[strongSwan] IKEv2: Mobike=no not working
Prashant Sunkari
P.Sunkari at F5.com
Tue Feb 23 20:06:55 CET 2016
Hi everyone,
Do you know if I need to do anything more than setting mobike=no to prevent port floating to 4500 in case of an intermediate NAT device? I have tried with mobike=no but I still see the client attempting the connection over port 4500 starting from the IKE_AUTH stage. Below are the config and output logs:
>> Client config
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
conn ikev2
type=tunnel
left=10.20.0.2
leftcert=sunkariServerCert.pem
leftid="C=CA, CN=sunkariServer"
leftfirewall=yes
leftsendcert=no
rightid="C=CA, CN=sunkariClient"
rightcert=sunkariClientCert.pem
right=%any
mobike=no
auto=add
>> Server config:
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
conn ikev2
leftcert=sunkariClientCert.pem
leftid="C=CA, CN=sunkariClient"
leftfirewall=yes
leftsendcert=no
right=10.20.0.2
rightid="C=CA, CN=sunkariServer"
rightcert=sunkariServerCert.pem
#type=transport
type=tunnel
mobike=no
auto=add
>> ipsec up ikev2
initiating IKE_SA ikev2[1] to 10.20.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.0.2[500] to 10.20.0.2[500] (708 bytes)
received packet: from 10.20.0.2[500] to 10.10.0.2[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=CA, O=strongswan, CN=sunkariClient"
sending cert request for "C=CA, O=strongswan, CN=sunkariClient"
sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
authentication of 'C=CA, CN=sunkariClient' (myself) with RSA signature successful
establishing CHILD_SA ikev2
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 3 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
sending keep alive to 10.20.0.2[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
Regards,
Prashant
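The IKE_SA_INIT exchange in the log above carries N(NATD_S_IP) and N(NATD_D_IP) payloads, and the switch to port 4500 from IKE_AUTH onward follows from them: in IKEv2 (RFC 7296, section 2.23) each side hashes the SPIs, address and port it believes it used, the peer recomputes the hash over what it actually saw on the wire, and any mismatch means a NAT is present and subsequent messages move to UDP 4500; this is core IKEv2 NAT traversal, separate from MOBIKE (RFC 4555). The Python below is an added illustration of that check, not code from the post or from strongSwan; the SPIs and the public address 203.0.113.5 are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the post): the 8-byte IKE SPIs of the
# IKE_SA_INIT request (responder SPI is still zero) and the addresses involved.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("0000000000000000")
CLIENT_PRIVATE = "10.10.0.2"     # address the client believes it sends from
CLIENT_AS_SEEN = "203.0.113.5"   # source the server actually observes after NAT (constructed)
SERVER = "10.20.0.2"


def natd_hash(spi_i, spi_r, addr, port):
    """NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP data per RFC 7296 2.23:
    SHA-1 over SPIi | SPIr | IP address | UDP port, all in network byte order."""
    packed = spi_i + spi_r + ipaddress.ip_address(addr).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def initiator_natd_payloads(spi_i, spi_r, src, dst, port=500):
    """What the initiator places in IKE_SA_INIT: N(NATD_S_IP) and N(NATD_D_IP),
    computed over the source and destination it thinks the packet has."""
    return natd_hash(spi_i, spi_r, src, port), natd_hash(spi_i, spi_r, dst, port)


def responder_checks(spi_i, spi_r, natd_s, natd_d, observed_src, observed_dst, port=500):
    """Responder side: recompute both hashes from the addresses seen on the wire.
    A NATD_S_IP mismatch means the remote peer is behind NAT; a NATD_D_IP mismatch
    means the local host is behind NAT. Returns (remote_behind_nat, local_behind_nat)."""
    remote_nat = natd_s != natd_hash(spi_i, spi_r, observed_src, port)
    local_nat = natd_d != natd_hash(spi_i, spi_r, observed_dst, port)
    return remote_nat, local_nat


def port_after_init(remote_nat, local_nat):
    """RFC 7296 2.23: once either side detects a NAT, IKE_AUTH and all later
    messages use UDP 4500 (UDP-encapsulated ESP); MOBIKE plays no part in this."""
    return 4500 if (remote_nat or local_nat) else 500


if __name__ == "__main__":
    natd_s, natd_d = initiator_natd_payloads(SPI_I, SPI_R, CLIENT_PRIVATE, SERVER)
    remote, local = responder_checks(SPI_I, SPI_R, natd_s, natd_d, CLIENT_AS_SEEN, SERVER)
    print("remote host is behind NAT" if remote else "no NAT on remote side")
    print("next exchange on UDP port", port_after_init(remote, local))
```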