[Swan] IKEv2 connection from Android drops after a few minutes

Paul Wouters paul at nohats.ca
Thu Mar 5 21:30:37 UTC 2020 

On iPhones, any wake up from sleep or network change will send a MOBIKE UPDATE message. I don’t know about strongswan client behaviour.

It might be a strongswan bug. 


Sent from my iPhone

> On Mar 5, 2020, at 16:21, Beat Zahnd <beat.zahnd at gmail.com> wrote:
> 
> What trigger the client to send such cookies when staying on the same network? Shall the be sent periodically?
> 
> Because if im on GSM with stalled VPN, and then I switch on WiFi, I see the MOBIKE COOKIE on the server:
> 
> Mar  5 22:12:59 core pluto[12227]: | MOBIKE COOKIE2 received:
> Mar  5 22:12:59 core pluto[12227]: |   92 5b 56 f3  22 1c 3e 2d  e0 75 53 63  ca 70 a1 76
> Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7:  success MOBIKE update remote address 178.197.x.x:0 -> 10.76.1.183:46671
> Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: MOBIKE request: updating IPsec SA by request
> 
> And switching back to GSM / disabling WiFI:
> 
> Mar  5 22:18:36 core pluto[12227]: | MOBIKE COOKIE2 received:
> Mar  5 22:18:36 core pluto[12227]: |   b6 34 90 91  5f 0d ef 86  fa 50 bd 2a  b1 29 c3 c8
> Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7:  success MOBIKE update remote address 10.76.1.183:46671 -> 178.197.x.x:33096
> Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: MOBIKE request: updating IPsec SA by request
> 
> But I never see MOBIKE COOKIEs when the phone is waking up from sleep...
> 
> Is this a strongswan app issue?
> 
> 
> 
>> On 5 Mar 2020, at 21:40, Paul Wouters <paul at nohats.ca> wrote:
>> 
>> On Thu, 5 Mar 2020, Beat Zahnd wrote:
>> 
>>> Do not yet really understand how the client (mobile phone) shall detect that the cellular proider NAT changes the port number.
>> 
>> It tells the server in a newly encrypted packet that "My IP/port might
>> have changed, use whatever this packet arrived in as the new IP/port".
>> 
>> So without the client knowing it, the server knows it and can just
>> respond. The "newly encrypted" packet has a sequence number so an
>> attacker cannot replay an old packet with a bogus IP/port as denial
>> of service attack.
>> 
>>> I recently switched from raccoon/xl2tpd to libreswan IKEv2. Using the Android standard VPN client this was never a problem.
>> 
>> maybe racoon prevented your phone from going into sleep mode completely?
>> 
>> Paul

More information about the Swan mailing list