[Openswan Users] UDP passive keep-alive scenario success.

sertys at estates.bg
Wed Oct 27 08:35:43 EDT 2010

I have been dealing with mobile roadwarriors for quite some time. By
mobile I mean Nokia VPN client. Openswan is great with them, but
connectivity is always an issue and 3g/umts gates are not always
standards-compliant. I have been using mainly Nokia E51s/E71s with
constant VPN connectivity. Using DPD is a great option to keep the tunnels
alive and properly NAT-mapped, but it drains a lot of power. When in good
coverage the E51s would last 6-8 hours on constant connectivity; the
E52s would last 18-24 hours due to the bigger battery and better sleep
mode capabilities. I use a 120s DPD heartbeat delay, and everything above
that makes the umts gateway "forget" the UDP hole.

I thought of the following dirty hack, involving iptables and the TTL
target (due to my unwillingness to modify Openswan code). It's specific to
the operator I use, but is possibly deployable on any network. I actually
modify the TTL on the isakmp-nat-keepalive packets so that the packet dies
before it reaches the device.
iptables -t mangle -F OUTPUT
iptables -t mangle -A OUTPUT -p udp --sport 4500 -d x.x.0.0/16 -m length --length 29 -j TTL --ttl-set 6
iptables -t mangle -A OUTPUT -p udp --sport 4500 -d x.x.0.0/16 -m length --length 29 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp --sport 4500 -m length --length 29 -j DROP
(This last line is because I want to NOT send keepalives when devices are
roaming on WLAN or another operator I have no routing data with.)

I'm using keep_alive=50s and force_natkeepalive=yes to emit packets.
The operator has 2 hops after the NAT gateway, which are the key for this
"hack" to work. The packet leaves the UDP porthole open and dies on the
hop after, thus not reaching the client device and NOT draining battery
off it.
Now my devices will stay alive for 12-16 hours, given the fact that I refresh
connections very often. With fine tuning I think I might reach 24+ hours
of non-stop connectivity.
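As an added illustration (not part of the post above), this derives the --ttl-set value and the 29-byte length match from a traceroute-style hop list, so the keepalive crosses the NAT gateway but expires before the handset; the hop addresses, the NAT gateway's position and the helper names are constructed assumptions, not the poster's network.

```python
"""Pick the keepalive TTL for the iptables trick and emit the mangle rules.

Constructed example: hop addresses and the NAT gateway position are
invented; on a real network they come from traceroute to the operator.
"""
from __future__ import annotations

IPV4_HEADER = 20          # assumes no IP options
UDP_HEADER = 8
NAT_KEEPALIVE_PAYLOAD = 1  # RFC 3948 NAT-keepalive is a single 0xFF byte


def keepalive_packet_length() -> int:
    """Total IP length matched by '-m length --length': 20 + 8 + 1 = 29."""
    return IPV4_HEADER + UDP_HEADER + NAT_KEEPALIVE_PAYLOAD


def keepalive_ttl(path: list[str], nat_gateway: str, hops_after_nat: int = 1) -> int:
    """TTL so the packet is forwarded by the NAT gateway (refreshing the UDP
    mapping) and is discarded hops_after_nat routers later.

    path[i] is the router at hop i+1; the handset sits at hop len(path)+1.
    A packet sent with TTL t is dropped by hop t, so the NAT gateway forwards
    it only while t > its hop number, and it must never reach the handset.
    """
    nat_hop = path.index(nat_gateway) + 1
    ttl = nat_hop + hops_after_nat
    if ttl > len(path):
        raise ValueError("TTL %d would let the keepalive reach the device" % ttl)
    return ttl


def mangle_rules(operator_net: str, ttl: int) -> list[str]:
    """The OUTPUT rules from the post, parameterised by subnet and TTL."""
    match = "-p udp --sport 4500 -m length --length %d" % keepalive_packet_length()
    return [
        "iptables -t mangle -F OUTPUT",
        "iptables -t mangle -A OUTPUT %s -d %s -j TTL --ttl-set %d" % (match, operator_net, ttl),
        "iptables -t mangle -A OUTPUT %s -d %s -j ACCEPT" % (match, operator_net),
        "iptables -t mangle -A OUTPUT %s -j DROP" % match,  # no keepalives off-operator
    ]


# Constructed path from the VPN gateway towards the operator (hypothetical addresses).
EXAMPLE_PATH = ["192.0.2.1", "198.51.100.9", "198.51.100.17",
                "203.0.113.4", "203.0.113.40", "203.0.113.41"]
EXAMPLE_NAT = "203.0.113.4"  # hop 4; two operator hops follow it, as in the post

if __name__ == "__main__":
    ttl = keepalive_ttl(EXAMPLE_PATH, EXAMPLE_NAT, hops_after_nat=2)
    print("\n".join(mangle_rules("203.0.113.0/24", ttl)))
```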
