Hi,

> I do not understand why port 4500 is used. I shouldn't have a NATed
> setup.

A MOBIKE enabled peer always switches to port 4500 for IKE_AUTH, this is the intended behavior.

> 12[ENC] parsed INFORMATIONAL request 268 [ D ]
> 12[IKE] received DELETE for IKE_SA kronecker.scientia.net[2]
> 12[IKE] restarting CHILD_SA kronecker.scientia.net
> 12[IKE] initiating IKE_SA kronecker.scientia.net[4] to 77.37.6.134
> 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 03[IKE] 77.37.6.134 is initiating an IKE_SA

Looks like a bug if reauth=yes is used in conjunction with dpdaction=restart and uniqueids=yes. If an IKE_SA is deleted for some reason, the responding peer tries to reestablish the same with the restart action. However, the peer deleting the SA actually does a reauthentication by close-and-reestablish, resulting in redundant IKE_SAs. This probably triggers the unique checking of an IKE_SA, and again, deletes one of them.

The main issue here is the problematic reauthentication procedure defined by the IKEv2 protocol. I'd highly recommend disabling it with reauth=no, as it is usually useless from a security perspective if the user does not have to reenter his credentials manually.

There is currently a discussion about a proper reauthentication extension for IKEv2 on the IPsec mailing list. We probably should drive that thing forward and fix all the problems resulting from reauthentication.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
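An added example, not from this thread or from strongSwan, that turns the collision Martin describes into a detector over charon log lines: it flags a received DELETE for an IKE_SA that is followed by a local restart re-initiation (dpdaction=restart) and, shortly after, an IKE_SA initiation from the same peer (its close-and-reestablish reauthentication), i.e. the redundant-IKE_SA pattern. The sample log is constructed after the lines quoted above; the function name and the line window are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the charon log excerpt quoted in this thread
# (responder side: we restart after a DELETE while the peer also re-initiates).
SAMPLE_LOG = """\
12[ENC] parsed INFORMATIONAL request 268 [ D ]
12[IKE] received DELETE for IKE_SA kronecker.scientia.net[2]
12[IKE] restarting CHILD_SA kronecker.scientia.net
12[IKE] initiating IKE_SA kronecker.scientia.net[4] to 77.37.6.134
12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
03[IKE] 77.37.6.134 is initiating an IKE_SA
"""

RE_DELETE = re.compile(r"received DELETE for IKE_SA (\S+)\[(\d+)\]")
RE_RESTART = re.compile(r"restarting CHILD_SA (\S+)")
RE_INITIATE = re.compile(r"initiating IKE_SA (\S+)\[(\d+)\] to (\S+)")
RE_PEER_INIT = re.compile(r"(\S+) is initiating an IKE_SA")

def find_reauth_restart_collisions(log: str, window: int = 10) -> List[Dict]:
    """Return one finding per connection where, within `window` log lines of a
    received DELETE, this host re-initiated the IKE_SA via the restart action
    *and* the same peer started its own IKE_SA (its reauthentication)."""
    lines = log.splitlines()
    pending = {}   # connection name -> state collected since its DELETE
    findings = []
    for idx, line in enumerate(lines):
        m = RE_DELETE.search(line)
        if m:  # the peer closed its side of the IKE_SA
            pending[m.group(1)] = {"conn": m.group(1), "deleted_sa": int(m.group(2)), "at": idx}
            continue
        m = RE_RESTART.search(line)
        if m and m.group(1) in pending:  # dpdaction=restart kicked in locally
            pending[m.group(1)]["restarted"] = True
            continue
        m = RE_INITIATE.search(line)
        if m and m.group(1) in pending:  # our replacement IKE_SA and its peer address
            st = pending[m.group(1)]
            st["local_sa"], st["peer"] = int(m.group(2)), m.group(3)
            continue
        m = RE_PEER_INIT.search(line)
        if m:  # the same peer is also re-establishing: two IKE_SAs in flight
            for conn, st in list(pending.items()):
                if st.get("peer") == m.group(1) and st.get("restarted") and idx - st["at"] <= window:
                    findings.append({k: v for k, v in st.items() if k not in ("at", "restarted")})
                    del pending[conn]
    return findings
```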
