[Swan] IKEv2 connection from Android drops after a few minutes

Paul Wouters paul at nohats.ca
Thu Mar 5 20:40:14 UTC 2020

On Thu, 5 Mar 2020, Beat Zahnd wrote:

> Do not yet really understand how the client (mobile phone) shall detect that the cellular proider NAT changes the port number.

It tells the server in a newly encrypted packet that "My IP/port might
have changed, use whatever this packet arrived in as the new IP/port".

So without the client knowing it, the server knows it and can just
respond. The "newly encrypted" packet has a sequence number so an
attacker cannot replay an old packet with a bogus IP/port as denial
of service attack.

> I recently switched from raccoon/xl2tpd to libreswan IKEv2. Using the Android standard VPN client this was never a problem.

maybe racoon prevented your phone from going into sleep mode completely?


More information about the Swan mailing list