During the two days this server was blocked, I tried connecting my phone to the L2TP/IPSec service on the backup machine, but it would not connect no matter what I did. I first assumed a network problem, until I noticed that the iPad connected without any trouble. Going back to the server-side logs, sure enough, there was something wrong.
The relevant log entries are:
packet from 123.123.123.123:12345: received Vendor ID payload [RFC 3947] method set to=109
packet from 123.123.123.123:12345: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from 123.123.123.123:12345: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 123.123.123.123:12345: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 123.123.123.123:12345: ignoring Vendor ID payload [FRAGMENTATION 80000000]
packet from 123.123.123.123:12345: received Vendor ID payload [Dead Peer Detection]
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: responding to Main Mode from unknown peer 123.123.123.123
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: Main mode peer ID is ID_IPV4_ADDR: '10.140.89.199'
"L2TP-PSK-NAT"[37] 123.123.123.123 #55: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: deleting connection "L2TP-PSK-NAT" instance with peer 123.123.123.123 {isakmp=#0/ipsec=#0}
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: new NAT mapping for #55, was 123.123.123.123:12345, now 123.123.123.123:54321
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: received and ignored informational message
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: malformed payload in packet
| payload malformed after IV
|   ec 0c b1 2a d4 96 ac ec 47 8a 9f d3 9c 71 64 d3
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: sending notification PAYLOAD_MALFORMED to 123.123.123.123:54321
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: malformed payload in packet
| payload malformed after IV
|   ec 0c b1 2a d4 96 ac ec 47 8a 9f d3 9c 71 64 d3
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: sending notification PAYLOAD_MALFORMED to 123.123.123.123:54321
"L2TP-PSK-NAT"[36] 220.249.99.240 #52: max number of retransmissions (2) reached STATE_MAIN_R1
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
"L2TP-PSK-NAT"[38] 123.123.123.123 #55: malformed payload in packet
| payload malformed after IV
|   ec 0c b1 2a d4 96 ac ec 47 8a 9f d3 9c 71 64 d3
......
This repeats until Android reports a connection timeout. Reading the log, and given that iOS connects easily while Android ICS cannot connect at all, I strongly suspected a bug in the Android ICS L2TP/IPSec client. A quick search confirmed it.
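To make the rejected message concrete, here is an added example (not code from the original post, nor from Openswan or racoon): a parser for the IKEv1 NAT-OA payload as laid out in RFC 3947 section 5.2, with the RESERVED-octet checks that produce the "byte 7 ... must be zero" line above. The test vectors are constructed; the address reused in them is the peer ID from the log.

```python
"""Parse an IKEv1 NAT-OA payload (RFC 3947 5.2) and reject malformed ones."""
import ipaddress
import struct
from dataclasses import dataclass

ID_IPV4_ADDR = 1   # IKEv1 identification types carried in NAT-OA
ID_IPV6_ADDR = 5
# Fixed header: Next Payload, RESERVED, Payload Length, ID Type, 3 x RESERVED
FIXED_HEADER = struct.Struct("!BBHBBBB")


class MalformedPayload(ValueError):
    """Anything a strict responder would answer with PAYLOAD_MALFORMED."""


@dataclass
class NatOA:
    next_payload: int
    id_type: int
    address: str


def parse_nat_oa(buf: bytes) -> NatOA:
    """Parse one NAT-OA payload; raise MalformedPayload instead of guessing."""
    if len(buf) < FIXED_HEADER.size:
        raise MalformedPayload("NAT-OA payload shorter than its 8-octet fixed header")
    next_payload, rsv1, length, id_type, rsv5, rsv6, rsv7 = FIXED_HEADER.unpack_from(buf)
    # Octets 1, 5, 6 and 7 are RESERVED and must be zero; report the offending
    # offset the way the Openswan log line above does.
    for offset, value in ((1, rsv1), (5, rsv5), (6, rsv6), (7, rsv7)):
        if value != 0:
            raise MalformedPayload(f"byte {offset} of ISAKMP NAT-OA Payload must be zero, but is not")
    expected = {ID_IPV4_ADDR: 12, ID_IPV6_ADDR: 24}.get(id_type)
    if expected is None:
        raise MalformedPayload(f"unsupported NAT-OA ID type {id_type}")
    if length != expected or len(buf) != length:
        raise MalformedPayload(f"NAT-OA length {length} inconsistent with ID type {id_type}, got {len(buf)} octets")
    return NatOA(next_payload, id_type, str(ipaddress.ip_address(buf[8:length])))


def check(buf: bytes) -> str:
    """Accepted address, or the PAYLOAD_MALFORMED reason, for log correlation."""
    try:
        return "ok " + parse_nat_oa(buf).address
    except MalformedPayload as exc:
        return "PAYLOAD_MALFORMED: " + str(exc)


# Constructed vectors, not captured traffic; the second differs only in octet 7.
GOOD_NAT_OA = bytes([0x00, 0x00, 0x00, 0x0C, 0x01, 0x00, 0x00, 0x00]) + bytes([10, 140, 89, 199])
BAD_NAT_OA = bytes([0x00, 0x00, 0x00, 0x0C, 0x01, 0x00, 0x00, 0x01]) + bytes([10, 140, 89, 199])

if __name__ == "__main__":
    for name, vector in (("good", GOOD_NAT_OA), ("bad", BAD_NAT_OA)):
        print(f"{name}: {check(vector)}")
```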
Fortunately, on a rooted phone this bug is very easy to fix once and for all: replace racoon, the IPSec daemon that keeps misbehaving. First, download the patched binary onto the phone (assess its trustworthiness yourself): http://code.google.com/p/android/issues/detail?id=23124#c203
Then open a terminal on the phone (a terminal emulator or adb shell both work) and run the following commands:
su
busybox mount -o remount,rw /system
busybox ls -l /system/bin/racoon
mv /system/bin/racoon /system/bin/racoon.sucker
mv /sdcard/download/racoon.bin /system/bin/racoon
chmod 0755 /system/bin/racoon
chown 0 /system/bin/racoon
chgrp 2000 /system/bin/racoon
busybox mount -o remount,ro /system
exit
After that, L2TP/IPSec works normally.
A note on the commands above: /sdcard/download/racoon.bin is the downloaded file, and ls -l is there to show the owner and group of the system's original racoon, which are 0 and 2000 on my device; adjust the chown and chgrp values to match what you see.
racoon project home page: http://ipsec-tools.sourceforge.net/