Issue #3223
Why can't I set MOBIKE to disable?
Description
hi,
In my environment, NAT traversal is enabled, which happens even if no NAT situation exists. So I disabled MOBIKE by adding mobike=no to ipsec.conf, but the UDP port always automatically floats to 4500. I need your help!
My configuration and run logs are shown below:
root@ubuntu:/home/fastgate/misc/strongswan/etc/ipsec.conf.d# cat conn.tunnel.1
conn %default
    # -- Negotiate --
    keyexchange = ikev2
    keyingtries = 1
    mobike = no
    closeaction = clear
    # -- IKE SA Lifetime --
    reauth = no
    # -- IPSEC SA Lifetime --
    rekey = no
    # -- DPD --
    dpdaction = clear
    dpddelay = 10s
    # -- Other --
    right = %any
    auto = add

conn tunnel-1
    left = 192.168.13.100
    leftsubnet = 0.0.0.0/0
    leftauth = psk
    leftid = "*dengjie@psk"
    rightsourceip = 21.21.21.10-21.21.21.19
    rightauth = psk
run logs:
15[CFG] received stroke: add connection 'tunnel-1'
15[CFG] conn tunnel-1
15[CFG]   left=192.168.13.100
15[CFG]   leftsubnet=0.0.0.0/0
15[CFG]   leftauth=psk
15[CFG]   leftid=*dengjie@psk
15[CFG]   right=%any
15[CFG]   rightsourceip=21.21.21.10-21.21.21.19
15[CFG]   rightauth=psk
15[CFG]   ike=aes128-sha256-curve25519
15[CFG]   esp=aes128-sha256
15[CFG]   dpddelay=10
15[CFG]   dpdtimeout=150
15[CFG]   dpdaction=1
15[CFG]   closeaction=1
15[CFG]   mediation=no
15[CFG]   keyexchange=ikev2
15[CFG] adding virtual IP address pool 21.21.21.10-21.21.21.19
15[CFG] added configuration 'tunnel-1'
Thanks!
History
#1 Updated by Tobias Brunner about 1 year ago
- Description updated (diff)
- Status changed from New to Feedback
The client might be forcing UDP encapsulation (i.e. it is faking a NAT situation). Read the log for details.
#2 Updated by Bin Liu about 1 year ago
The client is not forcing UDP encapsulation. The client logs are shown below:
Reloading config...
Loading config setup
Loading ca 'CA'
  auto=ignore
Loading conn 'tunnel-0'
  left=192.168.13.12
  leftauth=psk
  leftid=nihqao
  leftsourceip=%config
  right=192.168.13.100
  rightauth=psk
  rightid=222dengjie@psk
  rightsubnet=0.0.0.0/0
  auto=add
  closeaction=none
  dpdaction=restart
  dpddelay=10s
  keyexchange=ikev2
  keyingtries=1
  mobike=no
  reauth=no
  rekey=no
06[CFG] received stroke: add connection 'tunnel-0'
06[CFG] added configuration 'tunnel-0'
cmd:/tmp/ltever/ipsec/strongSwan/libexec/ipsec/stroke up tunnel-0 &
13[CFG] received stroke: initiate 'tunnel-0'
initiating IKE_SA tunnel-0[1] to 192.168.13.100
14[IKE] initiating IKE_SA tunnel-0[1] to 192.168.13.100
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.13.12[500] to 192.168.13.100[500] (780 bytes)
14[NET] sending packet: from 192.168.13.12[500] to 192.168.13.100[500] (780 bytes)
received packet: from 192.168.13.100[500] to 192.168.13.12[500] (576 bytes)
08[NET] received packet: from 192.168.13.100[500] to 192.168.13.12[500] (576 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
remote host is behind NAT
08[IKE] remote host is behind NAT
sending cert request for "CN=Test-RootCA"
08[IKE] sending cert request for "CN=Test-RootCA"
authentication of 'nihqao' (myself) with pre-shared key
08[IKE] authentication of 'nihqao' (myself) with pre-shared key
establishing CHILD_SA tunnel-0
08[IKE] establishing CHILD_SA tunnel-0
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.13.12[4500] to 192.168.13.100[4500] (416 bytes)
08[NET] sending packet: from 192.168.13.12[4500] to 192.168.13.100[4500] (416 bytes)
received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (240 bytes)
05[NET] received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (240 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
05[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr ]
authentication of '222dengjie@psk' with pre-shared key successful
05[IKE] authentication of '222dengjie@psk' with pre-shared key successful
IKE_SA tunnel-0[1] established between 192.168.13.12[nihqao]...192.168.13.100[222dengjie@psk]
05[IKE] IKE_SA tunnel-0[1] established between 192.168.13.12[nihqao]...192.168.13.100[222dengjie@psk]
installing new virtual IP 21.21.21.10
05[IKE] installing new virtual IP 21.21.21.10
connection 'tunnel-0' established successfully
05[IKE] CHILD_SA tunnel-0{1} established with SPIs c4a34e6f_i 0cf8b18f_o and TS 21.21.21.10/32 === 0.0.0.0/0
15[NET] received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (80 bytes)
#3 Updated by Tobias Brunner about 1 year ago
08[IKE] remote host is behind NAT
The server might be (if there really is no NAT). Do you use kernel-libipsec there?
#4 Updated by Bin Liu about 1 year ago
Yes, the remote host uses kernel-libipsec. Is it caused by kernel-libipsec? How to disable MOBIKE while using kernel-libipsec?
#5 Updated by Tobias Brunner about 1 year ago
Is it caused by kernel libipsec?
Yes, it forces UDP encapsulation (read the linked page).
How to disable MOBIKE while using kernel-libipsec?
MOBIKE is disabled with mobike=no, the switch to port 4500 happens because of the enforced UDP encapsulation.
#6 Updated by Bin Liu about 1 year ago
This means that using kernel-libipsec can't avoid the port switch to 4500?
#7 Updated by Noel Kuntze about 1 year ago
Yes, kernel-libipsec requires the usage of UDP encapsulation (switching to port 4500 with the data packets also being exchanged over port 4500).
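An added illustration of the distinction made in this thread (example code, not from the issue or the strongSwan project): a small Python check over a constructed excerpt of the charon client log quoted above, which locates the float from port 500 to 4500 and reports whether a NAT-D result ("remote host is behind NAT") preceded it, which is what kernel-libipsec fakes to force UDP encapsulation regardless of mobike=no.

```python
import re

# Constructed excerpt: the charon lines from the client log quoted in this
# issue, trimmed to the packet and NAT-detection messages that matter here.
SAMPLE_LOG = """\
14[NET] sending packet: from 192.168.13.12[500] to 192.168.13.100[500] (780 bytes)
08[NET] received packet: from 192.168.13.100[500] to 192.168.13.12[500] (576 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
08[IKE] remote host is behind NAT
08[NET] sending packet: from 192.168.13.12[4500] to 192.168.13.100[4500] (416 bytes)
05[NET] received packet: from 192.168.13.100[4500] to 192.168.13.12[4500] (240 bytes)
"""

PACKET_RE = re.compile(
    r"\[NET\] (sending|received) packet: from \S+\[(\d+)\] to \S+\[(\d+)\]"
)
NAT_RE = re.compile(r"\[IKE\] (local|remote) host is behind NAT")


def analyse_log(text):
    """Return where the IKE ports floated and what the log says caused it."""
    ports = []        # (src_port, dst_port) per packet, in log order
    nat_sides = []    # "local"/"remote" as reported by the NAT-D check
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            ports.append((int(m.group(2)), int(m.group(3))))
            continue
        m = NAT_RE.search(line)
        if m:
            nat_sides.append(m.group(1))
    # The float is the first packet on 4500 after traffic on 500.
    float_index = None
    seen_500 = False
    for i, (src, dst) in enumerate(ports):
        if src == 500 and dst == 500:
            seen_500 = True
        elif seen_500 and src == 4500 and dst == 4500:
            float_index = i
            break
    if float_index is None:
        cause = "none"
    elif nat_sides:
        # NAT-D mismatch: IKEv2 floats to 4500 whether or not MOBIKE is on.
        # kernel-libipsec produces exactly this result to force UDP encapsulation.
        cause = "nat-detection"
    else:
        cause = "unexplained"   # no NAT-D notice in the excerpt; look earlier in the log
    return {"float_index": float_index, "nat_sides": nat_sides, "cause": cause}


if __name__ == "__main__":
    print(analyse_log(SAMPLE_LOG))
```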
#8 Updated by Bin Liu about 1 year ago
Got it! Thanks.
#9 Updated by Tobias Brunner about 1 year ago
- Category set to network / firewall
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required