I run 3.27 which is last version on stable Debian. I have none of the
isakmp-nat-keep-alive packets sent by the server. I see the ones sent by
the strongswan Android app. I checked if netfilter is dropping something
but this is not happening.

Are the NAT-T keepalives fully independent from the DPD keepalives?
dpddelay is 12h...

Cheers, Beat

On Wed, Mar 11, 2020 at 1:13 AM Paul Wouters <[email protected]> wrote:
>
> On Mon, 9 Mar 2020, Beat Zahnd wrote:
>
> > OK. Seems the android client has some unfortunate limitations...
> >
> >>> Is there a way to force the server to send NAT-T keep-alives to a server,
> >>> just to keep the carrier NAT from timing out?
> >>
> >> libreswan automatically sends NAT-T keepalives every 20s if the client
> >> is behind NAT (and the server is not behind NAT). But I think in your
> >> case there might be double NAT happening, and your timeout happens on
> >> the NAT near the client, not near the server.
> >
> > NAT is only on the client on the mobile carrier gateway. The server detects
> > this properly:
> >
> > Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL encaps using auto-detect
> > Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL this end is NOT behind NAT
> > Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL that end is behind NAT 178.197.x.x
> > Mar 9 23:14:44 core pluto[26250]: | NAT_TRAVERSAL nat_keepalive enabled 178.197.x.x
> > Mar 9 23:14:44 core pluto[26250]: | NAT-Traversal support [enabled] add v2N payloads.
> > Mar 9 23:14:45 core pluto[26250]: "ikev2-cp"[4] 178.197.x.x #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x5d613f24 <0xdff1b417 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.x.x:8331 DPD=active}
> >
> > But there are no keepalives from the server.
>
> That is odd, because we even fixed a bug in 3.28 that sent out TOO MANY
> keepalives.
>
> Can you also tcpdump for 30 seconds with "port 4500" and see if any
> probes show up there? Once a client is connected from behind NAT. It
> should look like this:
>
> 20:09:20.417203 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
> 20:09:40.399935 IP 208.98.222.113.54555 > 193.110.157.148.ipsec-nat-t: isakmp-nat-keep-alive
>
> Nothing is logged for these events with pluto though.
>
>
> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
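Added example, not from the thread and not libreswan code: a small Python checker that classifies UDP/4500 payloads the way tcpdump labels them (one 0xFF byte is the NAT-T keepalive, a four-zero-byte non-ESP marker is IKE, anything else is UDP-encapsulated ESP) and reports, per direction, whether keepalives arrive at the 20 s interval Paul describes. The capture is constructed inline with RFC 5737 addresses; the client port 8331 and the ESP SPI 0x5d613f24 are the values from the pluto log above, and the sample reproduces the reported symptom (client keepalives present, server keepalives absent).

```python
import struct
import ipaddress
from collections import defaultdict

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct a raw IPv4+UDP frame (checksums left zero; enough for offline analysis)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp

def parse_ipv4_udp(frame):
    """Return (src, dst, sport, dport, payload) for a UDP frame, else None."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:                       # not UDP
        return None
    src, dst = (str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (12, 16))
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    return src, dst, sport, dport, frame[ihl + 8:ihl + ulen]

def classify_nat_t(payload):
    """Classify a UDP/4500 payload as tcpdump does (RFC 3948 section 2)."""
    if payload == b"\xff":
        return "isakmp-nat-keep-alive"       # single 0xFF byte
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                          # non-ESP marker, then the IKE header
    if len(payload) >= 8:
        return "esp-in-udp"                   # non-zero SPI + sequence number
    return "unknown"

def keepalive_report(packets, server_ip, interval=20.0):
    """packets: [(timestamp, frame)]. Per direction: keepalive count, largest gap, and whether
    keepalives are present and never more than 1.5x the expected interval apart."""
    seen = defaultdict(list)
    for ts, frame in packets:
        p = parse_ipv4_udp(frame)
        if p is None or 4500 not in (p[2], p[3]) or classify_nat_t(p[4]) != "isakmp-nat-keep-alive":
            continue
        seen["server->client" if p[0] == server_ip else "client->server"].append(ts)
    report = {}
    for d in ("server->client", "client->server"):
        t = seen[d]
        gaps = [b - a for a, b in zip(t, t[1:])]
        report[d] = {"count": len(t), "max_gap": max(gaps, default=None),
                     "ok": bool(t) and all(g <= 1.5 * interval for g in gaps)}
    return report

# Constructed capture (RFC 5737 addresses): the client sends a keepalive every 20 s, the server never does.
CLIENT, SERVER = "192.0.2.10", "198.51.100.1"
SAMPLE = [(0.0, build_ipv4_udp(CLIENT, SERVER, 8331, 4500, b"\x00" * 4 + b"\x11" * 28)),            # IKE
          (0.5, build_ipv4_udp(SERVER, CLIENT, 4500, 8331, b"\x5d\x61\x3f\x24\x00\x00\x00\x01" + b"\x22" * 24)),  # ESP
          (1.0, build_ipv4_udp(CLIENT, SERVER, 8331, 4500, b"\xff")),
          (21.0, build_ipv4_udp(CLIENT, SERVER, 8331, 4500, b"\xff")),
          (41.0, build_ipv4_udp(CLIENT, SERVER, 8331, 4500, b"\xff"))]

if __name__ == "__main__":
    print(keepalive_report(SAMPLE, SERVER))
```

On a real capture, feed it the (timestamp, raw IP frame) pairs from a "port 4500" tcpdump read with any pcap reader; a server->client count of 0 is the condition the thread is chasing.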
