What triggers the client to send such cookies when staying on the same network? 
Shall they be sent periodically?

Because if I'm on GSM with a stalled VPN, and then I switch on WiFi, I see the 
MOBIKE COOKIE on the server:

Mar  5 22:12:59 core pluto[12227]: | MOBIKE COOKIE2 received:
Mar  5 22:12:59 core pluto[12227]: |   92 5b 56 f3  22 1c 3e 2d  e0 75 53 63  ca 70 a1 76
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7:  success MOBIKE update remote address 178.197.x.x:0 -> 10.76.1.183:46671
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: MOBIKE request: updating IPsec SA by request

And switching back to GSM / disabling WiFi:

Mar  5 22:18:36 core pluto[12227]: | MOBIKE COOKIE2 received:
Mar  5 22:18:36 core pluto[12227]: |   b6 34 90 91  5f 0d ef 86  fa 50 bd 2a  b1 29 c3 c8
Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7:  success MOBIKE update remote address 10.76.1.183:46671 -> 178.197.x.x:33096
Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: MOBIKE request: updating IPsec SA by request

But I never see MOBIKE COOKIEs when the phone is waking up from sleep...

Is this a strongswan app issue?



> On 5 Mar 2020, at 21:40, Paul Wouters <[email protected]> wrote:
> 
> On Thu, 5 Mar 2020, Beat Zahnd wrote:
> 
>> Do not yet really understand how the client (mobile phone) shall detect that 
>> the cellular provider NAT changes the port number.
> 
> It tells the server in a newly encrypted packet that "My IP/port might
> have changed, use whatever this packet arrived in as the new IP/port".
> 
> So without the client knowing it, the server knows it and can just
> respond. The "newly encrypted" packet has a sequence number so an
> attacker cannot replay an old packet with a bogus IP/port as denial
> of service attack.
> 
>> I recently switched from racoon/xl2tpd to libreswan IKEv2. Using the 
>> Android standard VPN client this was never a problem.
> 
> Maybe racoon prevented your phone from going into sleep mode completely?
> 
> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
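As an added example (not code from the thread, nor libreswan's own), here is a small parser for the pluto MOBIKE log lines quoted above. It pulls each "success MOBIKE update remote address" event out of the syslog text, classifies it as an IP change (roaming between networks, as in the WiFi/GSM switches shown) or a port-only change (the NAT rebinding case the reply describes), counts the COOKIE2 exchanges, and flags an SA whose remote address flaps more often than an assumed threshold inside a time window. The log format is taken from the message; the masked "x.x" octets are kept as posted; the flapping window and threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: the pluto debug lines quoted in the message above, with the
# wrapped continuation lines joined back together. The "x.x" octets are masked
# exactly as in the original post.
SAMPLE_LOG = """\
Mar  5 22:12:59 core pluto[12227]: | MOBIKE COOKIE2 received:
Mar  5 22:12:59 core pluto[12227]: |   92 5b 56 f3  22 1c 3e 2d  e0 75 53 63  ca 70 a1 76
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7:  success MOBIKE update remote address 178.197.x.x:0 -> 10.76.1.183:46671
Mar  5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: MOBIKE request: updating IPsec SA by request
Mar  5 22:18:36 core pluto[12227]: | MOBIKE COOKIE2 received:
Mar  5 22:18:36 core pluto[12227]: |   b6 34 90 91  5f 0d ef 86  fa 50 bd 2a  b1 29 c3 c8
Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7:  success MOBIKE update remote address 10.76.1.183:46671 -> 178.197.x.x:33096
Mar  5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: MOBIKE request: updating IPsec SA by request
"""

# Matches the address-update line as pluto prints it in the quoted log.
UPDATE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \S+ #(?P<sa>\d+):\s+'
    r'success MOBIKE update remote address (?P<old>\S+) -> (?P<new>\S+)$'
)
COOKIE2_RE = re.compile(r'\| MOBIKE COOKIE2 received:')


@dataclass
class MobikeUpdate:
    when: datetime
    conn: str
    sa: int
    old_ip: str
    old_port: int
    new_ip: str
    new_port: int


def split_hostport(s: str) -> Tuple[str, int]:
    """Split 'host:port' (or '[v6addr]:port') into (host, port)."""
    host, _, port = s.rpartition(':')
    return host.strip('[]'), int(port)


def parse_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; pin a leap year so every date parses."""
    return datetime.strptime('2000 ' + re.sub(r'\s+', ' ', ts), '%Y %b %d %H:%M:%S')


def parse_mobike_updates(text: str) -> List[MobikeUpdate]:
    """Extract every successful MOBIKE remote-address update from pluto log text."""
    out: List[MobikeUpdate] = []
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if not m:
            continue
        old_ip, old_port = split_hostport(m['old'])
        new_ip, new_port = split_hostport(m['new'])
        out.append(MobikeUpdate(parse_ts(m['ts']), m['conn'], int(m['sa']),
                                old_ip, old_port, new_ip, new_port))
    return out


def count_cookie2(text: str) -> int:
    """Number of COOKIE2 exchanges seen (one per address-update request)."""
    return sum(1 for line in text.splitlines() if COOKIE2_RE.search(line))


def classify(u: MobikeUpdate) -> str:
    """'ip-change' = roamed networks; 'port-only' = same IP, NAT rebound the port."""
    if u.old_ip != u.new_ip:
        return 'ip-change'
    if u.old_port != u.new_port:
        return 'port-only'
    return 'no-change'


def flapping_sas(updates: List[MobikeUpdate], window_s: int = 600, threshold: int = 3) -> List[int]:
    """Return SA numbers with >= threshold address updates inside any window_s span.
    Assumed thresholds; tune to what is normal for your roaming clients."""
    by_sa: Dict[Tuple[str, int], List[datetime]] = {}
    for u in updates:
        by_sa.setdefault((u.conn, u.sa), []).append(u.when)
    flagged: List[int] = []
    for (_conn, sa), times in by_sa.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(sa)
                break
    return flagged


if __name__ == '__main__':
    ups = parse_mobike_updates(SAMPLE_LOG)
    for u in ups:
        print(u.when.strftime('%b %d %H:%M:%S'), u.conn, f'#{u.sa}',
              f'{u.old_ip}:{u.old_port} -> {u.new_ip}:{u.new_port}', classify(u))
    print('COOKIE2 exchanges:', count_cookie2(SAMPLE_LOG))
    print('flapping SAs (2 updates in 10 min):', flapping_sas(ups, 600, 2))
```

Run it against `journalctl -u ipsec` output or a pluto log file instead of `SAMPLE_LOG` to get a per-SA history of where each roaming client has been. The two updates in the quoted log are both IP changes (GSM to WiFi and back), which is what the message describes; a run of port-only updates on an unchanged IP is the NAT rebinding the reply explains, and since the server only honours an update carried in a correctly sequenced encrypted packet, such lines reflect the client's own traffic rather than anything an outside party could inject.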
