[Swan] IKEv2 connection from Android drops after a few minutes

Beat Zahnd beat.zahnd at gmail.com
Thu Mar 5 21:21:04 UTC 2020


What triggers the client to send such cookies when staying on the same network? Shall they be sent periodically?

Because if I'm on GSM with a stalled VPN, and then I switch on WiFi, I see the MOBIKE COOKIE on the server:

Mar  5 22:12:59 core pluto[12227]: | MOBIKE COOKIE2 received:
Mar  5 22:12:59 core pluto[12227]: |   92 5b 56 f3  22 1c 3e 2d  e0 75 53 63  ca 70 a1 76
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7:  success MOBIKE update remote address 178.197.x.x:0 -> 10.76.1.183:46671
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: MOBIKE request: updating IPsec SA by request

And switching back to GSM / disabling WiFi:

Mar  5 22:18:36 core pluto[12227]: | MOBIKE COOKIE2 received:
Mar  5 22:18:36 core pluto[12227]: |   b6 34 90 91  5f 0d ef 86  fa 50 bd 2a  b1 29 c3 c8
Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7:  success MOBIKE update remote address 10.76.1.183:46671 -> 178.197.x.x:33096
Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: MOBIKE request: updating IPsec SA by request

But I never see MOBIKE COOKIEs when the phone is waking up from sleep...

Is this a strongswan app issue?



> On 5 Mar 2020, at 21:40, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Thu, 5 Mar 2020, Beat Zahnd wrote:
> 
>> Do not yet really understand how the client (mobile phone) shall detect that the cellular provider NAT changes the port number.
> 
> It tells the server in a newly encrypted packet that "My IP/port might
> have changed, use whatever this packet arrived in as the new IP/port".
> 
> So without the client knowing it, the server knows it and can just
> respond. The "newly encrypted" packet has a sequence number so an
> attacker cannot replay an old packet with a bogus IP/port as a denial
> of service attack.
> 
>> I recently switched from racoon/xl2tpd to libreswan IKEv2. Using the Android standard VPN client this was never a problem.
> 
> maybe racoon prevented your phone from going into sleep mode completely?
> 
> Paul
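To answer the question in this thread ("does the phone ever send a MOBIKE update after waking from sleep?") it helps to pull the "success MOBIKE update remote address" events out of pluto's log and classify each one as a real address change (GSM <-> WiFi), a NAT port rebind (same IP, new port) or a no-op. The script below is an added example for this thread, not libreswan code; the log format it matches is modelled on the lines quoted above and is an assumption that may not hold for other libreswan versions, and the sample log it runs on is constructed (addresses from the documentation range, not real traffic).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Regex modelled on the pluto lines quoted in this thread. Assumption: other
# libreswan versions log the same shape; adjust the pattern if yours differ.
UPDATE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+):\s+success MOBIKE update '
    r'remote address (?P<old>\S+) -> (?P<new>\S+)$'
)


@dataclass
class MobikeUpdate:
    ts: str
    conn: str
    sa: int
    old_ip: str
    old_port: int
    new_ip: str
    new_port: int

    @property
    def kind(self) -> str:
        """Classify what the server saw change in the UPDATE_SA_ADDRESSES."""
        if self.old_ip != self.new_ip:
            return "address_change"    # e.g. switching between GSM and WiFi
        if self.old_port != self.new_port:
            return "nat_port_rebind"   # same IP, carrier NAT re-mapped the port
        return "no_change"             # client sent an update but nothing moved


def _split_endpoint(ep: str):
    # rpartition keeps an IPv6 address (which itself contains colons) intact
    ip, _, port = ep.rpartition(':')
    return ip, int(port)


def parse_mobike_updates(lines: Iterable[str]) -> List[MobikeUpdate]:
    """Return one MobikeUpdate per matching log line, in log order."""
    out = []
    for line in lines:
        m = UPDATE_RE.match(line.rstrip('\n'))
        if not m:
            continue
        old_ip, old_port = _split_endpoint(m['old'])
        new_ip, new_port = _split_endpoint(m['new'])
        out.append(MobikeUpdate(m['ts'], m['conn'], int(m['sa']),
                                old_ip, old_port, new_ip, new_port))
    return out


def summarize(log_text: str) -> dict:
    """Count updates per kind; an empty dict means no MOBIKE update ever arrived."""
    counts = {}
    for u in parse_mobike_updates(log_text.splitlines()):
        counts[u.kind] = counts.get(u.kind, 0) + 1
    return counts


# Constructed sample log, modelled on the lines in the post (not real traffic).
# The COOKIE2 lines and "updating IPsec SA" lines are present so the parser
# demonstrably ignores them; the last line simulates a NAT port rebind.
SAMPLE_LOG = """\
Mar  5 22:12:59 core pluto[12227]: | MOBIKE COOKIE2 received:
Mar  5 22:12:59 core pluto[12227]: |   92 5b 56 f3  22 1c 3e 2d  e0 75 53 63  ca 70 a1 76
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 198.51.100.7 #7:  success MOBIKE update remote address 198.51.100.7:0 -> 10.76.1.183:46671
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: MOBIKE request: updating IPsec SA by request
Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7:  success MOBIKE update remote address 10.76.1.183:46671 -> 198.51.100.7:33096
Mar  5 22:40:02 core pluto[12227]: "ikev2-cp"[8] 198.51.100.7 #7:  success MOBIKE update remote address 198.51.100.7:33096 -> 198.51.100.7:51442
"""

if __name__ == "__main__":
    for u in parse_mobike_updates(SAMPLE_LOG.splitlines()):
        print(f"{u.ts} {u.conn} #{u.sa}: {u.kind} "
              f"{u.old_ip}:{u.old_port} -> {u.new_ip}:{u.new_port}")
    print(summarize(SAMPLE_LOG))
```

Run it against the real pluto log (e.g. `journalctl -u ipsec | python3 mobike_updates.py` after replacing SAMPLE_LOG with stdin) around the time the phone wakes from sleep: if the output shows no "nat_port_rebind" or "address_change" event for that SA, the client never sent the UPDATE_SA_ADDRESSES that Paul describes, which points at the client rather than at the server.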
