[Swan] IKEv2 connection from Android drops after a few minutes

Beat Zahnd beat.zahnd at gmail.com
Mon Mar 9 22:33:24 UTC 2020


OK. Seems the Android client has some unfortunate limitations...

>> Is there a way to force the server to send NAT-T keep-alives to a server, just to keep the carrier NAT from timing out?
> 
> libreswan automatically sends NAT-T keepalives every 20s if the client
> is behind NAT (and the server is not behind NAT). But I think in your
> case there might be double NAT happening, and your timeout happens on
> the NAT near the client, not near the server.

NAT is only on the client on the mobile carrier gateway. The server detects this properly:

Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL encaps using auto-detect
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL this end is NOT behind NAT
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL that end is behind NAT 178.197.x.x
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL nat_keepalive enabled 178.197.x.x
Mar  9 23:14:44 core pluto[26250]: |  NAT-Traversal support  [enabled] add v2N payloads.
Mar  9 23:14:45 core pluto[26250]: "ikev2-cp"[4] 178.197.x.x #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x5d613f24 <0xdff1b417 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.x.x:8331 DPD=active}

But there are no keepalives from the server.

On the server, NAT is only for non-IPsec traffic:

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   34  2664 RETURN     all  --  *      vlan5   0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
4193K  487M MASQUERADE  all  --  *      vlan5   0.0.0.0/0            0.0.0.0/0        

as explained in https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working
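Added example, not code from the original post or from the libreswan project: a small Python parser that pulls the NAT-T conclusions out of pluto debug lines like the ones above, so the server's view (peer behind NAT, keepalives enabled, NATD address:port, UDP encapsulation) can be compared against what is actually seen on the wire. The sample lines are the ones quoted above; the regex patterns are my assumptions about this log format.

```python
import re

# Constructed sample: the pluto debug lines quoted in the post above (peer masked as in the post).
SAMPLE_LOG = """\
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL encaps using auto-detect
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL this end is NOT behind NAT
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL that end is behind NAT 178.197.x.x
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL nat_keepalive enabled 178.197.x.x
Mar  9 23:14:44 core pluto[26250]: |  NAT-Traversal support  [enabled] add v2N payloads.
Mar  9 23:14:45 core pluto[26250]: "ikev2-cp"[4] 178.197.x.x #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x5d613f24 <0xdff1b417 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.x.x:8331 DPD=active}
"""

# Assumed patterns for the two line shapes shown in the post.
NAT_LINE = re.compile(r"\| NAT_TRAVERSAL (?P<msg>.+)$")
SA_LINE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: STATE_V2_IPSEC_R: '
    r'IPsec SA established \S+ mode \{(?P<attrs>[^}]*)\}'
)


def parse_natt_state(log_text):
    """Extract what pluto concluded about NAT traversal from its debug output."""
    state = {
        "encaps_mode": None,          # how pluto decided on UDP encapsulation
        "this_end_behind_nat": None,  # the server side
        "that_end_behind_nat": None,  # the client side
        "keepalive_enabled": False,   # pluto says it will send NAT-T keepalives
        "udp_encap": False,           # SA negotiated ESP-in-UDP (ESP/NAT=>...)
        "natd": None,                 # client's address:port as seen after NAT
        "dpd": None,
    }
    for line in log_text.splitlines():
        m = NAT_LINE.search(line)
        if m:
            msg = m.group("msg")
            if msg.startswith("encaps using "):
                state["encaps_mode"] = msg[len("encaps using "):]
            elif msg.startswith("this end is "):
                state["this_end_behind_nat"] = "NOT behind" not in msg
            elif msg.startswith("that end is "):
                state["that_end_behind_nat"] = "NOT behind" not in msg
            elif msg.startswith("nat_keepalive enabled"):
                state["keepalive_enabled"] = True
            continue
        m = SA_LINE.search(line)
        if m:
            attrs = m.group("attrs").split()
            state["udp_encap"] = any(a.startswith("ESP/NAT=>") for a in attrs)
            for a in attrs:
                key, _, val = a.partition("=")
                if key in ("NATD", "DPD"):
                    state[key.lower()] = val
    return state


def server_should_send_keepalives(state):
    """Per the reply quoted above: keepalives are sent when the peer is behind NAT and we are not."""
    return state["that_end_behind_nat"] is True and state["this_end_behind_nat"] is False
```

If this returns True for a log but a packet capture on UDP 4500 shows no keepalives from the server, the gap is between what pluto believes and what leaves the host, which is where the next round of debugging should focus.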