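After upgrading my phone to Android 6, the L2TP VPN that had previously worked fine could no longer connect. Server-side log:
"vpnpsk"[119] 114.249.245.192 #240: no acceptable Proposal in IPsec SA
"vpnpsk"[119] 114.249.245.192 #240: sending encrypted notification NO_PROPOSAL_CHOSEN to 114.249.245.192:4500
It looks like the problem is in the encryption step. I found this explanation in the Libreswan bugzilla: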
Android 6.0 appears to be stubborn and only wants to use AES_256-HMAC_SHA2_256 (needing sha2-truncbug=yes) phase2alg=aes_gcm-null,aes256-sha1,aes256-sha2_256 and other variations including aes_gcm-null have no positive effect. The Android 5.1.1 version I am using (Cyanogenmod 12.1) happily runs with SHA1 both with sha2-truncbug=yes or no, so the configuration for now with these two Android versions are phase2alg=aes_gcm-null,aes256-sha1,aes256-sha2_256 sha2-truncbug=yes
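I tried modifying the /etc/ipsec.conf file on the server:
    # Modify the following two lines, appending "aes256-sha2_256" to the end of each to add SHA2 support
    ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    # Add one new line
    sha2-truncbug=yes
After saving the configuration file and restarting the IPsec service, the Android 6 phone connects normally again!
Server environment: Ubuntu 12.04 LTS + Libreswan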
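
An added example, not from the original post or from the Libreswan project: a small Python check that reads ipsec.conf-style text and reports every conn whose phase2alg omits aes256-sha2_256 or that lacks sha2-truncbug=yes, the two changes made above. The sample config is constructed; treating esp= as another spelling of phase2alg and inheriting values from conn %default are assumptions about how the server's file is written.

```python
REQUIRED_ALG = "aes256-sha2_256"  # the phase 2 proposal Android 6 insists on, per the quote above

# Constructed sample: the "before" state of the two lines this page edits.
SAMPLE_BEFORE = """\
conn vpnpsk
    ike=3des-sha1,aes-sha1,aes256-sha1
    phase2alg=3des-sha1,aes-sha1,aes256-sha1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            # An unindented line opens a section ("conn NAME", "config setup").
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def audit(text):
    """Return {conn_name: [problems]} for conns still missing the page's fix."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})      # assumption: %default is inherited
    findings = {}
    for name, opts in conns.items():
        merged = {**defaults, **opts}
        problems = []
        # An unset phase2alg means built-in defaults apply; those are not judged here.
        algs = merged.get("phase2alg", merged.get("esp"))
        if algs is not None and REQUIRED_ALG not in [a.strip().lower() for a in algs.split(",")]:
            problems.append("phase2alg lacks " + REQUIRED_ALG)
        if merged.get("sha2-truncbug", "no").lower() != "yes":
            problems.append("sha2-truncbug is not yes")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_BEFORE))
```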