On Mon, 9 Mar 2020, Beat Zahnd wrote:

OK. Seems the android client has some unfortunate limitations...

Is there a way to force the server to send NAT-T keep-alives to a server, just 
to keep the carrier NAT from timing out?

libreswan automatically sends NAT-T keepalives every 20s if the client
is behind NAT (and the server is not behind NAT). But I think in your
case there might be double NAT happening, and your timeout happens on
the NAT near the client, not near the server.

NAT is only on the client on the mobile carrier gateway. The server detects 
this properly:

Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL encaps using auto-detect
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL this end is NOT behind NAT
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL that end is behind NAT 178.197.x.x
Mar  9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL nat_keepalive enabled 178.197.x.x
Mar  9 23:14:44 core pluto[26250]: |  NAT-Traversal support  [enabled] add v2N payloads.
Mar  9 23:14:45 core pluto[26250]: "ikev2-cp"[4] 178.197.x.x #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x5d613f24 <0xdff1b417 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.x.x:8331 DPD=active}

But there are no keepalives from the server.

That is odd, because we even fixed a bug in 3.28 that sent out TOO MANY
keepalives.

Can you also tcpdump for 30 seconds with "port 4500", once a client is
connected from behind NAT, and see if any probes show up there? It
should look like this:

20:09:20.417203 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
20:09:40.399935 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive

Nothing is logged for these events with pluto though.


Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
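The check Paul asks for above (capture UDP/4500 for 30 seconds and see whether keepalives arrive at libreswan's 20 s cadence) can be scripted against tcpdump's text output. The following is an added example written for this page, not code from the thread or from libreswan: it parses lines in the format shown above, groups "isakmp-nat-keep-alive" packets by client endpoint, measures the gaps between them and classifies each client. The capture text, the client and server addresses, the 5 s slack and the function names are all constructed assumptions.

```python
"""Audit NAT-T keepalive cadence in tcpdump text output (UDP port 4500).

Added example, not from the mailing-list thread or from libreswan.
Assumes tcpdump's default one-line text format with "isakmp-nat-keep-alive"
lines such as the sample posted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample capture (addresses are documentation ranges):
#   client A keeps the 20 s cadence libreswan uses,
#   client B sends one keepalive and then only ESP traffic,
#   client C keeps sending but with a 60 s gap (would outlive many carrier NATs).
SAMPLE_CAPTURE = """\
20:09:20.417203 IP 192.0.2.10.54555 > 198.51.100.1.ipsec-nat-t: isakmp-nat-keep-alive
20:09:21.000000 IP 192.0.2.20.8331 > 198.51.100.1.ipsec-nat-t: isakmp-nat-keep-alive
20:09:22.000000 IP 192.0.2.30.4500 > 198.51.100.1.ipsec-nat-t: isakmp-nat-keep-alive
20:09:40.399935 IP 192.0.2.10.54555 > 198.51.100.1.ipsec-nat-t: isakmp-nat-keep-alive
20:10:00.412345 IP 192.0.2.10.54555 > 198.51.100.1.ipsec-nat-t: isakmp-nat-keep-alive
20:10:05.000000 IP 192.0.2.20.8331 > 198.51.100.1.ipsec-nat-t: NONESP-encap: ESP(spi=0x5d613f24,seq=0x1), length 100
20:10:22.000000 IP 192.0.2.30.4500 > 198.51.100.1.ipsec-nat-t: isakmp-nat-keep-alive
"""

# "HH:MM:SS.usec IP src > dst: description"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$"
)


def parse_keepalives(capture):
    """Return {src_endpoint: [timestamps]} for isakmp-nat-keep-alive packets only."""
    seen = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or "isakmp-nat-keep-alive" not in m.group("info"):
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        seen[m.group("src")].append(ts)
    return dict(seen)


def keepalive_gaps(timestamps):
    """Seconds between consecutive keepalives; tolerates one midnight wrap."""
    gaps = []
    for earlier, later in zip(timestamps, timestamps[1:]):
        delta = later - earlier
        if delta < timedelta(0):  # capture crossed midnight (tcpdump prints no date)
            delta += timedelta(days=1)
        gaps.append(round(delta.total_seconds(), 3))
    return gaps


def audit_capture(capture, expected=20.0, slack=5.0):
    """Classify each client endpoint that sent at least one keepalive.

    'ok'        : two or more keepalives, every gap within expected +/- slack
    'single'    : only one keepalive seen (capture too short, or sender stopped)
    'irregular' : some gap falls outside expected +/- slack
    Endpoints that never sent a keepalive do not appear at all; in the
    thread's scenario that absence is the finding.
    """
    report = {}
    for src, stamps in parse_keepalives(capture).items():
        gaps = keepalive_gaps(stamps)
        if not gaps:
            report[src] = "single"
        elif all(abs(gap - expected) <= slack for gap in gaps):
            report[src] = "ok"
        else:
            report[src] = "irregular"
    return report


if __name__ == "__main__":
    # Real use: tcpdump -ni eth0 -l udp port 4500 > capture.txt ; python3 this.py
    for src, status in sorted(audit_capture(SAMPLE_CAPTURE).items()):
        print(f"{src}: {status}")
```

A 30 s window, as requested in the thread, must show at least two keepalives from a client sending at 20 s, so a "single" or missing client after 30 s points at the keepalive sender, not at the NAT. Note that pluto does not log these probes, so the capture is the only place to confirm them.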
