[Swan] IKEv2 connection from Android drops after a few minutes

Paul Wouters paul at nohats.ca
Thu Mar 5 20:40:14 UTC 2020


On Thu, 5 Mar 2020, Beat Zahnd wrote:

> Do not yet really understand how the client (mobile phone) shall detect that the cellular provider NAT changes the port number.

It tells the server in a newly encrypted packet that "My IP/port might
have changed, use whatever this packet arrived in as the new IP/port".

So without the client knowing it, the server knows it and can just
respond. The "newly encrypted" packet has a sequence number so an
attacker cannot replay an old packet with a bogus IP/port as a denial
of service attack.

> I recently switched from racoon/xl2tpd to libreswan IKEv2. Using the Android standard VPN client this was never a problem.

Maybe racoon prevented your phone from going into sleep mode completely?

Paul
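
The server-side behaviour described in the reply above, as a simplified model added here for illustration (not part of the original message and not libreswan code): the responder takes the peer's new IP/port from the source address of an authenticated packet, and only if its sequence number is fresh. Assumptions: an HMAC-SHA256 tag stands in for the encryption and integrity protection, the packet layout, class and function names are hypothetical, the addresses and key are constructed, and a strict "greater than last seen" check stands in for a real replay window.

```python
import hashlib
import hmac
import struct

class Responder:
    """Toy server side: hypothetical model, not the IKEv2 wire format."""

    def __init__(self, key, peer_addr):
        self.key = key
        self.peer_addr = peer_addr  # (ip, port) currently used to reach the client
        self.last_seq = 0           # highest sequence number accepted so far

    def receive(self, src_addr, packet):
        """Accept a packet and adopt its source address, or reject it unchanged."""
        if len(packet) < 8 + 32:
            return False
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False            # forged or corrupted: source address ignored
        (seq,) = struct.unpack("!Q", body[:8])
        if seq <= self.last_seq:
            return False            # replayed old packet: source address ignored
        self.last_seq = seq
        self.peer_addr = src_addr   # taken from the UDP header, not from the payload
        return True

def client_packet(key, seq, payload=b"address may have changed"):
    """Build sequence number + payload + tag, as the client would."""
    body = struct.pack("!Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def demo():
    key = b"constructed-demo-key"
    server = Responder(key, ("198.51.100.7", 4500))
    first = client_packet(key, 1)
    results = [server.receive(("198.51.100.7", 4500), first)]
    # The carrier NAT rebinds the flow: same client, new source port.
    results.append(server.receive(("198.51.100.7", 61022), client_packet(key, 2)))
    # A captured old packet is replayed from a bogus address.
    results.append(server.receive(("203.0.113.66", 4500), first))
    # A fresh sequence number without the right key fails authentication.
    results.append(server.receive(("203.0.113.66", 4500), client_packet(b"wrong", 3)))
    return results, server.peer_addr

if __name__ == "__main__":
    print(demo())
```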

