[Swan] IKEv2 connection from Android drops after a few minutes

Paul Wouters paul at nohats.ca
Wed Mar 11 00:13:46 UTC 2020


On Mon, 9 Mar 2020, Beat Zahnd wrote:

> OK. Seems the android client has some unfortunate limitations...
>
>>> Is there a way to force the server to send NAT-T keep-alives to a server, just to keep the carrier NAT from timing out?
>>
>> libreswan automatically sends NAT-T keepalives every 20s if the client
>> is behind NAT (and the server is not behind NAT). But I think in your
>> case there might be double NAT happening, and your timeout happens on
>> the NAT near the client, not near the server.
>
> NAT is only on the client on the mobile carrier gateway. The server detects this properly:
>
> Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL encaps using auto-detect
> Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL this end is NOT behind NAT
> Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL that end is behind NAT 178.197.x.x
> Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL nat_keepalive enabled 178.197.x.x
> Mar  9 23:14:44 core pluto[26250]: |  NAT-Traversal support  [enabled] add v2N payloads.
> Mar  9 23:14:45 core pluto[26250]: "ikev2-cp"[4] 178.197.x.x #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x5d613f24 <0xdff1b417 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.x.x:8331 DPD=active}
>
> But there are no keepalives from the server.

That is odd, because we even fixed a bug in 3.28 that sent out TOO MANY
keepalives.

Can you also tcpdump for 30 seconds with "port 4500" and see if any
probes show up there, once a client is connected from behind NAT? It
should look like this:

20:09:20.417203 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
20:09:40.399935 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive

Nothing is logged for these events with pluto though.


Paul
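To run the capture check suggested above against saved output, here is an added example script (not from this thread or from libreswan) that parses `tcpdump -n port 4500` lines, keeps only the isakmp-nat-keep-alive packets per source, and flags any gap longer than the expected 20 s cadence; the capture lines below are constructed, with the third keepalive deliberately late.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `tcpdump -n port 4500`
# (not a real capture). The ESP-in-UDP line must be ignored by the check.
SAMPLE_CAPTURE = """\
20:09:20.417203 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
20:09:40.399935 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
20:09:52.101000 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: UDP-encap: ESP(spi=0x5d613f24,seq=0x2a), length 100
20:10:25.120000 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
"""

# tcpdump default timestamp: HH:MM:SS.microseconds, then "IP src > dst: description"
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<desc>.*)$"
)


def parse_keepalives(capture):
    """Return {source: [seconds since midnight, ...]} for NAT-T keepalive packets only."""
    seen = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or "isakmp-nat-keep-alive" not in m["desc"]:
            continue  # ESP-in-UDP and anything else on 4500 is not a keepalive
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
        seen[m["src"]].append(t)
    return dict(seen)


def check_cadence(times, expected=20.0, slack=2.0):
    """Return (ok, max_gap): ok when every gap between keepalives is <= expected + slack.

    A gap beyond that means the NAT mapping is at risk of timing out, which is
    exactly the symptom a missing or stalled keepalive would produce.
    """
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if not gaps:
        return (False, None)  # fewer than two keepalives: nothing to measure
    max_gap = max(gaps)
    return (max_gap <= expected + slack, round(max_gap, 3))


if __name__ == "__main__":
    for src, times in parse_keepalives(SAMPLE_CAPTURE).items():
        ok, gap = check_cadence(times)
        print(f"{src}: {len(times)} keepalives, max gap {gap}s, {'OK' if ok else 'LATE'}")
```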
