IssueTracker

Note that the bug surfaced when I tried our app on android 5

I'm also seeing this problem with our library IOCipher (https://github.com/guardianproject/IOCipher).  It all builds and works fine, until I switch the test suite from targeting android-15 to android-21, then running the tests on a android-19 (4.4.4) ROM.  The NDK build uses r10d, and the IOCipher NDK build targeting android-7.

I found this workaround, which seems to work:

LOCAL_LDFLAGS += -fuse-ld=bfd

please reopen if you still see this with r12.

I've attached a sample setup-l2tp.sh file that can be used to setup a basic L2TP/IPSec PSK VPN for reproducing this bug.

0. Create a virtual machine somewhere for testing.
1. Edit IPSEC_PSK, VPN_USER, VPN_PASSWORD, PRIVATE_IP, PUBLIC_IP at the top of the file.
2. Run 'sudo ./setup-l2tp.sh'.
3. Verify that you can connect to your new L2TP/IPSec VPN from stock Android 5.x, Linux, MacOS, or ChromeOS, using the parameters you specified in step 1. Note that stock Windows will NOT work without registry setting modification to enable NAT traversal.
4. Now, connect to your new instance using a Nexus 6 running Android 6.0.1 and the connection will fail.

Hi,

Thanks for providing requested information, however a bug report from your end will help us to debug further. Below are the steps to generate and send bug report:

Android bug report
After reproducing the issue, press the volume up, volume down, and power buttons simultaneously. This will capture a bug report on your device in the “bug reports” directory. Attach this file to this issue.

Alternate method:
After reproducing the issue, navigate to developer settings, ensure ‘USB debugging’ is enabled, then enable ‘Bug report shortcut’. To take bug report, hold the power button and select the ‘Take bug report’ option.

Thanks...

Hi,

I have noticed the same issue after upgrading from 5.1.1 to 6.0.1 on both my Nexus 7 (flo) and Moto G2 (titan). (I am still able to access it with devices not updated to Marshmallow or not using Android.)
I am trying to connect to a VPN on a TL-ER604W through L2TP/IPsec with PSK.
Could you please increase the priority of this issue as it is vital (for me and I think a few more people as well) to access the company network from abroad I am currently living in to be able to work from a distance?

Thank you.

Hi vikingharcos,

Can you upload the bug report of the issue?

Thanks...

I'll provide a bug report in ~3 weeks when I return to the US. In the meantime I encourage others who have similar issues to provide their bug reports. Apologies for the delay.

As requested, attached is a bug report immediately following two failed connection attempts from a recently wiped Nexus 9 running 6.0.1 with no apps installed.  Confirmed still working on 5.1.

Hi,

Thank you very much for getting back to us with the requested information. We are working on this issue and will provide updates as they are available.

Thanks...

Hi,

Sorry for not including the bugreport before. Not knowing what does it include I didn't want to compromise the company VPN, so I rebooted the mobile and set up a connection to a public VPNGate server, which failed the same way as ours (after about half minute it says the connection is unsuccesful), the router logs say that there are about 10 repeated IKE key exchanges per connection attempt so the reason might be a mismatch in the IKE proposals and options since Lollipop. (The strange thing is that the same VPNGate connection works now repeatedly but not our company VPN...)
At the moment I have a recent daily of Cyanogenmod with a custom kernel installed, but it behaves the same with vanilla AOSP and other kernels too.

Thanks!

Here the same! My HTC One M8 can't connect to my VPN with L2TP/PSK after upgrading to 6.0.
My old HTC One M7 with 5.0.2 is still able to connect the same VPN Server.

I have issues as well, it is related to l2tp ipsec over nat, description in this thread: https://discussions.apple.com/thread/7002633?start=0&tstart=0

I'm having the same issue (Nexus 5 with 6.0.1 connecting to VPN router with L2TP PSK). I don't recall having this issue before upgrading to marshmallow.
The phone just shows connecting for a long time then times out with an unsuccessful message. My router doesn't show any VPN error in its log files at all - it shows some log activity when you first start a connection but then quickly stops and logs nothing, as though the device just stops communicating.

The same here, on a Draytek Router and a HTC M8.The connection wroked before the Update to Android 6.0.

Here the same! My HTC One M8 can't connect to my VPN with L2TP/PSK after upgrading to 6.0.

Am experiencing the same issue on 6.0.1 on a Nexus 5X.

I have been having the same issue as described here. Since updating the software version to 6.0 on our Moto X Play devices (5 in total), all 5 cannot connect to l2tp VPN connection, with no related issue prior. There have been no issues connecting to our VPN with other devices. This was tested on both our VPN servers - 100% fail rate with the update to 6.0, 100% success rate on other operating systems.

I have not found how to extract a debug log from my device yet, but I will send it over when possible.

Please note that I have checked the logs on one of the VPN servers and the error that seems to stand out is: "VPN Decryption Failed - Pad error.". This is for a SonicOS device, alert ID 1388. I have also noticed that the VPN sees the ISP NAT IP for the connection rather than the local IPs, so I'm thinking maybe this is a DHCP issue, going outside the tunnel.

Successful connection: (VPN Policy: WAN GroupVPN; 172.18.0.0 / 255.255.255.0 -> 172.18.31.7)
Failed connection: (VPN Policy: WAN GroupVPN; [Public VPN Server IP] -> [Carrier-grade Nat Rfc6598 IP]).

I do have a log file near, but will not post it for security reasons. I could supply this file directly and after cleaning up the sensitive information if believed to help in resolving this.

I too have a stock NEXUS 5 and NEXUS 7 running 6.0.1 and security patched to February 2016. It too fails an L2TP/IPSEC connection that did once work. According to openBSD (5.8), the "general error" is: message_negotiate_sa: no compatible proposal found.

Regardless of my server side proposal, the android responds with something completely different.  Ask PSK, you offer RSA. Ask RSA, you offer CA/X509. It's like a table is skewed.  This is true for enc and ah and keyex params.  

Help.

same issue here... Nexus 6P on 6.0.1

I'm having the same problem (Samsung S3 i9300 with Android 6.0.1 connecting to VPN router with L2TP PSK). I've attached a ADB log file. I hope this helps!

Can the priority on this get upgraded please?  This bug makes it impossible for our staff to use their devices for work.

Yeah, please upgrade the priority.  All my android devices are nexus and have this problem so I'm having to use workarounds to do remote work.

+1 from me, I would assume such a critical system feature being broken would have started with a higher priority. It's obvious that it's a used feature.

 
Juste dead block for me

Same problem on my Nexus 6p with 6.0.1 Works fine on Samsung s5 with android 5.0

Driving me crazy. I can't do any work now on my Nexus7 if I'm not in the office.  How can inability to use a secure connection be regarded as a 'small' priority?  Please can the priority of this be increased, and can someone post back when a fix is likely?  Many thanks

I am in total agreement on the fact that this issue should have a higher priority. It is inexcusable that I cannot use my work device for work anymore.

Thanks for updating with your inputs. I increased the priority for this issue and will update you as soon as possible...

I came across this bug just today; we rarely use Android as a VPN client.

I'm reasonably certain this bug is a duplicate of:
https://code.google.com/p/android/issues/detail?id=194269

Android is requesting a SHA2 HMAC, but it is using a DRAFT version that is incompatible with the final RFC.

Operators who have libreswan on the server side can enable "sha2-truncbug=yes" but doing so will break all other clients that support the proper SHA2 HMAC.

I'm confused as to why this would be an issue, as Libreswan's documentation indicates that it affects very old platforms, such as "Linux before 2.6.33", unless the Android developers specifically enabled the DRAFT behavior.

Issue is also present on the Samsung Galaxy S7, which uses Android 6.0.1.

Just got the March security update - full of hope that Google development see security as important and this to be fixed but still no joy.  Thanks heavens for Apple - at least they take security seriously. Just curious why the press haven't picked up on this yet.  Does anyone know if 3rd party VPN clients get around this - the one I looked at just seemed to use the underlying Android code and still failed.

The VPN issue here has nothing to do with the security update via google lol..
It's NordVPN that is having the issue being able to utilize Marshmallow properly..

3rd party VPN's work great with android...

@#33
I'm not sure what NordVPN uses but my own openswan/xl2tpd-based VPN works with Linux, MacOS, ChromeOS, Android 5.x, and Windows with registry modification to enable NAT traversal. It fails on Android 6.x. My setup can be reproduced by using the setup-l2tp.sh script I posted above, on a Ubuntu server (an EC2 instance running Ubuntu will do).

In your ipsec.conf file you should add three additions,

add ,aes256-sha2_256 to both ike= and phase2alg=

Then add a newline with sha2-truncbug=yes

reload ipsec

You should now be able to connect to your VPN. I've tested it on my Nexus 5x now, and works like a charm!

NordVPN is a VPN service provider - I am not wanting to use a service provider, I am wanting to connect to my OWN business in-house VPN service using the standard Android VPN stack.  I appreciate matsjoha's suggestions above, but not sure how I go about changing the IPsec config file on a Nexus Tablet. VPN worked in v5, and it's broken in V.6, so I don't think this is an issue elsewhere, but if someone can tell me how to change the IPsec.conf file (without rooting the device), then I am up for it.  

The IPsec config file is on the VPN-server, not the client.

want to throw this Mobile to bin ...wht on earth marshmelwo came with with this shit ...

when is this going to be fixed??? i still have this issue !

Same Problem on S7 Edge with 6.0.1

Advise:
Some guy developed that with 2G Network in setup it works on his S7E, on mine not.

Link to this in german:
https://telekomhilft.telekom.de/t5/Handys-Datengeraete/Android-6-0-1-Galaxy-S7-Bug-kein-vpn-ueber-Wlan-wegen-rmnet0/m-p/1787306#M95110

I use ExpressVPN and it was working perfectly fine before i updated my Samsung Note 5 to Android 6 (Marshmallow). I'm in China and nothing works without VPN. I don't understand when google will fix this issue!

My unit is Nexus 7 with Android 6.01, using for casting with Chromecast to my TV. I cast from Nexus to the TV with normally no problems. But when I use VPN L2TP/IPSec, a paid service,  and connect to SVT PLay in Sweden, I get the signal to my Nexus and can view the programs, even geo-limited, on the Nexus itself. But when I cast, it "hangs", the casting icon just blinks without sending the "content" from Nexus to the TV. On my laptop with Windows 10, everything works. When will this issue be done? I don´t know how to get out a bug report from my Nexus. If you instruct me I can send the latest one to you. My mail adress is aow.soderlund@gmail.com.  Kind regards from Arne Söderlund/Portimao/Portugal.  

I am experiencing this myself on my Nexus 6 and Nexus 7 that both have Android 6.0.1 as well as my daughter's Cyanogenmod tablet that has the equivalent of Android 6.0 on it.

My l2tp/IPsec server is my private router running OpenBSD 5.8 using isakmpd/npppd.

It was working some time prior to November of last year (don't use this VPN feature frequently).  And now it only works on my son's not yet upgraded tablet that still runs Android 5.0.x, Chromebook fully updated, work iPhone running latest iOS 9.3 as well as Windows 10 computer.  But I originally setup my VPN access to home for my phone and tablet to use securely while on work WiFi or on any other WiFi I do not trust.

I noticed that any combination of authentication MAC makes almost no difference, as does the encryption algorithm so long as you specify Diffie Hellman group size of 1024 (while all other clients including Chromebook support 2048).

What's even more perplexing is that the Chromebook will only work despite the DH group size of 2048 only with hmac-md5 rather than any of the sha's.

When I pick a workable set of proposals for my Nexus 6 or Nexus 7, I get no IPsec errors in the log and my OpenBSD server logs a valid IPsec SA established and I can see the flows, no traffic appears on enc0 and npppd never see's a connection attempt.  However a tcpdump on the external interface shows the Nexus device sending some kind of encrypted traffic that apparently the OpenBSD box considers invalid and silently drops.  It's not caused by overzealous firewalling as nothing related shows up in pflog0 when I tcpdump that either.

I would really appreciate this getting fixed and preferably bumping support for the Diffie Hellman group size to at least 2048 so I can run a single config that's compatible with most everything except the Chromebook.

Thanks!

Same issue on a stock samsung galayx s7 and a nexus 5 with cm13. L2tp/ipsec psk - try to connect but no log entry on a mikrotik routerbard. Test with same vpn on a samsung galaxy s3 is successful.

Same issue on a Samsung Galaxy S6 with Android 6.0.1.

I had an update in the past week on my samsung s6 and it works fine. Android 6.0.1

Doesn't work on my Samsung S6 on Marshmallow 6.0.1 either.
Works on my Samsung S4 on Lollipop 5.1
Both connecting to DrayTek router.

LG G4 Android 6.0 it doesn't work as well.

Same issue on Nexus 6 cm13 build 20160325 (6.0.1)

samsung s6 edge android 6.0.1. same issue can't connect to any VPN services.

Same on Samsung S7 6.0.1. I'm not surprised Android team broke something again. VPN is a business feature, try to at least test things before pushing to public. Cost me 2 hours of debugging and googling to figure out what's wrong with my VPN server.

[Comment deleted]

SYA - any update on whether anyone is looking into this?  Interesting comment in #53 by atskiiso re VPN being a business feature - the absence of VPN means I cannot use my new Android devices for business.  Even when Google fix it, I figure it could be months before the manufacturers incorporate the fix into their builds..  

nexus 5/6 with the same problem! We 've been waiting 6 months on an update of google . google ignores the problem easy! we will switch to iphone , as does the vpn !

Why does this issue still have priority "small" when in post #29 the owner aid it had been increased?

Doesn't work on my Samsung S6 on Marshmallow 6.0.1 either. Did work on Lollipop.
Works on my Samsung S3, no problem.
Could not get it to work on L2tp/ipsec psk or OpenVPN.

Update for Android 6.0.1 OpenVPN (OpenVPN client free):
When the battery saving option is off the OpenVPN connection is working again. This is 100% reproducible by switching the battery saving option on and off.
Still no luck (battery saving toggle does not affect) for the  L2tp/ipsec psk connections though.

it does not work with Nexus 6 ( 6:01 . ) !!! Last stand : windows phone 10 : VPN L2TP = no problems !!! IOS > 8.0 : VPN L2TP = no problems !!! Android > = 6 does nothing !!! We have a lot of business accounts with Goggle and currently more than 80 % of our employees are mobile Unable to work !!! This is not an option !!!

[Comment deleted]

[Comment deleted]

I have the impression that you develop your toy phones just for kids .....

Hi, i've the same problem wit nexus 6p. Connexion impossible L2TP and PPTP
By cons, if I use the phone to share the wifi connection with my computer and I turn the VPN on the computer no worries.

Same problem on Nexus 6 and LG G5, both on 6.0.1

Honor 7 running EMUI 4.0 (Android 6.0) also having issues :-(

Samsung Galaxy S4 (5.1.1) = OK
Samsung Galaxy S6 (6.0.1) = FAIL
LG G4 (5.1.1) = OK

Seems it is in the Android 6.

No change after the recent April update. So much for being "critical" :D

I have found a work around.  If you can force your VPN server (assuming you
are in control of it the way I am with mine), and can force it to use SHA1
instead of SHA2 then it works.  It seems the version of SHA2-256 that
Android 6.x.x is using is an older draft specification and the one
implemented in many other IPsec implementations uses the official SHA2-256
implementation with the correct padding and whatever else.

Has anyone else tried this?  I have it set on my server and works with both
new and old Android.  Though I am not fond of having to intentionally
weaken my security strength by having to run an older hash algorithm but
considering we can't use Diffie Hellman group larger than 1024 bits anyhow,
seems like a moot point.

Sly

After the switch to 6.0.1 my VPN connection didn't work anymore. It turned out that the power saving mode was the culprit. Once I added my vpn app to the apps that cannot be optimized my VPN connection worked again.

#71 - I thought the problem is in the base Android Kernel.  What specific 'app' or function are you excluding from optimization?  I am not using any add-on app, I (and it seems some others) are using the base Android function to (try to) access a  router (over which I/we have no control)

Having the same setup and the same problem. Nexus 6, Android 6.0.1. L2tp/ipsec psk never worked on my Nexus 6 since I bought it one year ago. :-(

I have the same problem after upgrade to 6.0 on my stock samsung galaxy s6 android (now)6.0.1. Did not change my configuration and other devices still work. Workt perfectly on android 5.x. problems started the minute after the upgrade to 6.0.

L2tp/ipsec psk is my protocol

Another software update last night on my samsung galaxy s6 and pleased to say my vpn (ipvanish ) continues to work with no issues.

I also got the security update of 01 march '16. L2tp/ipsec psk still not working on the galaxy s6 android 6.0.1

@Neil do you have a reference to the changelog of your update?

April security update is also not fixing the VPN for me (not that I had expected that).

@thefunkw..

http://security.samsungmobile.com/smrupdate.html#SMR-MAR-2016

Does ipvanish use L2TP IPSEK PSK?  The only info I could find referred to PPTP which does not encrypt passwords for initial session setup so is in itself a security exposure.  Maybe as a public service they are ok with that but if you are connecting to your own VPN servers then PPTP is a very very bad idea.  We got PPTP to work but it's too great an exposure to our internal network.

If this an example of the degree of urgency that so-called 'critical' updates are given, I'd hate to see what happens to ones of a lesser urgency!

There doesn't seem to be any resource constraints within Google's software development team that prevent them from implementing numerous random and confusing changes to Android apps with alarming regularity though.

Like everyone above, my L2TP/IPSEC with PSK works perfectly fine on all my other devices and my HTC m7 with Android 5.0; I _NEED_ VPN to work for effective running of my business; right now I'm using my phone as a hotspot to relay the VPN connection from an iPad. Can we PLEASE get this fixed ASAP? By the way, the "power saving" trick described above doesn't work for me; I'm using the Android VPN utility (in Settings/More Connection Settings) that came with the Galaxy S7. Haven't tried shifting to SHA1 yet.

I'm on a Moto X Pure and I'm having the same issue since running an upgrade.

The vpn doesn't work anymore in my note 5 after the update 6.0.1 anyone have a solution for this issue ??

#83 nkq18, and #81 deanecox.  I hit this issue last December.  My fix was to buy Iphones for us all (okay, I'm a small business so it was only 4).  They just work and we've had zero issues - with hindsight I have secured 6 months of productivity so it was a good decision.  We still have some Android devices but due to remote access issues they are not much use anymore. I will never buy Android again - maybe this is why most of my corporate clients are switching from BB to Appl. Much as I hate proprietary Apple and it's cost, I cannot believe Apple would have taken 6 months to do basically nothing on a security glitch.  Google clearly do not take security seriously, nor business reliability.  

This is a critical bug that impacts (not only) businesses running Android 6. Is there any chance this gets fixed after almost half a year after reporting?

This bug is a no-go for Android in business use. What do you expect your users to do? Switch to an extremely unsecure PPTP VPN?

I WAS happy when my lenovo P1 Vibe upgraded MM 6.0.1. But now because of this bug I cannot connect to my work VPN, thanks google!
Is there any workaround solution other than changing server side configuration?

FYI I managed to get around this on my Synology RT1900AC router by editing the ipsec.conf file as outlined in post #35. I didn't have an ike= or phase2alg= line, so only needed to change sha2-truncbug= from no to yes and reboot, and it works again!

Change on my NAS synology DS214+ as stated in post #87, works great! Happy now

Is lorenzo@google.com (owner) still live ?

Hi,

We are working on this issue. Your patience is much appreciated and we will update the bug when the issue is fixed.

Thanks...

Will this make it into a security update? It was working on my Samsung S7 Edge until the April security update was installed. Hoping that maybe the June security update will fix it????

Surprise! Surprise! The issue is not resolved in May Update! The ninth month without VPN! Possibly the issue in May 2020 update fixed! Good work Google!!!

Dear all i had the sam problem , i sloved with removing the vpn app from the optimization list

[Comment deleted]

Have issues with LG G5, Gpad 8.3, Nexus 7, and Nexus 6 all on 6.0.1; Moto X on 5.1 works fine.

[Comment deleted]

I have the same problem after upgrade to 6.0.1 on my stock samsung galaxy Note 4.
I am very disappointed by samsung

Same problem on LG G3 D855 - Can no longer connect to Draytek routers with VPN L2TP IPSEC using PSK

I'm having the same problem NEXUS 5 with Android 6.0.1 MOB30H

Same Problem After update from Android 5 to 6 on my Galaxy s5. Also on new Galaxy s7. Same VPN connection works  fine on my tab s2 with 5.0.2.
Neccessary to  solve the  problem because  i am using  it on business.

This used to work on my HTC One M8, until I got the 6.0 update, then it wouldn't work. I just purchased the HTC 10, which came with 6.0.1 and it doesn't work.

@sly.midn...@gmail.com: I DO control the VPN at work, and it is using SHA1 (always has), and it still doesn't work.
My settings:
SonicWall VPN
IKE using Preshared secret

IKE (Phase 1):
Group2, 3DES, SHA1, 28800
IPSec (Phase 2):
ESP,3DES, SHA1, 28800 (PFS is off)

If you can post your VPN settings that work, maybe I can change our VPN so it will work.

I only have a small number of people (about 6) using the VPN, some from Windows, some from Macs and iPads, and the VPN works for all of those platforms, so I am hesitant to change anything. But, if the changes require changing their settings, it is doable.

Really stupid that this issue has not been resolved in all this time!

Griffin

I get it to work with SHA1 AES modp1024 only. Anything else and it fails to
connect but with SHA2-256 it connects but doesn't pass any traffic.

Sly

This is really a JOKE...

Yes this is like a joke ! And google ignores the problem with absolute obstinacy !!!

Having the same issue on Samsung S6 / Android 6.0.1_0006

- Are there any updates / workarounds on this issue? Such a deal breaker using Androids in a business environment; shame!

Confirmed VPN working over L2TP/IPsec working on other devices and competitors - fails on Android 6.0.1.

Device Info / debug file excerpt (IP addresses masked) :

========================================================
== dumpstate: 2016-05-21 00:10:44
========================================================

Build: MMB29K.G920FXXU3DPDR
Build fingerprint: 'samsung/zerofltexx/zeroflte:6.0.1/MMB29K/G920FXXU3DPDR:user/release-keys'
Bootloader: G920FXXU3DPDR
Radio: unknown
Network: Optus
Kernel: Linux version 3.10.61-7169835 (dpi@SWDD6516) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Sat Apr 23 23:38:07 KST 2016
Command line: console=ram loglevel=4 sec_debug.level=0 sec_watchdog.sec_pet=5 androidboot.hardware=samsungexynos7420 androidboot.debug_level=0x4f4c ess_setup=0x46000000 sec_tima_log=0x200000@0x48002000 sec_avc_log=0x40000@0x48204000 charging_mode=0x0 s3cfb.bootloaderfb=0xe2a00000 lcdtype=4194323 consoleblank=0 lpj=239616 sec_debug.reset_reason=7 ehci_hcd.park=3 oops=panic pmic_info=35 cordon=45144cb40411ad93ac150a7c9e058726 connie=SM-G920F_OPEN_EUR_472fd333a7cdd593042b72e5dfabaa02 fg_reset=0 androidboot.emmc_checksum=3 androidboot.boot_salescode= androidboot.odin_download=1 androidboot.bootloader=G920FXXU3DPDR androidboot.selinux=enforcing androidboot.security_mode=1526595585 androidboot.ucs_mode=0 androidboot.hw_rev=11 androidboot.warranty_bit=0 androidboot.hmac_mismatch=0 androidboot.sec_atd.tty=/dev/ttySAC1 androidboot.serialno=031603a455ae1b01 snd_soc_core.pmdown_time=1000 zero_sdchg_ic=0 androidboot.fmp_config=1

------ HW REVISION (/proc/device-tree/model_info-system_rev) ------
011

------ UPTIME (uptime) ------
up time: 01:14:44, idle time: 06:53:42, sleep time: 00:04:59
[uptime: 0.020s elapsed]

------ UPTIME MMC PERF (/sys/block/mmcblk0/) ------
------ MEMORY INFO (/proc/meminfo) ------
MemTotal:        2744168 kB
MemFree:           45960 kB
Buffers:            2468 kB
Cached:           339780 kB
SwapCached:       165744 kB
Active:           413328 kB
...

05-21 00:07:30.091  3510  5082 D ConnectivityService: getVpnConfig > userId : 0
05-21 00:07:30.091  3510  5082 D ConnectivityService: getVpnConfig > session : MyVPN
05-21 00:07:30.271  3047  4172 I SurfaceFlinger: id=671 Removed JnputMethod (6/8)
05-21 00:07:30.271  3047  3120 I SurfaceFlinger: id=671 Removed JnputMethod (-2/8)
05-21 00:07:30.281  3047  3047 D libEGL  : eglTerminate EGLDisplay = 0x7fc3ec4e18
05-21 00:07:30.341  2710  2710 D racoon  : Received 6 arguments
05-21 00:07:30.341  2710  2710 I racoon  : ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
05-21 00:07:30.521  2710  2710 I racoon  : XXX.XXX.X.X[500] used as isakmp port (fd=11)
05-21 00:07:30.521  2710  2710 I racoon  : XXX.XXX.X.X[500] used for NAT-T
05-21 00:07:30.521  2710  2710 I racoon  : XXX.XXX.X.X[4500] used as isakmp port (fd=12)
05-21 00:07:30.521  2710  2710 I racoon  : XXX.XXX.X.X[4500] used for NAT-T
05-21 00:07:30.591  4158  4158 E audit   : type=1415 msg=audit(1463753250.591:272): op=SPD-add auid=4294967295 ses=4294967295 subj=u:r:racoon:s0 res=1 src=XXX.XXX.X.X dst=XXX.XX.XXX.X
05-21 00:07:30.601  4158  4158 E audit   : type=1300 msg=audit(1463753250.591:272): arch=c00000b7 syscall=206 success=yes exit=128 a0=d a1=7f9bf0f500 a2=80 a3=0 items=0 ppid=1 ppcomm=init pid=2710 auid=4294967295 uid=0 gid=1016 euid=0 suid=0 fsuid=0 egid=1016 sgid=1016 fsgid=1016 ses=4294967295 tty=(none) comm="racoon" exe="/system/bin/racoon" subj=u:r:racoon:s0 key=(null)
05-21 00:07:30.601  4158  4158 E audit   : type=1327 msg=audit(1463753250.591:272): proctitle="/system/bin/racoon"
05-21 00:07:30.601  4158  4158 E audit   : type=1320 msg=audit(1463753250.591:272):
05-21 00:07:30.601  4158  4158 E audit   : type=1415 msg=audit(1463753250.591:273): op=SPD-add auid=4294967295 ses=4294967295 subj=u:r:racoon:s0 res=1 src=XXX.XX.XXX.X dst=XXX.XXX.X.X
05-21 00:07:30.601  4158  4158 E audit   : type=1300 msg=audit(1463753250.591:273): arch=c00000b7 syscall=206 success=yes exit=128 a0=d a1=7f9bf0f500 a2=80 a3=0 items=0 ppid=1 ppcomm=init pid=2710 auid=4294967295 uid=0 gid=1016 euid=0 suid=0 fsuid=0 egid=1016 sgid=1016 fsgid=1016 ses=4294967295 tty=(none) comm="racoon" exe="/system/bin/racoon" subj=u:r:racoon:s0 key=(null)
05-21 00:07:30.601  4158  4158 E audit   : type=1327 msg=audit(1463753250.591:273): proctitle="/system/bin/racoon"
05-21 00:07:30.601  4158  4158 E audit   : type=1320 msg=audit(1463753250.591:273):
05-21 00:07:30.811  2932  2932 I FIPS_bssl: FIPS approved mode (1) | 2932 | /system/bin/mtpd
05-21 00:07:30.811  2932  2932 D mtpd    : Waiting for control socket
05-21 00:07:31.101  2932  2932 D mtpd    : Received 20 arguments
05-21 00:07:31.101  2932  2932 I mtpd    : Using protocol l2tp
05-21 00:07:31.101  2932  2932 I mtpd    : Connecting to XXX.XX.XXX.X port 1701 via wlan0
05-21 00:07:31.111  2932  2932 I mtpd    : Connection established (socket = 12)
05-21 00:07:31.111  2932  2932 D mtpd    : Sending SCCRQ (local_tunnel = 36321)
05-21 00:07:31.111  2710  2710 I racoon  : IPsec-SA request for XXX.XX.XXX.X queued due to no phase1 found.
05-21 00:07:31.111  2710  2710 I racoon  : initiate new phase 1 negotiation: XXX.XXX.X.X[500]<=>XXX.XX.XXX.X[500]
05-21 00:07:31.111  2710  2710 I racoon  : begin Aggressive mode.
05-21 00:07:31.131  3510  5037 D ConnectivityService: getVpnConfig > userId : 0
05-21 00:07:31.131  3510  5037 D ConnectivityService: getVpnConfig > session : MyVPN
...
05-21 00:08:01.371  2710  2710 I racoon  : Bye
05-21 00:08:01.561  3510  2709 I LegacyVpnRunner: Aborting
05-21 00:08:01.561  3510  2709 I LegacyVpnRunner: java.lang.IllegalStateException: racoon is dead
05-21 00:08:01.561  3510  2709 I LegacyVpnRunner:       at com.android.server.connectivity.Vpn$LegacyVpnRunner.execute(Vpn.java:1863)
05-21 00:08:01.561  3510  2709 I LegacyVpnRunner:       at com.android.server.connectivity.Vpn$LegacyVpnRunner.run(Vpn.java:1536)
05-21 00:08:01.561  3510  2709 D Vpn     : setting state=FAILED, reason=racoon is dead
05-21 00:08:01.561  3510  2709 I LegacyVpnRunner: Ignore exception
05-21 00:08:01.561  2932  2932 D mtpd    : Timeout -> Sending SCCRQ
05-21 00:08:01.581  2932  2932 I mtpd    : Received signal 15
05-21 00:08:01.581  2932  2932 D mtpd    : Sending STOPCCN
05-21 00:08:01.581  2932  2932 I mtpd    : Mtpd is terminated (status = 5)

========================================================

I have the same problem on my BlackBerry PRIV, pls pls pls fix!

I had the same problem.
Then I just found the OPENVPN Connect Android app, and it just works now.

https://play.google.com/store/apps/details?id=net.openvpn.openvpn

Using Samsung Galaxy S4 i9505 with Resurrection Remix v5.6.9 Marshmallow (CM13 based).

Let me know, if helps anybody else.

My note 4's VPN doesn't work after upgrade to 6.0.1
It looks like Google helps NSA by not resolving this critical bug aftee 9month

What an unprossional arrogant  behavior - google devs!!

HTC M9, Work has VPN L2TP/IKE. Can no longer use. I've tried another program and it said that there was an invalid exchange, but would not specify what.

Did you try the OPENVPN Connect Android app?
I was able to use it successfully connect  to my work computer.
https://play.google.com/store/apps/details?id=net.openvpn.openvpn

Using Samsung Galaxy S4 i9505 with Resurrection Remix v5.6.9 (CM13 based).

This has been 6 months now and frankly can't be hard to fix - likely just a parameter.  Is ANYONE working on it?  What's the status and outlook?  

Can anybody confirm that OPENVPN is working with the software I successfully use?

Some Threae from German Telekom community says rmnet0 makes the problem. Also it will work when LTE is switched off and only 3G is on.

Not workint for me but maybe helps.

Hi,

This issue is fixed internally and fix will be available in future releases.

Thanks...

Also seeing issue on BlackBerry PRIV on Marshmallow

Just downloaded the new update and I still can not connect to my VPN. Galaxy S7

#114 sya...@google.com
Hi,

This issue is fixed internally and fix will be available in future releases.

Thanks...
Status: FutureRelease

Which is akin to an answer for how long a piece of string is...
Any further details would be great, new Samsung update still does not have this fix and I continue to have to use another phone just to be able to obtain much needed work access.

> This issue is fixed internally and fix will be available in future releases.

More details please. Will this be fixed in the next update for the 5x?

Click advanced, enable backwards compatible mode...

Solved the problem for me.

no option 'backwards compatible mode' on my phone....

[Comment deleted]

I have the same issue on Android 6.0.1 (Nexus 5X). I tried to update it to Android N (NPD56N) - I didn't help. Ipsec works fine on iphones, win 10, android 4.4 devices.
And i tried to use md5 for hash and tried to change PFS to modp1024 - didn't help for me.
Can anybody say, when fix will be available for download?

I found solution: if you are using libreswan for ipsec, you follow this instructions (which helped me)
Android 6 (Marshmallow) users should edit /etc/ipsec.conf on the VPN server and append ,aes256-sha2_256 to both ike= and phase2alg= lines. Then add a new line sha2-truncbug=yes immediately after those. Indent lines with two spaces. When finished, run service ipsec restart
Original posted here (see Note)  : https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android 

Sony xperia z5p  on Android 6.0.1,NG....

Sony xperia z5p  on Android 6.0.1,NG....

Hey
yesterday i bought the S7, and had the same problem.
VPN works fine with Galaxy S5 (Android 5.x), doesnt work with S7 (Android 6.01).

i'm from germany and with a hint in a user forum from a service provider (Telekom) IT NOW WORKS with VoLTE (Voice over LTE, 4G) deactivated!
If this is not an option in the US, perhaps try to use 2G or 3G ??

it only works after rebooting!

Gaaaa!  My Samsung Note 4 updated to 6.0 Marshmellow and now my VPN connections fail to connect like the others.  I am a network admin, I have to have access to my network.  Is there no solution?

Same problem here.
I have samsung galaxy note 5 vrs6.0.1 and i tried more than 10 different VPN apps and still no one work for me.
Please any help, it is definitely an issue from the android version since with my other android phone vrs 5.x all work good and as they should.1

Also having this issue on multiple 6.0.1 devices! Please push a fix Google!!

Freaking crazy you, Google! Are you building an NSA-phone here, or how can it take half a year (and still counting) to fix VPN?

Google please confirm it is fixed with security update July

I've installed the July 1 update and it's still not working, so this release obviously didn't get the fix. Please advise WHEN this fix will be applied (not just "future releases)!!

its a shame that such a essential feature is not fixed.
I´m using Honor 7 with all latest updates

I can confirm that the problem occurs at the OnePlus 3 (Android 6.0.1) in combination with a Synology DS213+ VPN server DSM 6.0.1-7393 Update 1 (latest update)

I am having the same problem however it only appears for me when using Android 6 on a Nexus 6P which is connected to IPv6 only PDP using 464XLAT to connect to the IPv4 only VPN server (Strongswan 5.3.3). If I use native IPv4 it works fine, also if I use either IPv6 or IPv4 on a Nexus 5 there are no issues for me, same if I use a Galaxy Note 3 on IPv4 or IPv6, no issues.

Can anybody please confirm if this behavior is consistent with the issue reported here?

****### POSSIBLE SOLUTION ###****

I had Opera MAX installed on my phone and the VPN key used to appear only for Opera. Assuming it might have made changes to the VPN service or settings that are affecting the other VPN apps, I force-stopped the Opera MAX service (in settings > apps). This helped, I'm now able to tunnel through using my other VPN apps.

Same problem,  i think about an iphone...

This is a critical bug! I can not use my Galaxy S7 to work! Google should immediately release the fix!

[Comment deleted]

Same problem!!! In new Galaxy s7!!! Google became a corporation Like Microsoft - shit at all, only in money intrested!

time for a fix?

IVE MANAGED TO GET IT WORKING!!!
Ever since upgrading my xperia z2 to android 6 my VPN connections stopped working (using IPsec with PSK). This is what I did to get it connecting... Click the settings icon (the cog) next to your vpn profile, tick Show Advanced Options then scroll down to the bottom and Enable the Backwards-compatible mode option. Now connects :) Im running android 6.0.1.

I've tested on my Samsung galaxy s5 and galaxy tab s2.
before updated from android 5 to 6 the OpenVPN works without any problems.
After the update several problems occur :
The App starts and connects to the Server and initializes the tun0 Interface, as I could see via command "ip r l", but none of the pushed routes are set.
Second problem, the new power save rules kill the connection.
Looking at the log file shows an "Operation not permitted" error for each rooting post. So I tried it manually with "ip r add x.x.x.x/16 via x.y.z.n" and got the same message. so I think the origin of the problem is clear. The App has not enough permission to set the routes and i'm afraid for setting the new DNS-Server could be the same. (I can't test at the moment)  

With regards #143, on my nexus 5x there isn't the option 'backwards compatible' at the advanced options....

Same problem on 6.0.1. Please fix.

Same problem with 6.0 and Huawei P9

Same issue with Galaxy Tab A.  Works fine on my other Android devices running 6.0.1

Google, what's the workaround while waiting for future releases? Can't use my Nexus 7 for work now.

Ok, last time I'll buy a google phone. August update still not fix this major problem. Thank you google.

Same issue on moto e gen2 with Android 6.0. please fix it quickly!

Same issue on moto e gen2 with Android 6.0. please fix it quickly!

[Comment deleted]

The same on SGS 5 (SM-G900F), android 6.0.1, MMB29M.G900FXXS1CPG2

This is ridiculous, same issue on S7 edge. Google get it fixed already!

[Comment deleted]

I've got the same issue...
CM13 on my General Mobile Android One 4G :-(

[Comment deleted]

I am able to reproduce the issue on a OnePlus 3 running 6.0.1.

same thing, nexus 5, 6.0.1

Same issue galaxy s7. Annnoying.

Same issue - on both my Nexus 7 2013, and my Samsung Galaxy S5 after the Marshmallow update.

SONY somehow fixed this on their 6.0.1 ROM(s). I'm able to connect to my Synology L2TP/IPSec VPN fine. I DO have to enable some 'Legacy mode' checkbox, that doesn't seem to be stock.

Try the solution pointed out in #60
Works for my S5 neo

for OVPN

Android 7.0 stock on Nexus 5x, still same problem

Same problem on SAMSUNG J5 / Android 5.1.1.

---
$[i] ip route add 172.18.16.0/22 dev tun0
RTNETLINK aswers: Operation not permitted
---
And of course my private network is not listed in my tun0 routes, so the app connect fine but I can't go anywhere. Una bosta realmente! FIX IT!

Same issue as mentioned above with regards to L2TP/IPsec VPN connections.
(#60 comment does not resolve L2Tp/IPsec connections, just fix for OpenVPN)

Phone: LG 5 (6.0.1)
Cannot connect to L2Tp/IPsec VPN in 6.0.1  (works with 5x running 5.1.1)

Something is definitely broken in 6.0.1 across all phone (see all comments above!) with L2Tp/IPsec VPN.

Please fix Google.

On an LG G4 and same issue... had an andoid update a few days ago - still no fix. I'm on 6.0