[strongSwan-dev] Fwd: MOBIKE support

Tobias Brunner tobias at strongswan.org
Tue Mar 29 18:24:41 CEST 2011 

Hi Patricia,

>     00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.1)

Can you try your scenario with a newer version?  We actually changed 
several aspects of the MOBIKE implementation with 4.5.0 (some details 
below).

> If I disable the eth0 interface, strongswan updates at first the IP
> available pool sending an INFORMATIONAL[ N(ADD_4_ADDR) ] from the eth1
> interface (the unique interface available) and then sends the update
> address (INFORMATIONAL [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP)
> N(COOKIE2) ].

The first INFORMATIONAL exchange you are seeing is a path probe message 
to check if a specific combination of local and remote addresses is 
valid.  Before 4.5.0 ADDITIONAL_IP*_ADDRESS payloads were added to these 
exchanges.  In newer releases you would only see empty INFORMATIONAL 
exchanges and then the exchange containing the UPDATE_SA_ADDRESSES etc.

> Why it doesn't send the N(UPD_SA_ADDR) first of all?

Charon first checks for a valid path between the two peers.  Only if it 
finds one it sends an UPDATE_SA_ADDRESSES payload to update the 
endpoints of the IPsec SA.

 > The responder peer can accept packets from other IPs without receive
 > the N(UPD_SA_ADDR)?

I'm not sure what you are referring to here.  If you refer to the 
dynamic updates as described in RFC 5996, Section 2.23, then the answer 
is no since MOBIKE explicitly disallows updates for messages that do not 
contain an UPDATE_SA_ADDRESSES payload.  For ESP packets the answer 
might be yes, that is, responders may accept authenticated packets from 
a different IP address than originally configured.  But charon actually 
does not update the locally installed IPsec policies until it sends the 
UPD_SA_ADDR.

> Finally, when the initiator peer has only one interface available and it
> sends the INFORMATIONAL[ N(ADD_4_ADDR) ] to update the list, why doesn't
> send a  INFORMATIONAL[ N(NO_ADD_ADDR) ]?

As I wrote above these path probe exchanges do not contain any 
ADD_*_ADDR or NO_ADD_ADDR payloads in newer releases.  That an 
ADD_*_ADDR payload was added instead of a NO_ADD_ADDR payload was simply 
a bug.

Regards,
Tobias

More information about the Dev mailing list