
Issue #3223

Why can't I set MOBIKE to disable?

Added by Bin Liu 22 days ago. Updated 11 days ago.

Status:
Closed
Priority:
Normal
Category:
network / firewall
Affected version:
5.5.2
Resolution:
No change required

Description

hi,
In my environment, NAT traversal is enabled, which happens even if no NAT situation exists. So I disabled MOBIKE by adding mobike=no to ipsec.conf, but the UDP port always automatically floats to 4500. I need your help!
My configuration and run logs are shown below:

root@ubuntu:/home/fastgate/misc/strongswan/etc/ipsec.conf.d# cat conn.tunnel.1 
conn %default
    # -- Negotiate --
    keyexchange     = ikev2
    keyingtries     = 1
    mobike          = no
    closeaction     = clear
    # -- IKE SA Lifetime --
    reauth          = no
    # -- IPSEC SA Lifetime --
    rekey           = no
    # -- DPD --
    dpdaction       = clear
    dpddelay        = 10s
    # -- Other --
    right           = %any
    auto            = add
conn tunnel-1
    left          = 192.168.13.100
    leftsubnet    = 0.0.0.0/0
    leftauth      = psk
    leftid        = "*dengjie@psk" 
    rightsourceip = 21.21.21.10-21.21.21.19
    rightauth     = psk

run logs:

15[CFG] received stroke: add connection 'tunnel-1'
15[CFG] conn tunnel-1
15[CFG]   left=192.168.13.100
15[CFG]   leftsubnet=0.0.0.0/0
15[CFG]   leftauth=psk
15[CFG]   leftid=*dengjie@psk
15[CFG]   right=%any
15[CFG]   rightsourceip=21.21.21.10-21.21.21.19
15[CFG]   rightauth=psk
15[CFG]   ike=aes128-sha256-curve25519
15[CFG]   esp=aes128-sha256
15[CFG]   dpddelay=10
15[CFG]   dpdtimeout=150
15[CFG]   dpdaction=1
15[CFG]   closeaction=1
15[CFG]   mediation=no
15[CFG]   keyexchange=ikev2
15[CFG] adding virtual IP address pool 21.21.21.10-21.21.21.19
15[CFG] added configuration 'tunnel-1'

Thanks!

History

#1 Updated by Tobias Brunner 21 days ago

  • Description updated (diff)
  • Status changed from New to Feedback

The client might be forcing UDP encapsulation (i.e. it is faking a NAT situation). Read the log for details.

#2 Updated by Bin Liu 21 days ago

The client is not forcing UDP encapsulation; the client logs are shown below:

Reloading config...

Loading config setup
Loading ca 'CA'
  auto=ignore
Loading conn 'tunnel-0'
  left=192.168.13.12
  leftauth=psk
  leftid=nihqao
  leftsourceip=%config
  right=192.168.13.100
  rightauth=psk
  rightid=222dengjie@psk
  rightsubnet=0.0.0.0/0
  auto=add
  closeaction=none
  dpdaction=restart
  dpddelay=10s
  keyexchange=ikev2
  keyingtries=1
  mobike=no
  reauth=no
  rekey=no

06[CFG] received stroke: add connection 'tunnel-0'
06[CFG] added configuration 'tunnel-0'
cmd:/tmp/ltever/ipsec/strongSwan/libexec/ipsec/stroke up tunnel-0 &
13[CFG] received stroke: initiate 'tunnel-0'
initiating IKE_SA tunnel-0[1] to 192.168.13.100
14[IKE] initiating IKE_SA tunnel-0[1] to 192.168.13.100
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.13.12[500] to 192.168.13.100[500] (780 bytes)
14[NET] sending packet: from 192.168.13.12[500] to 192.168.13.100[500] (780 bytes)
received packet: from 192.168.13.100[500] to 192.168.13.12[500] (576 bytes)
08[NET] received packet: from 192.168.13.100[500] to 192.168.13.12[500] (576 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
remote host is behind NAT
08[IKE] remote host is behind NAT
sending cert request for "CN=Test-RootCA" 
08[IKE] sending cert request for "CN=Test-RootCA" 
authentication of 'nihqao' (myself) with pre-shared key
08[IKE] authentication of 'nihqao' (myself) with pre-shared key
establishing CHILD_SA tunnel-0
08[IKE] establishing CHILD_SA tunnel-0
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.13.12[4500] to 192.168.13.100[4500] (416 bytes)
08[NET] sending packet: from 192.168.13.12[4500] to 192.168.13.100[4500] (416 bytes)
received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (240 bytes)
05[NET] received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (240 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
05[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
authentication of '222dengjie@psk' with pre-shared key successful
05[IKE] authentication of '222dengjie@psk' with pre-shared key successful
IKE_SA tunnel-0[1] established between 192.168.13.12[nihqao]...192.168.13.100[222dengjie@psk]
05[IKE] IKE_SA tunnel-0[1] established between 192.168.13.12[nihqao]...192.168.13.100[222dengjie@psk]
installing new virtual IP 21.21.21.10
05[IKE] installing new virtual IP 21.21.21.10
connection 'tunnel-0' established successfully
05[IKE] CHILD_SA tunnel-0{1} established with SPIs c4a34e6f_i 0cf8b18f_o and TS 21.21.21.10/32 === 0.0.0.0/0
15[NET] received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (80 bytes)

#3 Updated by Tobias Brunner 21 days ago

08[IKE] remote host is behind NAT

The server might be (if there really is no NAT). Do you use kernel-libipsec there?

#4 Updated by Bin Liu 21 days ago

Yes, the remote host uses kernel-libipsec. Is it caused by kernel-libipsec? How to disable MOBIKE while using kernel-libipsec?

#5 Updated by Tobias Brunner 21 days ago

Is it caused by kernel libipsec?

Yes, it forces UDP encapsulation (read the linked page).

How to disable MOBIKE while using kernel-libipsec?

MOBIKE is disabled with mobike=no, the switch to port 4500 happens because of the enforced UDP encapsulation.

#6 Updated by Bin Liu 20 days ago

Does this mean that using kernel-libipsec can't avoid the port switch to 4500?

#7 Updated by Noel Kuntze 20 days ago

Yes, kernel-libipsec requires the usage of UDP encapsulation (switching to port 4500 with the data packets also being exchanged over port 4500).
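The mechanism behind this thread is IKEv2 NAT detection (RFC 7296 section 2.23): each peer sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads containing SHA-1 hashes over the SPIs, an address and a port, and the receiver recomputes them from the addresses it actually sees on the packet. A mismatch means "remote host is behind NAT", and both sides then float to UDP 4500 regardless of the mobike setting. The following is an added example, not code from the thread or from strongSwan, that reproduces the hashes and the receiver's check for the client's view of the IKE_SA_INIT response. The SPIs and the 203.0.113.7 NAT address are constructed; modelling "faking a NAT" as a random source hash is an assumption about how a peer can force UDP encapsulation, not a description of kernel-libipsec's code.

```python
import hashlib
import ipaddress
import os
import struct

# Constructed sample SPIs (any 8-byte values; the real ones come from the IKE header).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")

CLIENT = ("192.168.13.12", 500)      # addresses taken from the thread's logs
SERVER = ("192.168.13.100", 500)
NAT_PUBLIC = ("203.0.113.7", 61000)  # constructed: what a NAT in front of the client would present


def natd_hash(spi_i, spi_r, ip, port):
    """NAT_DETECTION_*_IP content per RFC 7296 section 2.23:
    SHA-1 over SPIi | SPIr | IP address (4 or 16 bytes) | port (2 bytes, network order)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_natd(spi_i, spi_r, own, peer_as_seen, fake_nat=False):
    """Payloads a peer places in its message: NATD_S_IP over its own address and port,
    NATD_D_IP over the peer address and port it observed on the wire.
    fake_nat=True (assumption: models 'faking a NAT') sends a random source hash so the
    receiver can never reproduce it and concludes the sender sits behind a NAT."""
    s = os.urandom(20) if fake_nat else natd_hash(spi_i, spi_r, *own)
    d = natd_hash(spi_i, spi_r, *peer_as_seen)
    return s, d


def detect_nat(spi_i, spi_r, natd_s, natd_d, packet_src, own):
    """Receiver side: recompute both hashes from what is actually on the packet.
    A NATD_S_IP mismatch means the remote host is behind a NAT (or claims to be);
    a NATD_D_IP mismatch means our own address was rewritten, i.e. we are behind one."""
    remote_behind_nat = natd_s != natd_hash(spi_i, spi_r, *packet_src)
    local_behind_nat = natd_d != natd_hash(spi_i, spi_r, *own)
    return remote_behind_nat, local_behind_nat


def port_after_detection(remote_behind_nat, local_behind_nat):
    """IKEv2 floats to UDP 4500 (IKE plus UDP-encapsulated ESP) as soon as either side
    is believed to be behind a NAT; otherwise IKE stays on 500 and ESP runs natively."""
    return 4500 if (remote_behind_nat or local_behind_nat) else 500


def run_scenarios():
    """Evaluate the IKE_SA_INIT response from the client's point of view, the step at
    which the thread's client log prints 'remote host is behind NAT'."""
    results = {}
    # 1. No NAT anywhere, server behaves normally: both hashes verify.
    s, d = build_natd(SPI_I, SPI_R, SERVER, CLIENT)
    results["direct"] = detect_nat(SPI_I, SPI_R, s, d, SERVER, CLIENT)
    # 2. Client really is behind a NAT: the server saw the NAT's public address,
    #    so its NATD_D_IP does not match the client's own address.
    s, d = build_natd(SPI_I, SPI_R, SERVER, NAT_PUBLIC)
    results["client_behind_nat"] = detect_nat(SPI_I, SPI_R, s, d, SERVER, CLIENT)
    # 3. No NAT, but the server fakes one (the situation described in the thread):
    #    the client reports the remote as NATed and floats to 4500 although nothing
    #    between the two hosts rewrote any address.
    s, d = build_natd(SPI_I, SPI_R, SERVER, CLIENT, fake_nat=True)
    results["server_fakes_nat"] = detect_nat(SPI_I, SPI_R, s, d, SERVER, CLIENT)
    return results


if __name__ == "__main__":
    for name, (remote, local) in run_scenarios().items():
        print(f"{name:18s} remote_nat={remote!s:5s} local_nat={local!s:5s} "
              f"port={port_after_detection(remote, local)}")
```

Scenario 3 is the one in the client log above: the addresses on the wire are unchanged, yet the response's source hash does not verify, so the client logs the remote as NATed and the next message already goes from port 4500 to 4500. That is why mobike=no has no effect here: MOBIKE only governs address updates of an established IKE_SA, while the float to 4500 is decided by NAT detection during IKE_SA_INIT. When diagnosing this on a real setup, compare the packet's source address and port against the expected ones; if they match and the peer is still reported as behind NAT, the peer is forcing encapsulation.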

#8 Updated by Bin Liu 15 days ago

Got it! Thanks.

#9 Updated by Tobias Brunner 11 days ago

  • Category set to network / firewall
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
