Issue #3223
Why can't I set MOBIKE to disable?
Affected version:
5.5.2
Resolution:
No change required
Description
hi,
In my environment,NAT traversal enabled which happens even if no NAT situation exists.So I disable MOBIKE by adding mobike=no to ipsec.conf,But the udp port always automatic floating to 4500.I need your help!
My configuration and run logs are shown below:
root@ubuntu:/home/fastgate/misc/strongswan/etc/ipsec.conf.d# cat conn.tunnel.1
conn %default
# -- Negotiate --
keyexchange = ikev2
keyingtries = 1
mobike = no
closeaction = clear
# -- IKE SA Lifetime --
reauth = no
# -- IPSEC SA Lifetime --
rekey = no
# -- DPD --
dpdaction = clear
dpddelay = 10s
# -- Other --
right = %any
auto = add
conn tunnel-1
left = 192.168.13.100
leftsubnet = 0.0.0.0/0
leftauth = psk
leftid = "*dengjie@psk"
rightsourceip = 21.21.21.10-21.21.21.19
rightauth = psk
run logs:
15[CFG] received stroke: add connection 'tunnel-1' 15[CFG] conn tunnel-1 15[CFG] left=192.168.13.100 15[CFG] leftsubnet=0.0.0.0/0 15[CFG] leftauth=psk 15[CFG] leftid=*dengjie@psk 15[CFG] right=%any 15[CFG] rightsourceip=21.21.21.10-21.21.21.19 15[CFG] rightauth=psk 15[CFG] ike=aes128-sha256-curve25519 15[CFG] esp=aes128-sha256 15[CFG] dpddelay=10 15[CFG] dpdtimeout=150 15[CFG] dpdaction=1 15[CFG] closeaction=1 15[CFG] mediation=no 15[CFG] keyexchange=ikev2 15[CFG] adding virtual IP address pool 21.21.21.10-21.21.21.19 15[CFG] added configuration 'tunnel-1'
Thanks!
History
#1 Updated by Tobias Brunner about 1 year ago
- Description updated (diff)
- Status changed from New to Feedback
The client might be forcing UDP encapsulation (i.e. it is faking a NAT situation). Read the log for details.
#2 Updated by Bin Liu about 1 year ago
The client is not forcing UDP encapsulation,the client logs are shown below:
Reloading config...
Loading config setup Loading ca 'CA' auto=ignore Loading conn 'tunnel-0' left=192.168.13.12 leftauth=psk leftid=nihqao leftsourceip=%config right=192.168.13.100 rightauth=psk rightid=222dengjie@psk rightsubnet=0.0.0.0/0 auto=add closeaction=none dpdaction=restart dpddelay=10s keyexchange=ikev2 keyingtries=1 mobike=no reauth=no rekey=no
06[CFG] received stroke: add connection 'tunnel-0'
06[CFG] added configuration 'tunnel-0'
cmd:/tmp/ltever/ipsec/strongSwan/libexec/ipsec/stroke up tunnel-0 &
13[CFG] received stroke: initiate 'tunnel-0'
initiating IKE_SA tunnel-0[1] to 192.168.13.100
14[IKE] initiating IKE_SA tunnel-0[1] to 192.168.13.100
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.13.12[500] to 192.168.13.100[500] (780 bytes)
14[NET] sending packet: from 192.168.13.12[500] to 192.168.13.100[500] (780 bytes)
received packet: from 192.168.13.100[500] to 192.168.13.12[500] (576 bytes)
08[NET] received packet: from 192.168.13.100[500] to 192.168.13.12[500] (576 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
remote host is behind NAT
08[IKE] remote host is behind NAT
sending cert request for "CN=Test-RootCA"
08[IKE] sending cert request for "CN=Test-RootCA"
authentication of 'nihqao' (myself) with pre-shared key
08[IKE] authentication of 'nihqao' (myself) with pre-shared key
establishing CHILD_SA tunnel-0
08[IKE] establishing CHILD_SA tunnel-0
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.13.12[4500] to 192.168.13.100[4500] (416 bytes)
08[NET] sending packet: from 192.168.13.12[4500] to 192.168.13.100[4500] (416 bytes)
received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (240 bytes)
05[NET] received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (240 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
05[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
authentication of '222dengjie@psk' with pre-shared key successful
05[IKE] authentication of '222dengjie@psk' with pre-shared key successful
IKE_SA tunnel-0[1] established between 192.168.13.12[nihqao]...192.168.13.100[222dengjie@psk]
05[IKE] IKE_SA tunnel-0[1] established between 192.168.13.12[nihqao]...192.168.13.100[222dengjie@psk]
installing new virtual IP 21.21.21.10
05[IKE] installing new virtual IP 21.21.21.10
connection 'tunnel-0' established successfully
05[IKE] CHILD_SA tunnel-0{1} established with SPIs c4a34e6f_i 0cf8b18f_o and TS 21.21.21.10/32 === 0.0.0.0/0
15[NET] received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (80 bytes)
#3 Updated by Tobias Brunner about 1 year ago
08[IKE] remote host is behind NAT
The server might be (if there really is no NAT). Do you use kernel-libipsec there?
#4 Updated by Bin Liu about 1 year ago
Yes,remote host uses kernel-libipsec.Is it caused by kernel libipsec? How to disable MOBIKE while using kernel-libipsec?
#5 Updated by Tobias Brunner about 1 year ago
Is it caused by kernel libipsec?
Yes, it forces UDP encapsulation (read the linked page).
How to disable MOBIKE while using kernel-libipsec?
MOBIKE is disabled with mobike=no, the switch to port 4500 happens because of the enforced UDP encapsulation.
#6 Updated by Bin Liu about 1 year ago
This means that using kernel-libipsec can't avoid port switch to 4500?
#7 Updated by Noel Kuntze about 1 year ago
Yes, kernel-libipsec requires the usage of UDP encapsulation (switching to port 4500 with the data packets also being exchanged over port 4500).
#8 Updated by Bin Liu about 1 year ago
Got it! Thanks.
#9 Updated by Tobias Brunner about 1 year ago
- Category set to network / firewall
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required