Hi everyone,
        Do you know if I need to do anything more than setting mobike=no to
prevent port floating to 4500 in case of an intermediate NAT device? I have tried
with mobike=no but I still see the client attempting a connection over port 4500
starting from the IKE_AUTH stage. Below are the config and output logs:

>> Client config
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1


conn ikev2
        type=tunnel
        left=10.20.0.2
        leftcert=sunkariServerCert.pem
        leftid="C=CA, CN=sunkariServer"
        leftfirewall=yes
        leftsendcert=no
        rightid="C=CA, CN=sunkariClient"
        rightcert=sunkariClientCert.pem
        right=%any
        mobike=no
        auto=add


>> Server config:
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn ikev2
        leftcert=sunkariClientCert.pem
        leftid="C=CA, CN=sunkariClient"
        leftfirewall=yes
        leftsendcert=no
        right=10.20.0.2
        rightid="C=CA, CN=sunkariServer"
        rightcert=sunkariServerCert.pem
        #type=transport
        type=tunnel
        mobike=no
        auto=add



>> ipsec up ikev2
initiating IKE_SA ikev2[1] to 10.20.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.0.2[500] to 10.20.0.2[500] (708 bytes)
received packet: from 10.20.0.2[500] to 10.10.0.2[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=CA, O=strongswan, CN=sunkariClient"
sending cert request for "C=CA, O=strongswan, CN=sunkariClient"
sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
authentication of 'C=CA, CN=sunkariClient' (myself) with RSA signature successful
establishing CHILD_SA ikev2
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 3 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
sending keep alive to 10.20.0.2[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)


Regards,
Prashant

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
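The log above can be read mechanically. The following is an added example, not code from the post or from the strongSwan project: it walks the charon output line by line, records the NAT-detection result, and reports for each IKEv2 exchange which UDP port the requests went to, whether a response was parsed, and how many retransmits were logged. The background fact it encodes is that in IKEv2 the move from UDP/500 to UDP/4500 is NAT traversal (RFC 7296, section 2.23), triggered by the NAT_DETECTION_*_IP payloads, and is independent of MOBIKE (RFC 4555), which is what the mobike= option controls. The sample log is copied from the post; the regular expressions, the Exchange and Report classes, and the finding texts are this example's own assumptions about the log format, not a strongSwan API.

```python
"""
Summarise an 'ipsec up' (charon) log: NAT detection, port used per IKEv2
exchange, whether the exchange was answered, and retransmit count.
"""
import re
from dataclasses import dataclass, field

# Sample input: the log lines from the post above.
SAMPLE_LOG = """\
initiating IKE_SA ikev2[1] to 10.20.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.0.2[500] to 10.20.0.2[500] (708 bytes)
received packet: from 10.20.0.2[500] to 10.10.0.2[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=CA, O=strongswan, CN=sunkariClient"
sending cert request for "C=CA, O=strongswan, CN=sunkariClient"
sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
authentication of 'C=CA, CN=sunkariClient' (myself) with RSA signature successful
establishing CHILD_SA ikev2
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
retransmit 3 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
sending keep alive to 10.20.0.2[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (716 bytes)
"""

# Assumed line shapes (taken from the charon output above, not a formal grammar).
GEN_RE = re.compile(r"^generating (\w+) request (\d+)")
PARSED_RE = re.compile(r"^parsed (\w+) response (\d+)")
SEND_RE = re.compile(r"^sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
RETRANS_RE = re.compile(r"^retransmit (\d+) of request with message ID (\d+)")


@dataclass
class Exchange:
    name: str                                   # e.g. IKE_SA_INIT, IKE_AUTH
    msg_id: int
    dst_ports: list = field(default_factory=list)  # destination port of every send
    answered: bool = False                      # a matching 'parsed ... response' seen
    retransmits: int = 0                        # highest retransmit counter seen


@dataclass
class Report:
    local_nat: bool = False
    remote_nat: bool = False
    exchanges: list = field(default_factory=list)


def analyze(log: str) -> Report:
    """Build a Report from raw charon log text."""
    report = Report()
    current = None  # the exchange whose request is currently being sent
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("local host is behind NAT"):
            report.local_nat = True
        elif line.startswith("remote host is behind NAT"):
            report.remote_nat = True
        elif m := GEN_RE.match(line):
            current = Exchange(m.group(1), int(m.group(2)))
            report.exchanges.append(current)
        elif (m := SEND_RE.match(line)) and current is not None:
            current.dst_ports.append(int(m.group(2)))
        elif m := PARSED_RE.match(line):
            for ex in report.exchanges:
                if ex.name == m.group(1) and ex.msg_id == int(m.group(2)):
                    ex.answered = True
        elif m := RETRANS_RE.match(line):
            for ex in report.exchanges:
                if ex.msg_id == int(m.group(2)):
                    ex.retransmits = max(ex.retransmits, int(m.group(1)))
    return report


def findings(report: Report) -> list:
    """Turn the report into human-readable findings (one string each)."""
    out = []
    if report.local_nat or report.remote_nat:
        out.append("NAT detected via NAT_DETECTION_*_IP: IKEv2 NAT traversal "
                   "(RFC 7296 s.2.23) floats to UDP/4500 from IKE_AUTH on; "
                   "mobike= (RFC 4555) does not control this.")
    for ex in report.exchanges:
        ports = ",".join(str(p) for p in sorted(set(ex.dst_ports)))
        if ex.answered:
            out.append(f"{ex.name} (msg {ex.msg_id}) to UDP/{ports}: answered "
                       f"after {ex.retransmits} retransmits")
        else:
            out.append(f"{ex.name} (msg {ex.msg_id}) to UDP/{ports}: no response "
                       f"after {ex.retransmits} retransmits; verify that UDP/{ports} "
                       f"is allowed and forwarded by the NAT/firewall on the path")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Run on the sample, the script shows IKE_SA_INIT answered on UDP/500 and IKE_AUTH sent five times to UDP/4500 with four retransmits and no parsed response, which is the signature of UDP/4500 not being passed end to end rather than of a MOBIKE setting; the same analyzer can be pointed at any charon log captured with the same log level.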
