[Swan] IKEv2 connection from Android drops after a few minutes

Beat Zahnd beat.zahnd at gmail.com
Wed Mar 11 12:01:57 UTC 2020


I run 3.27, which is the last version on stable Debian.

I see none of the isakmp-nat-keep-alive packets sent by the server, only
the ones sent by the strongSwan Android app. I checked whether netfilter
is dropping something, but this is not happening.

Are the NAT-T keepalives fully independent from the DPD keepalives?
dpddelay is 12h...

Cheers, Beat

On Wed, Mar 11, 2020 at 1:13 AM Paul Wouters <paul at nohats.ca> wrote:
>
> On Mon, 9 Mar 2020, Beat Zahnd wrote:
>
> > OK. Seems the android client has some unfortunate limitations...
> >
> >>> Is there a way to force the server to send NAT-T keep-alives to a server, just to keep the carrier NAT from timing out?
> >>
> >> libreswan automatically sends NAT-T keepalives every 20s if the client
> >> is behind NAT (and the server is not behind NAT). But I think in your
> >> case there might be double NAT happening, and your timeout happens on
> >> the NAT near the client, not near the server.
> >
> > NAT is only on the client on the mobile carrier gateway. The server detects this properly:
> >
> > Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL encaps using auto-detect
> > Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL this end is NOT behind NAT
> > Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL that end is behind NAT 178.197.x.x
> > Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL nat_keepalive enabled 178.197.x.x
> > Mar  9 23:14:44 core pluto[26250]: |  NAT-Traversal support  [enabled] add v2N payloads.
> > Mar  9 23:14:45 core pluto[26250]: "ikev2-cp"[4] 178.197.x.x #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x5d613f24 <0xdff1b417 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.x.x:8331 DPD=active}
> >
> > But there are no keepalives from the server.
>
> That is odd, because we even fixed a bug in 3.28 that sent out TOO MANY
> keepalives.
>
> Can you also tcpdump for 30 seconds with "port 4500", once a client is
> connected from behind NAT, and see if any probes show up there? It
> should look like this:
>
> 20:09:20.417203 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
> 20:09:40.399935 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
>
> Nothing is logged for these events with pluto though.
>
>
> Paul
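The thread turns on the difference between the two kinds of "keepalive" that share UDP/4500: an RFC 3948 NAT-T keepalive is a bare one-byte 0xFF datagram sent on a fixed timer (libreswan: every 20 s towards a peer it detected behind NAT), while DPD is an IKEv2 INFORMATIONAL exchange (exchange type 37) carried behind the four-byte zero non-ESP marker and governed by dpddelay; everything else on the port is ESP-in-UDP, which begins with a non-zero SPI. The following is an added example, not libreswan or strongSwan code and not part of the original thread: it classifies UDP/4500 payloads by those rules and then checks a captured session for the symptom reported above, keepalives flowing client-to-server but never server-to-client. The capture, the addresses (RFC 5737 documentation ranges), the SPIs and the `ike_informational` builder are all constructed for the example; real INFORMATIONAL messages carry an encrypted SK payload, which the classifier does not need because it only reads the IKE header.

```python
"""Classify UDP/4500 (IKE NAT-T) payloads and report per-direction NAT
keepalive activity. Added example; constructed inputs, not libreswan code."""
import struct
from collections import defaultdict

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: prefix of IKE-in-UDP/4500
IKE_HEADER_LEN = 28                    # RFC 7296 s3.1 fixed header
IKE_EXCH_INFORMATIONAL = 37            # exchange type used for DPD liveness checks
IKE_FLAG_INITIATOR = 0x08
IKE_FLAG_RESPONSE = 0x20


def classify_nat_t_payload(payload: bytes) -> str:
    """Return 'nat-keepalive', 'ike-informational-request',
    'ike-informational-response', 'ike-exchange-<n>', 'esp-in-udp' or
    'unknown' for one UDP/4500 payload."""
    if payload == b"\xff":                     # RFC 3948 s2.3 NAT keepalive
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return "unknown"
        # SPIi(8) SPIr(8) next_payload(1) version(1) exch_type(1) flags(1) msg_id(4) length(4)
        _, _, _, version, exch, flags, _, _ = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        if version >> 4 != 2:                  # only IKEv2 headers are decoded here
            return "unknown"
        if exch == IKE_EXCH_INFORMATIONAL:
            kind = "response" if flags & IKE_FLAG_RESPONSE else "request"
            return "ike-informational-" + kind
        return "ike-exchange-%d" % exch
    if len(payload) >= 8 and struct.unpack("!I", payload[:4])[0] != 0:
        return "esp-in-udp"                    # non-zero SPI: ESP-in-UDP (RFC 3948 s2.1)
    return "unknown"


def keepalive_report(packets, server_ip, interval=20.0):
    """packets: iterable of (timestamp, src_ip, dst_ip, udp_payload).
    Returns per-direction NAT keepalive count and largest gap, plus a
    'missing' list of directions that never sent one or paused for more
    than 2*interval (the situation described in the thread)."""
    times = defaultdict(list)
    for ts, src, _dst, payload in packets:
        if classify_nat_t_payload(payload) != "nat-keepalive":
            continue
        direction = "server->client" if src == server_ip else "client->server"
        times[direction].append(ts)
    directions = ("client->server", "server->client")
    report = {}
    for direction in directions:
        ts = sorted(times.get(direction, []))
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        report[direction] = {"count": len(ts), "max_gap": max(gaps) if gaps else None}
    report["missing"] = [d for d in directions
                         if report[d]["count"] == 0
                         or (report[d]["max_gap"] or 0) > 2 * interval]
    return report


def ike_informational(spi_i, spi_r, msg_id, response):
    """Constructed, header-only IKEv2 INFORMATIONAL (DPD probe) behind the
    non-ESP marker. Real messages also carry an encrypted SK payload."""
    flags = IKE_FLAG_RESPONSE if response else IKE_FLAG_INITIATOR
    hdr = struct.pack("!QQBBBBII", spi_i, spi_r, 0, 0x20,   # next=none, version 2.0
                      IKE_EXCH_INFORMATIONAL, flags, msg_id, IKE_HEADER_LEN)
    return NON_ESP_MARKER + hdr


# Constructed capture: client (behind NAT) keeps sending 0xFF every 20 s, the
# server answers DPD but never sends its own NAT keepalive. Addresses are
# RFC 5737 documentation ranges; SPIs are arbitrary.
SERVER, CLIENT = "198.51.100.10", "203.0.113.7"
ESP_SAMPLE = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 24
SAMPLE_CAPTURE = [
    (0.0, CLIENT, SERVER, b"\xff"),
    (0.3, CLIENT, SERVER, ESP_SAMPLE),
    (20.0, CLIENT, SERVER, b"\xff"),
    (20.1, SERVER, CLIENT, ike_informational(0x1111, 0x2222, 7, response=False)),
    (20.2, CLIENT, SERVER, ike_informational(0x1111, 0x2222, 7, response=True)),
    (40.0, CLIENT, SERVER, b"\xff"),
]

if __name__ == "__main__":
    for ts, src, dst, payload in SAMPLE_CAPTURE:
        print("%6.1f %s > %s %s" % (ts, src, dst, classify_nat_t_payload(payload)))
    print(keepalive_report(SAMPLE_CAPTURE, SERVER))
```

On a live server the same check is a capture filter rather than a parser: `tcpdump -ni <iface> 'udp port 4500 and udp[4:2] = 9'` matches only datagrams whose UDP length field is 9, i.e. the one-byte keepalives tcpdump prints as isakmp-nat-keep-alive, so a 30-second run should show roughly one per 20 s in each direction the daemon is expected to send them; the report function above is the same rule applied to a capture you have already parsed into tuples.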
