On iPhones, any wake up from sleep or network change will send a MOBIKE UPDATE message. I don't know about strongswan client behaviour.
It might be a strongswan bug.

Sent from my iPhone

> On Mar 5, 2020, at 16:21, Beat Zahnd <[email protected]> wrote:
>
> What triggers the client to send such cookies when staying on the same network? Shall they be sent periodically?
>
> Because if I'm on GSM with a stalled VPN, and then I switch on WiFi, I see the MOBIKE COOKIE on the server:
>
> Mar 5 22:12:59 core pluto[12227]: | MOBIKE COOKIE2 received:
> Mar 5 22:12:59 core pluto[12227]: | 92 5b 56 f3 22 1c 3e 2d e0 75 53 63 ca 70 a1 76
> Mar 5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: success MOBIKE update remote address 178.197.x.x:0 -> 10.76.1.183:46671
> Mar 5 22:12:59 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: MOBIKE request: updating IPsec SA by request
>
> And switching back to GSM / disabling WiFi:
>
> Mar 5 22:18:36 core pluto[12227]: | MOBIKE COOKIE2 received:
> Mar 5 22:18:36 core pluto[12227]: | b6 34 90 91 5f 0d ef 86 fa 50 bd 2a b1 29 c3 c8
> Mar 5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 10.76.1.183 #7: success MOBIKE update remote address 10.76.1.183:46671 -> 178.197.x.x:33096
> Mar 5 22:18:36 core pluto[12227]: "ikev2-cp"[8] 178.197.x.x #7: MOBIKE request: updating IPsec SA by request
>
> But I never see MOBIKE COOKIEs when the phone is waking up from sleep...
>
> Is this a strongswan app issue?
>
>> On 5 Mar 2020, at 21:40, Paul Wouters <[email protected]> wrote:
>>
>> On Thu, 5 Mar 2020, Beat Zahnd wrote:
>>
>>> Do not yet really understand how the client (mobile phone) shall detect that the cellular provider NAT changes the port number.
>>
>> It tells the server in a newly encrypted packet that "My IP/port might have changed, use whatever this packet arrived in as the new IP/port".
>>
>> So without the client knowing it, the server knows it and can just respond. The "newly encrypted" packet has a sequence number so an attacker cannot replay an old packet with a bogus IP/port as a denial of service attack.
>>
>>> I recently switched from racoon/xl2tpd to libreswan IKEv2. Using the Android standard VPN client this was never a problem.
>>
>> maybe racoon prevented your phone from going into sleep mode completely?
>>
>> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
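The server-side behaviour Paul describes (take the new endpoint from the outer address the UPDATE_SA_ADDRESSES packet arrived in, and let the IKEv2 message ID reject replays from a bogus address), as an added Python model; this is not libreswan's code, and the `IkeSa` class, its method names and the addresses in `demo()` are assumptions for illustration. The COOKIE2 echo follows RFC 4555 section 3.7.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class IkeSa:
    """One IKEv2 SA as seen by the VPN server (responder side). Hypothetical model."""
    remote: Endpoint                  # peer IP/port currently used for IKE and ESP
    next_msgid: int = 0               # next request message ID accepted from the peer
    log: List[str] = field(default_factory=list)

    def on_informational(self, src: Endpoint, msgid: int,
                         notifies: Dict[str, Optional[bytes]]) -> Optional[Dict[str, bytes]]:
        """Process a decrypted INFORMATIONAL request that arrived from `src`.

        `notifies` maps notify names to their data (None for empty payloads).
        Returns the notify payloads for the response, or None if dropped.
        """
        # Replay protection: IKEv2 message IDs increase strictly per direction and
        # are integrity-protected, so a captured UPDATE_SA_ADDRESSES packet resent
        # later from another address carries a stale ID and is ignored.
        if msgid != self.next_msgid:
            self.log.append(f"drop: msgid {msgid}, expected {self.next_msgid}")
            return None
        self.next_msgid += 1
        response: Dict[str, bytes] = {}
        if "UPDATE_SA_ADDRESSES" in notifies:
            # The new endpoint is simply the outer source of this packet; the peer
            # does not need to know which NAT mapping it is currently behind.
            old, self.remote = self.remote, src
            self.log.append("MOBIKE update remote address "
                            f"{old[0]}:{old[1]} -> {src[0]}:{src[1]}")
        if notifies.get("COOKIE2") is not None:
            # Return routability check (RFC 4555 3.7): echo COOKIE2 unchanged.
            self.log.append(f"MOBIKE COOKIE2 received: {notifies['COOKIE2'].hex()}")
            response["COOKIE2"] = notifies["COOKIE2"]
        return response


def demo() -> IkeSa:
    """Replay the thread's GSM -> WiFi switch, then a replayed copy of the packet."""
    sa = IkeSa(remote=("178.197.x.x", 0))      # masked address as printed in the log
    cookie = bytes.fromhex("925b56f3221c3e2de0755363ca70a176")  # COOKIE2 from the log
    wifi = ("10.76.1.183", 46671)
    sa.on_informational(wifi, 0, {"UPDATE_SA_ADDRESSES": None, "COOKIE2": cookie})
    # Same encrypted packet resent from a constructed third address: stale msgid, dropped.
    sa.on_informational(("203.0.113.9", 500), 0, {"UPDATE_SA_ADDRESSES": None, "COOKIE2": cookie})
    return sa
```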
