[Swan] IKEv2 connection from Android drops after a few minutes

Paul Wouters paul at nohats.ca
Sun Mar 8 22:56:27 UTC 2020

On Sun, 8 Mar 2020, Beat Zahnd wrote:

> Opened an issue on strongswan: https://wiki.strongswan.org/issues/3364
> It seems that there is no way for an Android app to avoid that it is suspended. No keepalives can be sent and NAT will time out.

Hopefully the native IKEv2 that should come out around July will fix all
that on Android.

> It was mentioned that a port change after NAT timeout shall be accepted by the server: https://tools.ietf.org/html/rfc7296#section-2.23 Is this feature missing on libreswan?

It is not so much missing on libreswan, as it is missing in the linux
kernel. Using MOBIKE at least causes a woken-up client to fix up the
existing IPsec connection with the new port. I know iPhone for example
just ALWAYS sends a MOBIKE ADDRESS_UPDATE, even if its address did not
change, so that the port change can be picked up by the server side.
Strongswan should really do the same.

> Is there a way to force the server to send NAT-T keep-alives to a server, just to keep the carrier NAT from timing out?

libreswan automatically sends NAT-T keepalives every 20s if the client
is behind NAT (and the server is not behind NAT). But I think in your
case there might be double NAT happening, and your timeout happens on
the NAT near the client, not near the server.


>> On 5 Mar 2020, at 22:30, Paul Wouters <paul at nohats.ca> wrote:
>> On iPhones, any wake up from sleep or network change will send a MOBIKE UPDATE message. I don’t know about strongswan client behaviour.
>> It might be a strongswan bug.
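The two mechanisms discussed above (the one-octet NAT-T keepalive on UDP 4500 and the RFC 7296 section 2.23 rule that a server should move an IKE SA to a new source port once an authenticated packet arrives from it) can be illustrated with a small simulation. The code below is an added example written for this thread, not libreswan or strongSwan code; the SA record, the `handle_udp4500` function, the truncated-HMAC integrity check and the single message-ID counter are constructed simplifications of real IKEv2 processing, and the SPIs, key and endpoints are made-up sample values.

```python
import hmac
import hashlib
import struct

# Framing constants from RFC 3948 / RFC 7296 for traffic on UDP port 4500.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero octets precede an IKE message
NAT_KEEPALIVE = b"\xff"                 # a NAT-T keepalive is a single 0xFF octet
# IKEv2 header: SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")
PAYLOAD_SK = 46            # Encrypted and Authenticated payload type
EXCH_INFORMATIONAL = 37    # exchange type used for the sample messages
FLAG_INITIATOR = 0x08
ICV_LEN = 16               # truncated HMAC-SHA256, a constructed simplification of the SK ICV


class IkeSa:
    """Minimal IKE SA record: SPIs, integrity key, current peer endpoint (constructed)."""

    def __init__(self, spi_i, spi_r, sk_a, peer):
        self.spi_i = spi_i
        self.spi_r = spi_r
        self.sk_a = sk_a              # integrity key for packets from the peer
        self.peer = peer              # (ip, port) the server currently sends to
        self.expected_msgid = 0       # simplified replay window: next acceptable message ID
        self.peer_updates = 0         # how often the endpoint moved (e.g. after a NAT timeout)


def build_ike_message(sa, msg_id, payload):
    """Build a simplified IKEv2 message with an ICV, framed for UDP 4500."""
    length = IKE_HEADER.size + len(payload) + ICV_LEN
    hdr = IKE_HEADER.pack(sa.spi_i, sa.spi_r, PAYLOAD_SK, 0x20,
                          EXCH_INFORMATIONAL, FLAG_INITIATOR, msg_id, length)
    body = hdr + payload
    icv = hmac.new(sa.sk_a, body, hashlib.sha256).digest()[:ICV_LEN]
    return NON_ESP_MARKER + body + icv


def handle_udp4500(sa_table, src, datagram):
    """Classify one datagram received on UDP 4500 and apply the section 2.23 port update.

    src is the (ip, port) the datagram came from; returns a short verdict string.
    """
    if datagram == NAT_KEEPALIVE:
        return "keepalive"            # keeps the NAT mapping alive, nothing else to do
    if not datagram.startswith(NON_ESP_MARKER):
        return "esp"                  # UDP-encapsulated ESP, handled by the kernel
    msg = datagram[len(NON_ESP_MARKER):]
    if len(msg) < IKE_HEADER.size + ICV_LEN:
        return "malformed"
    spi_i, spi_r, _np, _ver, _exch, _flags, msg_id, length = IKE_HEADER.unpack_from(msg)
    if length != len(msg):
        return "malformed"
    sa = sa_table.get((spi_i, spi_r))
    if sa is None:
        return "unknown-sa"
    body, icv = msg[:-ICV_LEN], msg[-ICV_LEN:]
    expected = hmac.new(sa.sk_a, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad-icv"              # never move the SA on an unauthenticated packet
    if msg_id < sa.expected_msgid:
        return "replay"               # an old packet must not drag the SA to another port
    sa.expected_msgid = msg_id + 1
    if src != sa.peer:
        sa.peer = src                 # RFC 7296 2.23: follow the authenticated new port
        sa.peer_updates += 1
        return "peer-updated"
    return "ok"
```

A server following this logic keeps sending to the client's old NAT mapping until the client itself transmits something authenticated from the new mapping, which is exactly why a suspended client that sends neither keepalives nor a MOBIKE update stays unreachable.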
