OK. Seems the Android client has some unfortunate limitations...
>> Is there a way to force the server to send NAT-T keep-alives to a server,
>> just to keep the carrier NAT from timing out?
>
> libreswan automatically sends NAT-T keepalives every 20s if the client
> is behind NAT (and the server is not behind NAT). But I think in your
> case there might be double NAT happening, and your timeout happens on
> the NAT near the client, not near the server.
NAT is only on the client on the mobile carrier gateway. The server detects
this properly:
Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL encaps using auto-detect
Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL this end is NOT behind NAT
Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL that end is behind NAT 178.197.x.x
Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL nat_keepalive enabled 178.197.x.x
Mar 9 23:14:44 core pluto[26250]: | NAT-Traversal support [enabled] add v2N payloads.
Mar 9 23:14:45 core pluto[26250]: "ikev2-cp"[4] 178.197.x.x #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x5d613f24 <0xdff1b417 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.x.x:8331 DPD=active}
But there are no keepalives from the server.
On the server NAT is only for non-ipsec traffic:
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out   source     destination
   34  2664 RETURN     all  --  *   vlan5 0.0.0.0/0  0.0.0.0/0   policy match dir out pol ipsec
4193K  487M MASQUERADE all  --  *   vlan5 0.0.0.0/0  0.0.0.0/0
as explained in https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working
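The POSTROUTING ordering shown above (a `policy match dir out pol ipsec` RETURN ahead of MASQUERADE) is exactly what the linked FAQ asks for, and it is easy to lose when a firewall script is regenerated. The following is an added example, not code from the post or from the libreswan project: it reads a dump in `iptables-save` format and reports any nat POSTROUTING MASQUERADE rule that is not preceded by an IPsec-policy RETURN covering the same outgoing interface. Both dumps embedded below are constructed to mirror the chain in the message; the function and variable names are this example's own.

```python
import shlex

# Constructed iptables-save style dump of a broken nat table:
# MASQUERADE applies to everything leaving vlan5, IPsec-policy traffic included.
BROKEN_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o vlan5 -j MASQUERADE
COMMIT
"""

# Constructed dump matching the chain in the message: packets that will be
# ESP-encapsulated leave the chain before the MASQUERADE rule is reached.
FIXED_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o vlan5 -m policy --dir out --pol ipsec -j RETURN
-A POSTROUTING -o vlan5 -j MASQUERADE
COMMIT
"""


def _option(tokens, flag):
    """Return the value that follows `flag` in a tokenized rule, or None."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _is_ipsec_bypass(tokens):
    """True for a '-m policy --dir out --pol ipsec -j RETURN' rule."""
    return (
        _option(tokens, "-j") == "RETURN"
        and "policy" in tokens
        and _option(tokens, "--pol") == "ipsec"
        and _option(tokens, "--dir") == "out"
    )


def unprotected_masquerade_rules(dump):
    """Return nat POSTROUTING MASQUERADE rules with no IPsec bypass before them.

    A bypass rule without '-o' (recorded as "*") covers every interface;
    one with '-o <iface>' covers only that interface.
    """
    offending = []
    bypassed = set()
    in_nat = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
            bypassed.clear()
            continue
        if not in_nat or not line.startswith("-A POSTROUTING"):
            continue
        tokens = shlex.split(line)
        iface = _option(tokens, "-o") or "*"
        if _is_ipsec_bypass(tokens):
            bypassed.add(iface)
        elif _option(tokens, "-j") == "MASQUERADE":
            if "*" not in bypassed and iface not in bypassed:
                offending.append(line)
    return offending


if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT)):
        bad = unprotected_masquerade_rules(dump)
        print(f"{name}: {len(bad)} MASQUERADE rule(s) without IPsec bypass")
        for rule in bad:
            print("   ", rule)
```

In practice the dump would come from `iptables-save -t nat`; a non-empty result means road-warrior traffic is being source-NATed before ESP encapsulation, which is the failure the FAQ entry describes.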