[strongSwan] IKEv2 retransmission of Android app

Tobias Brunner tobias at strongswan.org
Thu Feb 16 11:18:31 CET 2017


>     > But how can I control this on Android? Is it hardcoded somewhere? If
>     > yes, can somebody help me and point me to the right direction?
> 
>     See [1] or [2].
> 
> Where is [1] or [2]? :)

Odd, I distinctly remember pasting the links into an email.  Anyway,
here they are:

[1]
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c;h=b9f6f1dda0db04c2f64ac9411b22406385b132ba;hb=HEAD#l43
[2]
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c;h=b9f6f1dda0db04c2f64ac9411b22406385b132ba;hb=HEAD#l464

>     > I'm trying to use OTP to authenticate IKEv2. So far, so good, but the
>     > main issue is to maintain the tunnel as long as possible - I don't
>     > want to put my OTP every time a loss of coverage occurs.
> 
>     Why would that cause the IKE_SA to get reestablished?  MOBIKE should
>     take care of that, that is, there shouldn't be any packets sent and,
>     therefore, no retransmits while connectivity is down.  And afterwards
>     the existing SAs should simply get updated via MOBIKE.
> 
> But if there is a loss of connection for 5 minutes, then on the server I
> see that:
> 
>  lease 10.10.10.2 by 'Foo' went offline

That has nothing to do with the retransmission settings on the client.
Rather the DPD and retransmission (and rekeying) settings on the server.
So make sure the server does not terminate the SA if the client is not
reachable for longer periods of time (to clean out old SAs a DPD
interval of several hours could still be useful).

Regards,
Tobias
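
The following is an added example, not part of the original message or of the strongSwan code base. It computes how long a charon daemon keeps retransmitting an unanswered request (for example a DPD or rekey request sent by the server to an unreachable client) before it gives up and deletes the SA, and how many retransmits are needed to ride out an outage such as the 5 minutes mentioned above. It assumes the documented retransmission formula and defaults of the `charon.retransmit_timeout`, `charon.retransmit_base` and `charon.retransmit_tries` options in strongswan.conf; the function names are hypothetical.

```python
# Added example: retransmission schedule of strongSwan's charon daemon.
# Assumption: the wait before retransmit n+1 is
#     retransmit_timeout * retransmit_base ** n
# as documented for the charon.retransmit_* options (jitter/limit ignored).

DEFAULT_TIMEOUT = 4.0   # charon.retransmit_timeout (seconds)
DEFAULT_BASE = 1.8      # charon.retransmit_base
DEFAULT_TRIES = 5       # charon.retransmit_tries


def schedule(timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE, tries=DEFAULT_TRIES):
    """Waits in seconds after the initial send and after each retransmit.

    The list has tries + 1 entries; the last one is the wait that ends
    with the daemon giving up on the peer.
    """
    return [timeout * base ** n for n in range(tries + 1)]


def give_up_after(timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE, tries=DEFAULT_TRIES):
    """Total seconds between sending a request and giving up on the peer."""
    return sum(schedule(timeout, base, tries))


def min_tries_for_outage(outage_s, timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE,
                         max_tries=50):
    """Smallest retransmit_tries whose give-up time exceeds outage_s."""
    for tries in range(max_tries + 1):
        if give_up_after(timeout, base, tries) > outage_s:
            return tries
    raise ValueError("outage too long for the given timeout/base")


if __name__ == "__main__":
    for n, wait in enumerate(schedule()):
        print(f"wait {n}: {wait:6.1f}s")
    print(f"give up after {give_up_after():.0f}s with default settings")
    # Constructed scenario: the 5 minute loss of coverage from the thread.
    print("tries needed for a 300s outage:", min_tries_for_outage(300))
```

The result only covers the time after the server has actually sent a request; how soon it sends one while the client is away depends on its DPD interval and rekeying settings.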


