What trigger the client to send such cookies when staying on the same network? Shall the be sent periodically?
Because if im on GSM with stalled VPN, and then I switch on WiFi, I see the MOBIKE COOKIE on the server: Mar 5 22:12:59 core pluto[12227]: | MOBIKE COOKIE2 received: Mar 5 22:12:59 core pluto[12227]: | 92 5b 56 f3 22 1c 3e 2d e0 75 53 63 ca 70 a1 76 Mar 5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: success MOBIKE update remote address 178.197.x.x:0 -> 10.76.1.183:46671 Mar 5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: MOBIKE request: updating IPsec SA by request And switching back to GSM / disabling WiFI: Mar 5 22:18:36 core pluto[12227]: | MOBIKE COOKIE2 received: Mar 5 22:18:36 core pluto[12227]: | b6 34 90 91 5f 0d ef 86 fa 50 bd 2a b1 29 c3 c8 Mar 5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: success MOBIKE update remote address 10.76.1.183:46671 -> 178.197.x.x:33096 Mar 5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: MOBIKE request: updating IPsec SA by request But I never see MOBIKE COOKIEs when the phone is waking up from sleep... Is this a strongswan app issue? > On 5 Mar 2020, at 21:40, Paul Wouters <[email protected]> wrote: > > On Thu, 5 Mar 2020, Beat Zahnd wrote: > >> Do not yet really understand how the client (mobile phone) shall detect that >> the cellular proider NAT changes the port number. > > It tells the server in a newly encrypted packet that "My IP/port might > have changed, use whatever this packet arrived in as the new IP/port". > > So without the client knowing it, the server knows it and can just > respond. The "newly encrypted" packet has a sequence number so an > attacker cannot replay an old packet with a bogus IP/port as denial > of service attack. > >> I recently switched from raccoon/xl2tpd to libreswan IKEv2. Using the >> Android standard VPN client this was never a problem. > > maybe racoon prevented your phone from going into sleep mode completely? > > Paul _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
