[strongSwan] Some IKEv2 questions

Fred curious_freddy at gmsl.co.uk
Mon Mar 9 11:50:26 CET 2015


On 05/03/2015 09:37, Fred wrote:
> Not sure what kind of things can interfere with the liveness checks
> whilst the tunnel itself works just fine.. <shrug>

Well, I did a bit more playing about on this at the weekend.

Windows 8.1 -> strongSwan

and

Windows Phone 8.1 -> strongSwan.

Both Windows devices are set up identically (IKEv2 with MSCHAPv2) and set to
route all traffic. Windows 8.1 stays connected and just works.
Windows Phone 8.1 isn't able to access anything over the network after 5
minutes (300s) unless I use the phone constantly. Checking the logs on
the responder end, the SA is destroyed due to inactivity. The DPD task tries
to contact my phone, it can't, and eventually after a few retries the SA
is deleted. The reason this isn't a problem for the Windows 8.1 peer is
because traffic is going across the tunnel pretty much constantly. I
guess the desktop is just more chatty, so this problem just doesn't
occur. So this just means everything is working as expected. Hmmm. So,
in a road warrior setup (such as this) it must be fairly common for the
initiator to not be reachable by the VPN responder (since it will be
commonly behind NAT). What is the 'correct' thing to do? I could set a
very high dpddelay (i.e. 3600s) but then I'm losing out when my device
really is dead. Should the liveness checking work for a device behind NAT
(I cannot see how, since it's an inbound connection to a NAT'd address)?
The problem I have with the SA being destroyed is that this wouldn't
be so bad if the mobile device just opened the tunnel again. However,
when it's destroyed by strongSwan after the dpddelay the mobile device
still thinks the connection is up. And it only works again after manually
restarting the VPN, which is not so good.

Fred
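For reference, an added example (not part of Fred's post) of how the DPD knobs discussed above are expressed on a strongSwan IKEv2 road-warrior responder; the connection name, address pool and timer values are illustrative, and the authentication matches the EAP-MSCHAPv2 setup described in the thread.

```ini
# ipsec.conf (strongSwan responder) -- example values, not from the original post
conn rw-ikev2
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0          # clients route all traffic through the tunnel
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24   # illustrative virtual IP pool
    # dpddelay: how long the peer may stay silent before the responder sends an
    # IKEv2 liveness probe (INFORMATIONAL exchange). Default is 30s.
    dpddelay=300s
    # dpdaction: what happens when the probes go unanswered. 'clear' drops the
    # SA quietly, 'hold' keeps the policy and re-negotiates on demand,
    # 'restart' re-initiates. Note that dpdtimeout is honoured for IKEv1 only;
    # for IKEv2 the retransmission settings below decide when a peer is dead.
    dpdaction=clear
    mobike=yes
    auto=add

# strongswan.conf -- retransmission governs how long IKEv2 waits for a DPD reply
charon {
    retransmit_tries = 5
    retransmit_timeout = 4.0
    retransmit_base = 1.8
    # keep_alive is the NAT-T keepalive interval and is only sent by the peer
    # that detects itself behind NAT (the initiator), so the responder cannot
    # keep the phone's NAT mapping alive from its side.
    keep_alive = 20s
}
```

If the initiator's NAT binding has already expired when the probe is sent, the probe cannot reach it regardless of dpddelay; the peer behind NAT has to keep the mapping alive, which is what the keepalive on the client side is for.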


More information about the Users mailing list