[strongSwan] Query for Mobike responder behavior
Tobias Brunner
tobias at strongswan.org
Tue Apr 5 10:27:52 CEST 2016
Hi Mukesh,
> The crux of this paragraph is that if NAT traversal and MOBIKE are both
> supported at both IPsec endpoints, then the implementation shall change to port 4500.
>
> Whether both peers support NAT traversal will be found at the IKE_SA_INIT
> exchange, and MOBIKE support will be found after the IKE_AUTH exchange is done.
>
> In the case of a multi-round AUTH like EAP-AKA, the initiator will get to know the
> responder's MOBIKE capability in the last round of the IKE_AUTH response, when it
> sends MOBIKE_SUPPORTED as per RFC 4555 Section 3.3.
Correct. As you point out what RFC 4555 mandates does not really work.
> Hence the initiator will use port 4500 only for IKEv2 messages after IKE_AUTH
> completion.
Or an initiator that supports MOBIKE will just always switch to port
4500 when sending the first IKE_AUTH request. That's what strongSwan
does if MOBIKE is enabled and NAT-T is supported by the peer. This is
no problem and not directly related to UDP encapsulation of ESP, which
strongSwan only uses if a NAT is actually detected. As RFC 7296 puts it:
"An initiator can use port 4500 for both IKE and ESP, regardless of
whether or not there is a NAT, even at the beginning of IKE. When
either side is using port 4500, sending ESP with UDP encapsulation is
not required, but understanding received UDP-encapsulated ESP packets
is required."
> I am doubtful regarding the responder's behavior after IKE_AUTH completion.
> Shall the responder use port 4500 for any IKEv2 request/UDP-encapsulated ESP
> packet towards the initiator right after IKE_AUTH completion, or wait till the
> initiator sends some IKEv2 packet with port 4500?
The responder has no way of changing the ports, in particular, if the
client is behind a NAT it can't know the port to which the client's port
4500 will be mapped. It just responds and initiates exchanges to the
same endpoint from which it received the requests. Or as RFC 7296 puts it:
"An implementation MUST
accept incoming requests even if the source port is not 500 or 4500,
and MUST respond to the address and port from which the request was
received. It MUST specify the address and port at which the request
was received as the source address and port in the response."
Regards,
Tobias
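The two rules quoted in the reply above (IKE on port 4500 is prefixed with a non-ESP marker so it can be told apart from UDP-encapsulated ESP, and a responder answers to whatever address and port a request came from rather than choosing ports itself) can be shown end to end with a small simulation. This is an added example written for this page, not strongSwan code and not part of the original message. Only the wire formats are taken from the RFCs (the IKE header from RFC 7296 section 3.1, the four-zero-byte non-ESP marker and the 0xFF NAT-keepalive byte from RFC 3948 sections 2.2 and 2.3); the `Responder` class, its method names, the peer address 203.0.113.5 and the NAT-mapped port 61234 are assumptions constructed for the illustration.

```python
"""UDP/4500 demux and peer-endpoint tracking for an IKEv2 responder.

Constructed illustration, not strongSwan code.  Wire formats follow
RFC 7296 section 3.1 (IKE header) and RFC 3948 sections 2.2/2.3 (non-ESP
marker and NAT-keepalive on port 4500).  The Responder class, its method
names and the sample exchange below are assumptions made for this example.
"""
import os
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
# SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1) MsgID(4) Length(4)
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
IKEV2_VERSION = 0x20                      # major 2, minor 0


def build_ike(spi_i, spi_r, exchange, flags, msg_id, body=b""):
    """Assemble an IKEv2 message; Length counts the header plus payloads."""
    hdr = IKE_HEADER.pack(spi_i, spi_r, 0, IKEV2_VERSION, exchange, flags,
                          msg_id, IKE_HEADER.size + len(body))
    return hdr + body


def parse_ike_header(data):
    """Parse the fixed 28-byte IKE header and sanity-check it."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, version, exchange, flags, msg_id, length = \
        IKE_HEADER.unpack_from(data)
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 header")
    if length != len(data):
        raise ValueError("Length field does not match datagram size")
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exchange,
            "msg_id": msg_id, "is_response": bool(flags & FLAG_RESPONSE)}


def demux_4500(datagram):
    """Classify a datagram received on UDP port 4500.

    Returns ("keepalive", None), ("ike", header_dict) or ("esp", spi).
    ESP never carries SPI 0, so four leading zero bytes unambiguously
    mark an IKE message (RFC 3948 section 2.2, RFC 7296 section 2.23).
    """
    if datagram == b"\xff":
        return "keepalive", None
    if datagram.startswith(NON_ESP_MARKER):
        return "ike", parse_ike_header(datagram[len(NON_ESP_MARKER):])
    if len(datagram) < 8:
        raise ValueError("truncated ESP packet")
    return "esp", struct.unpack("!I", datagram[:4])[0]


class Responder:
    """Per-IKE-SA bookkeeping of where the peer's last request came from.

    A responder never picks ports itself: it answers to the address and
    port a request arrived from, on the local port it arrived on, and any
    request it later initiates goes to that same remembered endpoint.
    """

    def __init__(self, spi_source=os.urandom):
        self.spi_source = spi_source      # injectable so tests are deterministic
        self.sas = {}                     # spi_i -> per-SA state

    def _wrap(self, local_port, message):
        # On port 4500 every IKE message is prefixed with the non-ESP marker.
        return NON_ESP_MARKER + message if local_port == 4500 else message

    def receive(self, local_port, remote, datagram):
        """Handle one request.  Returns (reply_bytes, destination, source_port),
        or None when nothing is sent (ESP, keepalive, stray response)."""
        if local_port == 4500:
            kind, hdr = demux_4500(datagram)
            if kind != "ike":
                return None               # ESP/keepalive are handled elsewhere
        else:
            hdr = parse_ike_header(datagram)
        if hdr["is_response"]:
            return None
        sa = self.sas.get(hdr["spi_i"])
        if sa is None:
            if hdr["exchange"] != IKE_SA_INIT:
                raise ValueError("request for unknown IKE SA")
            sa = {"spi_r": self.spi_source(8), "next_msg_id": 0}
            self.sas[hdr["spi_i"]] = sa
        # RFC 7296 rule: remember exactly where this request came from,
        # whatever the source port (500, 4500 or a NAT-mapped one).
        sa["remote"], sa["local_port"] = remote, local_port
        reply = build_ike(hdr["spi_i"], sa["spi_r"], hdr["exchange"],
                          FLAG_RESPONSE, hdr["msg_id"])
        return self._wrap(local_port, reply), remote, local_port

    def initiate(self, spi_i, exchange):
        """Build a responder-initiated request to the remembered endpoint."""
        sa = self.sas[spi_i]
        msg = build_ike(spi_i, sa["spi_r"], exchange, 0, sa["next_msg_id"])
        sa["next_msg_id"] += 1
        return self._wrap(sa["local_port"], msg), sa["remote"], sa["local_port"]


def nat_scenario(responder=None):
    """Constructed exchange: IKE_SA_INIT on 500, then the initiator switches to
    4500 for IKE_AUTH and a NAT rewrites its source port.  Returns the
    (destination, source_port) of each datagram the responder sends."""
    r = responder or Responder()
    spi_i = b"\x11" * 8
    sent = []
    init = build_ike(spi_i, bytes(8), IKE_SA_INIT, FLAG_INITIATOR, 0)
    sent.append(r.receive(500, ("203.0.113.5", 500), init)[1:])
    auth = NON_ESP_MARKER + build_ike(spi_i, r.sas[spi_i]["spi_r"], IKE_AUTH,
                                      FLAG_INITIATOR, 1)
    sent.append(r.receive(4500, ("203.0.113.5", 61234), auth)[1:])
    # A responder-initiated exchange goes to the NAT-mapped endpoint it recorded.
    sent.append(r.initiate(spi_i, INFORMATIONAL)[1:])
    return sent
```

`nat_scenario()` plays the exchange from the question: the IKE_SA_INIT response goes back to port 500, the IKE_AUTH response and the later responder-initiated INFORMATIONAL both go to the NAT-mapped port 61234 from local port 4500, carrying the non-ESP marker. The responder never had to guess the mapped port; it only ever echoed the endpoint the last request came from.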