在这台服务器被墙的那两天里，我尝试了让手机连接备机上的 IPSec L2TP ，但是却发现无论如何连不上。本来以为是网络问题，结果却发现 iPad 可以很轻松地连上。回头一看服务器端的日志，果然发现了一些问题。

相关日志如下：

packet from 123.123.123.123:12345: received Vendor ID payload [RFC 3947] method set to=109

packet from 123.123.123.123:12345: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

packet from 123.123.123.123:12345: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

packet from 123.123.123.123:12345: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

packet from 123.123.123.123:12345: ignoring Vendor ID payload [FRAGMENTATION 80000000]

packet from 123.123.123.123:12345: received Vendor ID payload [Dead Peer Detection]

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: responding to Main Mode from unknown peer 123.123.123.123

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: STATE_MAIN_R1: sent MR1, expecting MI2

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: STATE_MAIN_R2: sent MR2, expecting MI3

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: Main mode peer ID is ID_IPV4_ADDR: '10.140.89.199'

"L2TP-PSK-NAT"[37] 123.123.123.123 #55: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: deleting connection "L2TP-PSK-NAT" instance with peer 123.123.123.123 {isakmp=#0/ipsec=#0}

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: new NAT mapping for #55, was 123.123.123.123:12345, now 123.123.123.123:54321

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: received and ignored informational message

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: malformed payload in packet

| payload malformed after IV

| ec 0c b1 2a d4 96 ac ec 47 8a 9f d3 9c 71 64 d3

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: sending notification PAYLOAD_MALFORMED to 123.123.123.123:54321

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: malformed payload in packet

| payload malformed after IV

| ec 0c b1 2a d4 96 ac ec 47 8a 9f d3 9c 71 64 d3

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: sending notification PAYLOAD_MALFORMED to 123.123.123.123:54321

"L2TP-PSK-NAT"[36] 220.249.99.240 #52: max number of retransmissions (2) reached STATE_MAIN_R1

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not

"L2TP-PSK-NAT"[38] 123.123.123.123 #55: malformed payload in packet

| payload malformed after IV

| ec 0c b1 2a d4 96 ac ec 47 8a 9f d3 9c 71 64 d3

......

如此循环，直到 Android 报告连接超时为止。看了日志的信息之后，结合 iOS 可以轻松连接而 Android ICS 却无论如何无法连上这个事实，我严重怀疑 Android ICS 的 L2TP/IPSec 客户端有 Bug 。一搜，果然如此。

好在这个 Bug 在手机已经 root 过的情况下可以非常容易而且一劳永逸地修复——替换掉那个不停地出娄子的 IPSec 程序 racoon 就可以了。首先在手机上下载打好 patch 的二进制文件(安全性自己考虑吧)：http://code.google.com/p/android/issues/detail?id=23124#c203

然后打开手机上的终端(模拟器或者 adb shell 皆可)，执行以下命令：

su

busybox mount -o remount,rw /system

busybox ls -l /system/bin/racoon

mv /system/bin/racoon /system/bin/racoon.sucker

mv /sdcard/download/racoon.bin /system/bin/racoon

chmod 0755 /system/bin/racoon

chown 0 /system/bin/racoon

chgrp 2000 /system/bin/racoon

busybox mount -o remount,ro /system

exit

接着，L2TP/IPSec 就可以正常使用了。

一点说明：上述命令里面，/sdcard/download/racoon.bin 是下载下来的文件，ls -l 是为了查看系统原本的 racoon 的属主和属组，我这里是 0 和 2000 ，请根据情况调整。