[strongSwan] Query for Mobike responder behavior

Mukesh Yadav write2mukesh84 at gmail.com
Mon Apr 4 17:45:10 CEST 2016

Hi all,

I have a query for the scenario mentioned in RFC 4555 Section 3.3.
Any input or reference will be appreciated.

The query is regarding the responder's behavior w.r.t. UDP encapsulation of
IKEv2/ESP when all exchanges until IKE_AUTH completion are done on port 500.

*"The addresses are taken from the IKE_AUTH request because IKEv2 requires
changing from port 500 to 4500 if a NAT is discovered. To simplify things,
implementations that support both this specification and NAT Traversal MUST
change to port 4500 if the correspondent also supports both, even if no NAT
was detected between them (this way, there is no need to change the ports
later if a NAT is detected on some other path)."*

The crux of this paragraph is that if NAT traversal and MOBIKE are both
supported at both IPsec endpoints, then the implementation shall change to
port 4500.

That both peers support NAT traversal will be found at the IKE_SA_INIT
exchange, and MOBIKE support will be found after the IKE_AUTH exchange is done.

In case of multi-round AUTH like EAP-AKA, the initiator will get to know the
responder's MOBIKE capability in the last round of the IKE_AUTH response, when
it sends MOBIKE_SUPPORTED as per RFC 4555 Section 3.3.

Hence the initiator will use port 4500 only for IKEv2 messages after IKE_AUTH,
i.e. in any IKEv2 message like CREATE_CHILDSA_* or DPD.

I am doubtful regarding the responder's behavior after IKE_AUTH completion.
Shall the responder use port 4500 for any IKEv2 request/UDP-encapsulated ESP
packet towards the initiator right after IKE_AUTH completion, or wait till
the initiator sends some IKEv2 packet with port 4500?