500] spi=41649440(0x27b8520)
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_android_client/32[0] proto=udp dir=out"
I had already noticed the lines stating:
ERROR: such policy does not already exist: "private_ip_of_android_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_android_client/32[0] proto=udp dir=out"
which signal an obviously wrong SA policy (both server and client are behind NAT, and for now I have no possibility to change it on either side).
So I have made the appropriate modifications to the /etc/ipsec-tools.conf file as follows:
# require transport-mode ESP for L2TP (UDP 1701) leaving this host
spdadd public_ip_of_my_server[l2tp] 0.0.0.0/0 udp -P out ipsec
    esp/transport//require;
# and for L2TP arriving at this host
spdadd 0.0.0.0/0 public_ip_of_my_server[l2tp] udp -P in ipsec
    esp/transport//require;
but it didn't help.
P.S. There is also an additional small issue. My configuration requires that the client specify both a PSK user name and a PSK key, but the PSK user name (IPSec identifier) can be specified only on devices with Android 4. On devices with Android 2.x there is no such option. I have tried replacing this value with ***** in the racoon psk.txt file, but again with no success. How can I specify the PSK key without forcing clients to use IPSec identifiers?
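The racoon log in the edit above, read by a script. This is an added example and is not part of the original post, nor code from racoon, ipsec-tools or xl2tpd: a small Python triage tool that parses racoon INFO/ERROR lines of the shape shown above, reports how far the NAT-T handshake got (phase 1 mode, which sides racoon found behind NAT, the transport-mode IPsec SAs, the phase 2 selector racoon tried to turn into a policy, the "such policy does not already exist" errors) and prints transport-mode SPD entries for the L2TP port in setkey syntax. The sample log is constructed to mirror the posted one, with documentation addresses (198.51.100.7, 10.0.0.5, 203.0.113.9) standing in for the placeholders; 172.16.116.202 is the LAN address from the post. The one design choice worth stating: the kernel matches SPD entries against packet headers as it sees them, so on a server behind NAT the entries are generated for the LAN address, not for the public address that appears in the client's ID payload. Whether that alone resolves the poster's problem is not established on this page.

```python
"""Triage a racoon (ipsec-tools) log for an L2TP/IPsec NAT-T handshake.

Added example, not from the original post: parses racoon INFO/ERROR lines,
reports how far the negotiation got and emits transport-mode SPD entries
(setkey syntax) for the address the kernel actually sees on this host.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample modelled on the log in the post. Documentation addresses
# stand in for the placeholders: 198.51.100.7 = client's public (NATed) address,
# 10.0.0.5 = client's private address, 203.0.113.9 = server's public address,
# 172.16.116.202 = server's LAN address (from the post).
SAMPLE_LOG = """\
Apr 22 12:22:07 l2tp racoon: INFO: respond new phase 1 negotiation: 172.16.116.202[500]<=>198.51.100.7[500]
Apr 22 12:22:07 l2tp racoon: INFO: begin Aggressive mode.
Apr 22 12:22:07 l2tp racoon: INFO: Selected NAT-T version: RFC 3947
Apr 22 12:22:07 l2tp racoon: INFO: NAT-T: ports changed to: 198.51.100.7[4500]<->172.16.116.202[4500]
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #0 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #1 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: NAT detected: ME PEER
Apr 22 12:22:07 l2tp racoon: INFO: ISAKMP-SA established 172.16.116.202[4500]-198.51.100.7[4500] spi:2ea51a231acb960b:e21a79f71e04b7e2
Apr 22 12:22:08 l2tp racoon: INFO: respond new phase 2 negotiation: 172.16.116.202[4500]<=>198.51.100.7[4500]
Apr 22 12:22:08 l2tp racoon: INFO: no policy found, try to generate the policy : 10.0.0.5/32[0] 203.0.113.9/32[1701] proto=udp dir=in
Apr 22 12:22:08 l2tp racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport 198.51.100.7[4500]->172.16.116.202[4500] spi=35407234(0x21c4582)
Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport 172.16.116.202[4500]->198.51.100.7[4500] spi=41649440(0x27b8520)
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "10.0.0.5/32[0] 203.0.113.9/32[1701] proto=udp dir=in"
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "203.0.113.9/32[1701] 10.0.0.5/32[0] proto=udp dir=out"
"""

_RE_PHASE1 = re.compile(r"begin (\w+) mode\.")
_RE_NAT = re.compile(r"NAT detected: (.+)$")
_RE_ISAKMP = re.compile(r"ISAKMP-SA established ")
_RE_POLICY = re.compile(
    r"try to generate the policy : (\S+)/\d+\[(\d+)\] (\S+)/\d+\[(\d+)\] proto=(\w+) dir=(\w+)")
_RE_SA = re.compile(r"IPsec-SA established: ESP/(\w+) (\S+)\[\d+\]->(\S+)\[\d+\] spi=(\d+)")
_RE_POLERR = re.compile(r'such policy does not already exist: "([^"]+)"')


@dataclass
class Handshake:
    phase1_mode: Optional[str] = None
    nat_sides: Set[str] = field(default_factory=set)       # subset of {"ME", "PEER"}
    isakmp_established: bool = False
    ipsec_sas: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (mode, src, dst, spi)
    # (client_addr, client_port, server_id_addr, server_port, proto) from the
    # inbound policy racoon generated; server_id_addr is the ID the client sent.
    policy_selector: Optional[Tuple[str, int, str, int, str]] = None
    policy_errors: List[str] = field(default_factory=list)


def parse_racoon_log(text: str) -> Handshake:
    """Extract the handshake milestones from racoon syslog lines."""
    h = Handshake()
    for line in text.splitlines():
        if (m := _RE_PHASE1.search(line)):
            h.phase1_mode = m.group(1)
        elif (m := _RE_NAT.search(line)):
            h.nat_sides = set(m.group(1).split())
        elif _RE_ISAKMP.search(line):
            h.isakmp_established = True
        elif (m := _RE_POLICY.search(line)):
            a, ap, b, bp, proto, direction = m.groups()
            if direction == "in":
                h.policy_selector = (a, int(ap), b, int(bp), proto)
        elif (m := _RE_SA.search(line)):
            mode, src, dst, spi = m.groups()
            h.ipsec_sas.append((mode, src, dst, int(spi)))
        elif (m := _RE_POLERR.search(line)):
            h.policy_errors.append(m.group(1))
    return h


def spd_entries(h: Handshake, local_addr: str) -> List[str]:
    """Transport-mode SPD entries (setkey syntax) for the L2TP port.

    The kernel matches the SPD against packet headers as delivered, so on a
    server behind NAT local_addr must be the LAN address, not the public one
    named in the client's ID payload.
    """
    if h.policy_selector is None:
        raise ValueError("no phase 2 selector found in log")
    _, _, _, port, proto = h.policy_selector
    return [
        f"spdadd {local_addr}[{port}] 0.0.0.0/0 {proto} -P out ipsec esp/transport//require;",
        f"spdadd 0.0.0.0/0 {local_addr}[{port}] {proto} -P in ipsec esp/transport//require;",
    ]


def summarize(h: Handshake, local_addr: str) -> List[str]:
    """Human-readable findings, one per line."""
    out = [f"phase 1: {h.phase1_mode or 'not started'} mode, "
           f"ISAKMP-SA {'up' if h.isakmp_established else 'down'}"]
    if h.nat_sides:
        out.append("NAT detected on: " + ", ".join(sorted(h.nat_sides))
                   + " (ESP is UDP-encapsulated on 4500)")
    out.append(f"phase 2: {len(h.ipsec_sas)} IPsec SA(s) "
               + ", ".join(f"{m} spi=0x{s:x}" for m, _, _, s in h.ipsec_sas))
    if h.policy_selector and h.policy_selector[2] != local_addr:
        out.append(f"selector names {h.policy_selector[2]} as the server but this host "
                   f"is {local_addr}: kernel SPD entries must use {local_addr}")
    if h.policy_errors:
        out.append(f"{len(h.policy_errors)} 'such policy does not already exist' error(s)")
    return out


if __name__ == "__main__":
    hs = parse_racoon_log(SAMPLE_LOG)
    print("\n".join(summarize(hs, "172.16.116.202")))
    print("\n".join(spd_entries(hs, "172.16.116.202")))
```

Run it against a real log with `parse_racoon_log(open("/var/log/daemon.log").read())` after replacing the placeholder addresses; the summary lines are the same ones a practitioner would check by hand before touching the SPD.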